IP Storage Protocols: iscsi. John L Hufferd, Consultant Hufferd Enterprises

Transcription

1 John L Hufferd, Consultant Hufferd Enterprises

2 SNIA Legal Notice The material contained in this tutorial is copyrighted by the SNIA. Member companies and individual members may use this material in presentations and literature under the following conditions: Any slide or slides used must be reproduced in their entirety without modification The SNIA must be acknowledged as the source of any material used in the body of any document containing material from these presentations. This presentation is a project of the SNIA Education Committee. Neither the author nor the presenter is an attorney and nothing in this presentation is intended to be, or should be construed as legal advice or an opinion of counsel. If you need legal advice or a legal opinion please contact your attorney. The information presented herein represents the author's personal opinion and current understanding of the relevant issues involved. The author, the presenter, and the SNIA do not assume any responsibility or liability for damages arising out of any reliance on or use of this information. NO WARRANTIES, EXPRESS OR IMPLIED. USE AT YOUR OWN RISK. 2

3 Abstract This session will explain the various parts of Network encapsulations of PDUs Session Relationship to SCSI and TCP/IP Connections flow from Initiator to Target Error Recovery, Discovery and Security It will also explain Companion Processes Boot SLP isns And the session will describe Environments From the small office, to the High End Enterprise This session is appropriate for end user and developers of technologies 3

4 Terms - Internet SCSI NAS - Network Attached Storage Supports CIFS (Common Internet File System) protocols Supports NFS (Network File System) protocols FAN File Area Networks Utilize IP Networks and NAS protocols HBA - Host Bus Adapter TOE - TCP/IP Offload Engine FC - Fibre Channel SAN - Storage Area Network Supports Block Storage Protocols (FC and ) isan A Storage Area Network made up of connections PDU - Protocol Data Unit 4

5 Agenda Introduction Features Error handling, Boot, Discovery usage models Security Q & A 5

6 Agenda Introduction Features Error Handling, Boot, Discovery usage models Security Q & A 6

7 Small Computer System Interconnect (SCSI) Scanners Legacy SCSI BUS (Almost completely replaced by Serial-SCSI for single system storage connections) Printers Desktop / Server Computer ATA/SATA Disk SCSI Disks Note: ATA and SCSI drives with Serial attachments are called SATA and SAS Tapes There are 2 main hard drive interface classes available today: ATA (used mostly in desktop and laptop systems) Includes SATA which is becoming a larger presence in server class systems/arrays SCSI (used in server-class systems) includes PSCSI, FC & SAS 7

8 Systems with SCSI over Networks Application File System Application File System Application File System Fibre Channel or Storage Area Network (SAN) With Block I/O Both Fibre Channel and can makeup a SAN Replaces shared bus with switched fabric 8

9 is: Internet SCSI: internet Small Computer System Interconnect is a SCSI transport protocol for mapping of block-oriented storage data over TCP/IP networks The protocol enables universal access to storage devices and Storage Area Networks (SANs) over standard TCP/IP networks On Ethernet LANs: Copper & Optical On ATM WANs On SONET WANs Wireless Etc. 9

10 Data Encapsulation Into Network Packets Ethernet Header IP TCP SCSI Cmds Optional DATA FCS (CRC) Protocol Data Unit (PDU): Provides ordering and control information. Contains control info, with optional SCSI Commands &/or Data Provides Reliable data transport and delivery (TCP Windows, ACKs, ordering, etc.) Also demux within node (port numbers) Provides IP routing capability so that packet can find its way through the network Provides physical network capability (Cat 5, MAC, etc.) 10

11 Mapping Control Header (with optional SCSI Command) PDU Optional Header CRC Optional Data Optional Data CRC PDU PDU PDU PDU Header & SCSI Command Header Data Header with SCSI Cmd Data Header with Only Control Info IP packet IP packet IP packet IP packet IP packet IP packet IP packet IP packet PDU alignment with packets varies 11

12 - Layered Model Application Layer Application I/O Request Logical Unit SCSI Interface SCSI Layer SCSI Class Driver (SCSI Initiator) SCSI Application Protocol SCSI Device (SCSI Target) SCSI CDB Protocol Layer Protocol Services Interface Protocol Services PDU TCP/IP TCP/IP TCP/IP TCP/IP Transport Interface TCP/IP Protocol session TCP/IP TCP/IP TCP/IP TCP segments in IP Datagrams Ethernet Data link + Physical Data link + Physical Ethernet Frame Ethernet Transparently encapsulates SCSI Command Descriptor Blocks (CDBs) 12

13 Application to LU Command Flow Application File System Disk ortape Driver (SCSI Class Driver) Device Driver HBA Chip/HBA Device Driver SCSI Layer Target Function (CDB Passthrough) SCSI HBA Device Driver HBA HBA LU#1 LU#2 LU#3 (LU = Logical Unit) 13

14 Multiple Connections Between Hosts and Storage Controllers Application Application File System Disk or Tape Driver (SCSI Class Driver) File System Disk or Tape Driver (SCSI Class Driver) WedgeDriver Device Driver Device Driver Device Driver one Session two Sessions 15

15 Integrity adds Cyclic Redundancy Check (CRC) CRC-32C - A 32 bit check word algorithm End to End Checking In addition to TCP/IP Checksums In addition to Ethernet Link layer Frame Check Sequence (FCS) s CRC check word is called a Digest can have Digests for Headers and Data Header Digest is optional to use (MUST implement) Insures correct operation and data placement Data Digest is optional to use (MUST implement) Insures data is unmodified through-out network path 16

16 Message Types Called Protocol Data Units (PDUs) Initiator to Target NOP-out SCSI Command Encapsulates a SCSI CDB SCSI Task Mgmt Cmd Login Command Text Command Including SendTargets Used in Discovery SCSI data-out Output Data for Writes Logout Command Target to Initiator NOP-in SCSI Response Can contain status SCSI Task Mgmt Rsp Login Response Text Response SCSI data-in Input Data from Reads Logout Response Ready to transfer R2T Async Event 17

17 Agenda Introduction Features Error Handling, Boot, Discovery usage models Security Q & A 18

18 Error Handling ErrorRecoveryLevel = 0 When detects errors it will bring down the Session (all TCP connections within the Session) and restart it will let the SCSI layer retry the operation ErrorRecoveryLevel = 1 Detected errors (Header or Data) causes PDUs to be discarded will retransmit discarded commands will retransmit discarded data ErrorRecoveryLevel = 2 Caused by loss of the TCP/IP connection Connection & Allegiance reestablishment Uses ErrorRecoveryLevel 1 to recover lost PDUs 19

19 Discovery via SendTargets Targets : :3260 SendTargets Targets : :3260 SendTargets Targets : :3260 SendTargets Set Discovery Target Addrs isan Sessions between Initators and Targets : :3260 Set IP Addrs and ACLs 20

20 Discovery via SLP SLP Directory Agent (DA) Multicast to find SLP DA & Get Addr of Storage Cntrls DHCP Get Addr of SLP DA from DHCP Get Addrs of Storage Cntrls from SLP DA via Unicast SA Advertises its existence to DA via Multicast Sessions between Initiators and Targets :3260 Set Addr of Storage Cntlrs + ACLs, and place Addr of SLP DA into DHCP :3260 SA gets DA Addr from DHCP then Advertises its existence to DA Note: Service Agent (SA) exist within Target Storage Ctlrs 21

21 Discovery via isns Gets location of isns from DHCP & Get Addr of Storage Cntrls from isns Gets location of isns from DHCP & Get Addr of Storage Cntrls from isns DHCP isns Server Str Ctlr gets isns Svr Addr from DHCP then sends its profile to isns Str Ctlr gets isns Svr Addr from DHCP then sends its profile to isns :3260 Set Addr of Storage Cntlrs + ACLs and place Addr of isns into DHCP :3260 Sessions between Initiators and Targets 22

22 Redirection After attempting to Login at specified location: The specified Target may signal a redirection Temporary redirection Permanent redirection Redirection used for: Corrections between Discovery DB updates Admin or automatic Hardware disablement for Service Because of HW problems For load balancing 23

23 Boot Static configuration information for Boot Admin sets authorized Target Node Name and Address, Optional LUN Default LUN is 0 Dynamic configuration via use of DHCP, SLP, isns DHCP can be used by Host to get an IP address DHCP can hold the Boot Service Option (Admin Set) May contain all that is needed to reach the Boot device May only contain Target Node Name, then use SLP/iSNS to resolve to address SLP, or isns can also be used to find the Boot location The Boot load process The Admin. or DHCP, SLP or isns can enable the access BootP/PXE is also possible as part of a SW two phase process HW HBA can act as a normal SCSI HBA for system BIOS use 24

24 Agenda Introduction Features Boot, Discovery, Error Handling usage models IP Security Q & A 25

25 Now let s look at the various environments where is appropriate 26

26 Small Office Interconnect Ethernet Print Server Switch Office Server NAS 27

27 IP Storage Combo -- NAS & Ethernet Print Server Switch NAS Office Server Dual Dialect Block and File I/O 28

28 & TOE Dhip & TOE Dhip & TOE Dhip & TOE Dhip & TOE Dhip Midrange Environment Desktops and Laptops HBA Servers Ethernet Switch HBA HBA HBA & TOE Chip Cat.5 Ethernet Cables Ethernet Switch HBA to FC Bridge FC NAS HBA & TOE Dhip & TOE Chip Dual Dialect FC Disk Storage 29

29 Combining of FC and Tape Library 2 Initiator 2 FC- Router registers FC devices WWN and Name alias. Both and FC identities are stored in the isns server isns Server Management Platform Tape Library 1 Management Platforms can view and manage both and FC devices by interacting with isns server Initiator 1 IP Network FC- Gateway FC Fabric FC JBOD: WWN = X FC JBOD: WWN=X, Name = abc FC Server: WWN=Y, FC Server: Name = xyz WWN = Y FC JBOD: WWN = X FC- Gateway FC Fabric FC Server: WWN = Z Other FC fabrics can be joined over common IP network. Other gateways can discover open mapping by querying isns 30

30 High-End Environment 31

31 Campus Network 32

32 Satellite and Central System/Storage 33

33 At-Distance * Special Tuning/Equipment usually required for large distances 34

34 & TOE Chip Web Server Installation Internet Links Ethernet Links NAS Web Server Systems Ethernet Switch SAN HBA Dual Dialect HBA & TOE Chip & TOE Chip FC SAN to/from FC Routing Switches & TOE Chip SATA Disk and Tape FC Storage Controllers 35

35 Peaceful Co-existence isan & NAS Note: File Area Network (FAN) utilizes IP Networks and NAS protocols NAS -Gateway Supports both and NAS (a Dual Dialect combination) RAID Ctlrs 36

36 Agenda Introduction Features Boot, Discovery, Error Handling usage models Security Q & A 37

37 Security Properties Connection Authentication: Who are you? Prove it! Mutual Authentication: Initiator to Target AND vice-versa Packet Integrity: Has this data been tampered with? Cryptographic Packet by Packet authentication & integrity check, not just checksum or CRC Anti-Replay to prevent regeneration attack Privacy: Encryption of the Data Authorization: What are you allowed to do? : Who can connect to which Target LUN masking & mapping handled by SCSI, not Security Features: Must be implemented but are Optional to use Subject to negotiation 38

38 Security Considerations Connection Authentication is way to determine trustworthiness via CHAP -- Challenge Handshake Authentication Protocol with strong secrets is required Can t use passwords Stronger than basic CHAP when specification is followed SRP -- Secure Remote Password Kerberos -- A Third Party Authentication protocol SPKM-1,SPKM-2 -- Simple Public Key Mechanism Connection Security may be used with or without IPsec s Packet Security: Packet Authentication Origin assurance Anti-Reply protection Privacy Encryption 39

39 Conclusions

40 is the Network Storage Alternative The performance on 1Gb Ethernet networks is Good Enough for many applications Host systems can use the cost effective software Initiators to great effect at 1Gb Host system can use the low overhead of HW HBA for Initiators to great effect at 10Gb With link aggregation and Ethernet networks moving to 10Gb, most storage networking needs can be handled by is not just a Low-End protocol but will also apply to the High End environments. 41

41 References Both Books Published by Addison-Wesley Available in Book Stores and Amazon.com Volume purchases available The detail specification can be found at 42

42 Q&A / Feedback Please send any questions or comments on this presentation to SNIA: tracknetworking@snia.org Many thanks to the following Group and individuals for their contributions to this tutorial. SNIA Education Committee Members of the SNIA IP Storage Forum David Black David Dale John Hufferd Peter Hunt Howard Goldstein Gary Orenstein Ahmad Zamer 43

43 Appendix 44

44 CHAP Authentication Protocol Based on shared secret, random challenge Uses a secure (one-way) hash, usually MD5 One-way hash: Computationally infeasible to invert Secret Challenge Secret Hash Response Host Hash Storage =? Can be outsourced to RADIUS server 45

45 with IPsec Initiator Opens Socket connection to Target IKE (Internet Key Exchange) is performed to authenticate & obtain encryption key for IPSec Pre-shared Key (or Certificate) Target Port is engaged Create encryption key Message Message is sent on Open Socket Create encryption key Message Message is delivered to Target's Listening Port 46

46 Spreading v. Centralizing the File System Overhead Block I/O (including ) spread the File System overhead across all the Clients NAS Clients move the File System overhead to the NAS server Block I/O (including ) Storage Controllers just store the I/O blocks where the Client File System requests (perhaps with Virtualizing LUN Mapping) NAS Servers centralizes the File System functions (and overhead) for all its clients into the NAS Server Plus the NAS Server still must map the resultant Blocks onto the Storage (perhaps with Virtualizing LUN Mapping) The non TCP/IP Server side overhead can be many times higher in NAS Servers than Block I/O () Storage Controllers Therefore, as a rule of thumb: use NAS for File Sharing and for Block IP Storage 47