FIPS Compliance in Avi Vantage

Overview

The Federal Information Processing Standard (FIPS) 140-2 is a U.S. and Canadian government standard developed by the National Institute of Standards and Technology (NIST) that defines the security standards for cryptographic modules. The FIPS 140-2 standard specifies and validates the cryptographic and operational requirements for the modules within security systems that protect sensitive information. These modules employ NIST-Approved security functions such as cryptographic algorithms, key sizes, key management and authentication techniques.

For a list of FIPS 140-2 Compliant Algorithms, refer to:

VMware has obtained FIPS 140-2 validation for VMware’s OpenSSL FIPS Object Module v2.0.20-vmw, which is the module used in Avi components.
VMware’s OpenSSL FIPS Object Module v2.0.20-vmw is a general-purpose cryptographic module that provides FIPS-approved cryptographic functions and services to various VMware products and components.
The module has been validated at FIPS 140-2 Security Level 1 and awarded Certificate #3550 by the CMVP.

For more information, refer to the FIPS documentation in VMware.

FIPS Compliance for Avi

Starting from Avi Vantage version 20.1.5, Avi supports FIPS mode for the entire system:

  • Control plane, comprising the Avi Controller or Controller cluster

  • Data plane, comprising the Avi Service Engines

Note: For Avi Vantage versions 20.1.1 through 20.1.4, Avi supports FIPS mode only for Service Engines.

Avi Vantage uses the FIPS canister 2.0.20-vmw referred to above, which is compliant with FIPS 140-2 Level 1 cryptography.

Supported Environments

FIPS is supported when:

  • The Avi Controller cluster is deployed in a VMware vSphere environment
  • The Avi Service Engines are deployed in a VMware vSphere Environment, specifically the following cloud connectors:

    • VMware vCenter and NSX-T Cloud

    • No-Orchestrator Cloud running on VMware vSphere

FIPS is supported for a single-Controller as well as Controller cluster-based deployments.

Enabling FIPS Mode

Considerations

Consider the following while enabling FIPS mode for Avi Vantage:

  • FIPS mode can be enabled only on deployments that have no Service Engines present.

  • FIPS mode is enabled on the entire system, i.e., the Controller (all nodes in the case of a cluster) as well as all Service Engines.

  • There is no option to selectively enable FIPS for specific components (i.e., only the Controller, only Service Engines, or specific SE Groups).

  • Once the Avi system is in FIPS mode, FIPS mode cannot be disabled for the system.

Enabling FIPS mode for a Single Controller Deployment

  1. Ensure that the Controller does not have any Service Engines deployed. It is recommended to disable all virtual services and delete any Service Engines that may be present.

  2. Upload the controller.pkg file (i.e., the upgrade package) for the same Controller base version to the Controller node. For example, if the Controller being used is on version 20.1.5, upload the 20.1.5 controller.pkg to the Controller.

    For step-by-step instructions on how to upload, refer to the Uploading Software section.

  3. Enable FIPS mode via the CLI:


[admin:avi-cntrl]: > system compliancemode fips_mode
+----------------------+----------------------------------------------------------------------------------+
| Field                | Value                                                                            |
+----------------------+----------------------------------------------------------------------------------+
| fips_mode            | True                                                                             |
| common_criteria_mode | False                                                                            |
| force                | False                                                                            |
| details[1]           | 'Compliance mode transition started. Use 'show upgrade status' to check the stat |
|                      | us.'                                                                             |
+----------------------+----------------------------------------------------------------------------------+

The Controller will reboot and return online in FIPS mode.

Enabling FIPS mode for a Controller Cluster Deployment

  1. Ensure that the Controller does not have any Service Engines deployed. It is recommended to disable all virtual services and delete any Service Engines that may be present.

  2. Create the Controller cluster before enabling FIPS.

  3. Upload the controller.pkg file (i.e., the upgrade package) for the same Controller base version to the leader node. For example, if the Controller being used is on version 20.1.5, upload the 20.1.5 controller.pkg to the leader.

    For step-by-step instructions on how to upload, refer to the Uploading Software section.

  4. Enable FIPS mode via the CLI:


[admin:avi-cntrl]: > system compliancemode fips_mode
+----------------------+----------------------------------------------------------------------------------+
| Field                | Value                                                                            |
+----------------------+----------------------------------------------------------------------------------+
| fips_mode            | True                                                                             |
| common_criteria_mode | False                                                                            |
| force                | False                                                                            |
| details[1]           | 'Compliance mode transition started. Use 'show upgrade status' to check the stat |
|                      | us.'                                                                             |
+----------------------+----------------------------------------------------------------------------------+

The Controller nodes will reboot and return online in FIPS mode.

Verifying FIPS Mode

Use the following commands to verify that FIPS mode has been successfully enabled:


[admin:avi-cntrl]: > show version controller
+-----------------+--------------------------------------+-------+------+
| Controller Name | Version                              | Patch | Fips |
+-----------------+--------------------------------------+-------+------+
| 100.65.32.101   | 20.1.5(5000) 2021-04-15 09:36:00 UTC | -     | True |
+-----------------+--------------------------------------+-------+------+

[admin:admin-ctrl-write]: > show version serviceengine
No results.
[admin:avi-cntrl]: > show version serviceengine
+--------------+--------------------------------------+-------+------+
| SE Name      | Version                              | Patch | Fips |
+--------------+--------------------------------------+-------+------+
| Avi-se-rencf | 20.1.5(5000) 2021-04-15 09:36:00 UTC | -     | True |
| Avi-se-nvlwj | 20.1.5(5000) 2021-04-15 09:36:00 UTC | -     | True |
+--------------+--------------------------------------+-------+------+
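The check below is an added example, not part of the Avi documentation or product: it parses the ASCII tables printed by the two 'show version' commands above (captured to a text file) and lists every Controller or Service Engine that does not report Fips = True, which is the condition a cluster must satisfy before nodes are added or a configuration is restored. The sample output is constructed from the format shown above, with one SE deliberately reporting False.

```python
"""Verify FIPS state of every Avi node from captured 'show version' output."""

# Constructed sample capture: one Controller and two Service Engines; the
# second SE reports Fips=False to exercise the failure path.
SAMPLE_OUTPUT = """\
[admin:avi-cntrl]: > show version controller
+-----------------+--------------------------------------+-------+------+
| Controller Name | Version                              | Patch | Fips |
+-----------------+--------------------------------------+-------+------+
| 100.65.32.101   | 20.1.5(5000) 2021-04-15 09:36:00 UTC | -     | True |
+-----------------+--------------------------------------+-------+------+

[admin:avi-cntrl]: > show version serviceengine
+--------------+--------------------------------------+-------+-------+
| SE Name      | Version                              | Patch | Fips  |
+--------------+--------------------------------------+-------+-------+
| Avi-se-rencf | 20.1.5(5000) 2021-04-15 09:36:00 UTC | -     | True  |
| Avi-se-nvlwj | 20.1.5(5000) 2021-04-15 09:36:00 UTC | -     | False |
+--------------+--------------------------------------+-------+-------+
"""


def parse_tables(text):
    """Return one dict per data row from every '|'-delimited CLI table."""
    rows, header = [], None
    for line in text.splitlines():
        if line.startswith("+"):
            continue                      # '+---' borders carry no data
        if not line.startswith("|"):
            header = None                 # prompt, blank line or 'No results.'
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if header is None:
            header = cells                # first '|' row of a table is its header
        else:
            rows.append(dict(zip(header, cells)))
    return rows


def fips_report(text):
    """Map each node name to True/False, or None if the Fips column is absent."""
    report = {}
    for row in parse_tables(text):
        name = row.get("Controller Name") or row.get("SE Name")
        if name:
            flag = row.get("Fips")
            report[name] = None if flag is None else flag == "True"
    return report


def non_fips_nodes(text):
    """Sorted names of nodes not confirmed to be running in FIPS mode."""
    return sorted(n for n, ok in fips_report(text).items() if ok is not True)


if __name__ == "__main__":
    print("Nodes not in FIPS mode:", non_fips_nodes(SAMPLE_OUTPUT) or "none")
```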

Disaster Recovery Considerations

Restoring the Configuration to a new Controller Cluster

Restoring the Avi configuration from a FIPS enabled deployment can only be performed to a Controller which has FIPS mode enabled. Ensure that the destination Controller or Controller cluster has FIPS enabled before performing a configuration import.

Adding a new Controller node to a Cluster

A Controller cluster requires all nodes to be FIPS enabled. If a Controller node needs to be replaced with a new Controller node, ensure that the new node has FIPS enabled before adding it to the Controller cluster.

Upgrading a Deployment with FIPS Mode Enabled

Upgrades and patch upgrades in FIPS mode follow the same process as for non-FIPS deployments. No special considerations are required for FIPS deployments.

Disabling FIPS Mode

Disabling FIPS compliance mode is not supported.

Features Unavailable in the FIPS-Compliant Mode

On enabling FIPS compliance in Avi Vantage, only cryptographic algorithms that are FIPS-compliant will be used. The following non-compliant features will be unavailable in order to adhere to the FIPS 140-2 standard:

  • RADIUS health monitor

    Note: RADIUS as an L4 application is supported.

  • In BGP, the setting of md5_secret for peers

  • TLS v1.3 and 0-RTT (the enable_early_data option under the SSL Profile)

  • Hardware Security Modules (HSM devices) such as Safenet and CloudHSM

  • 1024-bit RSA keys

  • The set of elliptic curves (EC) that are not supported by VMware’s OpenSSL FIPS Object Module

  • Async SSL (This is a feature under the SE Group that is used in tandem with the HSM configuration. This feature is not relevant when HSM is not allowed.)

  • L7 Sideband

  • HTTP(S) Health Monitor with NTLM authentication

  • HTTP cookie persistence key rotation

  • Use of flushdb.sh for Controller recovery scenarios is not supported. It is recommended to use clean_cluster.py. Both these scripts should be used under Avi Support team supervision.

Document Revision History

Date            Change Summary
April 16, 2021  Published the Feature KB for FIPS Compliance (Version 20.1.5)