IP Storage Protocols: iSCSI
John L Hufferd, Hufferd Enterprises
SNIA Legal Notice
The material contained in this tutorial is copyrighted by the SNIA unless otherwise noted. Member companies and individual members may use this material in presentations and literature under the following conditions:
  Any slide or slides used must be reproduced in their entirety without modification.
  The SNIA must be acknowledged as the source of any material used in the body of any document containing material from these presentations.
This presentation is a project of the SNIA Education Committee. Neither the author nor the presenter is an attorney and nothing in this presentation is intended to be, or should be construed as, legal advice or an opinion of counsel. If you need legal advice or a legal opinion please contact your attorney. The information presented herein represents the author's personal opinion and current understanding of the relevant issues involved. The author, the presenter, and the SNIA do not assume any responsibility or liability for damages arising out of any reliance on or use of this information. NO WARRANTIES, EXPRESS OR IMPLIED. USE AT YOUR OWN RISK.
© 2012 Storage Networking Industry Association. All Rights Reserved.
Abstract: IP Storage Protocols: iSCSI
This session will explain the various parts of iSCSI:
  Network encapsulations of iSCSI PDUs
  Session relationship to SCSI and TCP/IP connections
  iSCSI flow from Initiator to Target
  Error Recovery, Discovery and Security
It will also explain companion processes:
  Boot
  SLP
  iSNS
And the session will describe iSCSI environments, from the small office to the High End Enterprise.
This session is appropriate for end users and developers of iSCSI technologies.
Terms
iSCSI - Internet SCSI
NAS - Network Attached Storage
  Supports CIFS (Common Internet File System) protocols
  Supports NFS (Network File System) protocols
FAN - File Area Network: utilizes IP networks and NAS protocols
HBA - Host Bus Adapter
TOE - TCP/IP Offload Engine
FC - Fibre Channel
SAN - Storage Area Network
  Supports block storage protocols (FC and iSCSI)
iSAN - A Storage Area Network made up of iSCSI connections
PDU - Protocol Data Unit
Agenda
Introduction
iSCSI Features
Error Handling, Boot, Discovery
iSCSI usage models
iSCSI Security
Q & A
Small Computer System Interconnect (SCSI)
[Figure: a desktop/server computer on a parallel SCSI bus with legacy printers, scanners, tapes and SCSI disks, plus ATA/SATA disks; the parallel SCSI bus has been almost completely replaced by Serial SCSI for single-system storage connections]
There are 2 main hard drive interface classes available today:
  ATA (used mostly in desktop and laptop systems); includes SATA, which is becoming a larger presence in server-class systems/arrays
  SCSI (used in server-class systems); includes PSCSI, FC & SAS
Note: ATA and SCSI drives with serial attachments are called SATA and SAS
Systems with SCSI over Networks
[Figure: several hosts, each running applications over a file system, attached through either a Fibre Channel or an iSCSI Storage Area Network (SAN) with block I/O]
Both Fibre Channel and iSCSI can make up a SAN
Replaces shared bus with switched fabric
iSCSI is:
Internet SCSI: internet Small Computer System Interconnect
iSCSI is a SCSI transport protocol for mapping of block-oriented storage data over TCP/IP networks
The iSCSI protocol enables universal access to storage devices and Storage Area Networks (SANs) over standard TCP/IP networks:
  On Ethernet LANs: copper & optical
  On ATM WANs
  On SONET WANs
  Wireless
  Etc.
Data Encapsulation Into Network Packets
[Figure: frame layout on the wire: Ethernet header, IP header, TCP header, iSCSI header, SCSI commands, optional data, Ethernet FCS (CRC)]
iSCSI Protocol Data Unit (PDU): provides ordering and control information. Contains iSCSI control info, with optional SCSI commands and/or data.
TCP: provides reliable data transport and delivery (TCP windows, ACKs, ordering, etc.). Also demultiplexes within the node (port numbers).
IP: provides IP "routing" capability so that the packet can find its way through the network.
Ethernet: provides physical network capability (Cat 5, MAC, etc.).
iSCSI Mapping
[Figure: an iSCSI PDU consists of an iSCSI control header (with optional SCSI command), an optional header CRC, optional data, and an optional data CRC. Four example PDUs are shown spread over a sequence of IP packets: a header with data and SCSI command, a header with data, a header with SCSI command only, and a header carrying control info only]
iSCSI PDU alignment with packets varies
iSCSI - Layered Model
[Figure: layered model. Application I/O layer (logical unit request) over the SCSI interface; SCSI layer (SCSI class driver / SCSI initiator) issuing SCSI CDBs via the SCSI application protocol to the SCSI device (SCSI target); iSCSI protocol services layer exchanging iSCSI PDUs over the iSCSI session via the iSCSI transport interface; TCP/IP layer carrying TCP segments in IP datagrams; data link + physical layer carrying Ethernet frames]
Transparently encapsulates SCSI Command Descriptor Blocks (CDBs)
Application to LU Command Flow
[Figure: command flow from the application through the file system, the SCSI layer (disk or tape driver / SCSI class driver, or CDB passthrough), the iSCSI device driver and the HBA driver / HBA chip, across the network to the iSCSI target function and its logical units LU#1, LU#2 and LU#3 (LU = Logical Unit)]
Multiple Connections Between Hosts and Storage Controllers
[Figure: two hosts, each with application, file system, disk or tape driver (SCSI class driver) and iSCSI device driver. The first host has one session to the storage controller; the second inserts a wedge driver above two iSCSI device drivers and has two sessions]
iSCSI Integrity
iSCSI adds a Cyclic Redundancy Check (CRC)
  CRC-32C - A 32 bit check word algorithm
  End to end checking
    In addition to TCP/IP checksums
    In addition to the Ethernet link layer Frame Check Sequence (FCS)
iSCSI's CRC "check word" is called a "Digest"
iSCSI can have Digests for iSCSI Headers and Data
  Header Digest is optional to use (MUST implement)
    Ensures correct operation and data placement
  Data Digest is optional to use (MUST implement)
    Ensures data is unmodified throughout the network path
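As an added example (not from the tutorial), the following Python computes the CRC-32C header digest described above over a constructed 48-byte Basic Header Segment, appends it sender-side and checks it receiver-side, and shows that a single flipped bit is caught. The wire byte order and the RFC 3720 Appendix B test vector (32 zero bytes give the digest bytes aa 36 91 8a) are facts of the specification; the sample header bytes are constructed.

```python
import struct

# Reflected form of the CRC-32C (Castagnoli) polynomial 0x1EDC6F41 used by iSCSI digests.
_POLY = 0x82F63B78
_TABLE = []
for _n in range(256):
    _c = _n
    for _ in range(8):
        _c = (_c >> 1) ^ _POLY if _c & 1 else _c >> 1
    _TABLE.append(_c)

BHS_LEN = 48  # an iSCSI Basic Header Segment is always 48 bytes


def crc32c(data: bytes) -> int:
    """CRC-32C as iSCSI specifies it: register starts all-ones, bits reflected,
    final remainder complemented."""
    crc = 0xFFFFFFFF
    for b in data:
        crc = _TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc ^ 0xFFFFFFFF


def digest_bytes(data: bytes) -> bytes:
    """The 4 digest bytes that follow the covered segment on the wire. RFC 3720's
    bit mapping works out to little-endian order of the 32-bit CRC value."""
    return struct.pack("<I", crc32c(data))


def add_header_digest(bhs: bytes) -> bytes:
    """Sender side: append the HeaderDigest to a 48-byte BHS."""
    if len(bhs) != BHS_LEN:
        raise ValueError("BHS must be exactly 48 bytes")
    return bhs + digest_bytes(bhs)


def check_header_digest(pdu: bytes) -> bool:
    """Receiver side: recompute over the BHS and compare with the received digest.
    A mismatch means the PDU is discarded (and recovered per ErrorRecoveryLevel)."""
    if len(pdu) < BHS_LEN + 4:
        return False
    return digest_bytes(pdu[:BHS_LEN]) == pdu[BHS_LEN:BHS_LEN + 4]


def flip_bit(data: bytes, bit: int) -> bytes:
    """Corrupt one bit, simulating damage that the TCP checksum alone might miss."""
    buf = bytearray(data)
    buf[bit // 8] ^= 1 << (bit % 8)
    return bytes(buf)


# Constructed sample header (not a captured PDU): 48 bytes with a recognisable pattern.
SAMPLE_BHS = bytes(range(48))

if __name__ == "__main__":
    pdu = add_header_digest(SAMPLE_BHS)
    print("digest:", pdu[BHS_LEN:].hex(), "ok:", check_header_digest(pdu))
    print("after 1-bit flip ok:", check_header_digest(flip_bit(pdu, 100)))
```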
iSCSI Message Types Called Protocol Data Units (PDUs)
Initiator to Target                          Target to Initiator
NOP-out                                      NOP-in
SCSI Command (encapsulates a SCSI CDB)       SCSI Response (can contain status)
SCSI Task Mgmt Cmd                           SCSI Task Mgmt Rsp
Login Command                                Login Response
Text Command                                 Text Response
  (including SendTargets, used in iSCSI Discovery)
SCSI data-out (output data for writes)       SCSI data-in (input data from reads)
Logout Command                               Logout Response
                                             Ready to Transfer (R2T)
                                             Async Event
iSCSI Error Handling
ErrorRecoveryLevel = 0
  When iSCSI detects errors it will bring down the Session (all TCP connections within the Session) and restart it
  iSCSI will let the SCSI layer retry the operation
ErrorRecoveryLevel = 1
  Detected errors (Header or Data) cause PDUs to be discarded
  iSCSI will retransmit discarded commands
  iSCSI will retransmit discarded data
ErrorRecoveryLevel = 2
  Caused by loss of the TCP/IP connection
  Connection & Allegiance reestablishment
  Uses ErrorRecoveryLevel 1 to recover lost PDUs
Discovery via SendTargets
[Figure: initiators send SendTargets to the discovery target address and receive the iSCSI target addresses 10.1.40.27:3260 and 10.1.40.28:3260; the iSAN administrator sets the IP addresses and ACLs; sessions are then established between initiators and targets]
Discovery via SLP
[Figure: the initiator gets the address of the SLP Directory Agent (DA) from DHCP, or multicasts to find the SLP DA and DHCP, then gets the addresses of the storage controllers from the SLP DA via unicast. The Service Agent (SA) within each target storage controller gets the DA address from DHCP and advertises its existence to the DA, or advertises its existence to the DA via multicast. The administrator sets the storage controller addresses (10.1.40.27:3260, 10.1.40.28:3260) and ACLs, and places the address of the SLP DA into DHCP. Sessions are then established between initiators and targets]
Discovery via iSNS
[Figure: initiators get the location of the iSNS server from DHCP and get the addresses of the storage controllers from iSNS. Each storage controller gets the iSNS server address from DHCP and then sends its profile to iSNS. The administrator sets the storage controller addresses (10.1.40.27:3260, 10.1.40.28:3260) and ACLs and places the address of iSNS into DHCP. Sessions are then established between initiators and targets]
iSCSI Redirection
After attempting to Login at the specified location, the specified Target may signal a redirection:
  Temporary redirection
  Permanent redirection
Redirection used for:
  Corrections between Discovery DB updates
  Admin or automatic hardware disablement for service, because of HW problems
  Load balancing
iSCSI Boot
Static configuration information for Boot
  Admin sets the authorized iSCSI Target Node Name and iSCSI Address, and an optional LUN (default LUN is 0)
Dynamic configuration via use of DHCP, SLP, iSNS
  DHCP can be used by the Host to get an IP address
  DHCP can hold the iSCSI Boot Service Option (Admin set)
    May contain all that is needed to reach the Boot device
    May only contain the iSCSI Target Node Name, then use SLP/iSNS to resolve it to an iSCSI address
  SLP or iSNS can also be used to find the Boot location
The Boot load process
  The Admin, or DHCP, SLP or iSNS, can enable the access
  BootP/PXE is also possible as part of a SW two-phase process
  A HW HBA can act as a normal SCSI HBA for system BIOS use
Now let’s look at the various environments where iSCSI is appropriate
Small Office Interconnect
[Figure: small office: an Ethernet switch connecting office systems, a print server, a NAS server and an iSCSI server]
IP Storage Combo -- NAS & iSCSI
[Figure: an Ethernet switch connecting office systems, a print server and a combined NAS/iSCSI server: Dual Dialect, block and file I/O]
Midrange Environment
[Figure: desktops, laptops and servers with iSCSI HBA & TOE chips connected over Cat 5 Ethernet cables and Ethernet switches to NAS and iSCSI storage (Dual Dialect), and to an iSCSI-to-FC bridge in front of FC disk storage]
Combining of FC and iSCSI
[Figure: an IP network with iSCSI initiators 1 and 2, iSCSI tape libraries 1 and 2, an iSNS server, a management platform, and FC-iSCSI gateways in front of FC fabrics containing FC JBODs and FC servers (WWN = X, Y, Z)]
The FC-iSCSI router registers the FC devices' WWN, iSCSI Name and alias. Both iSCSI and FC identities are stored in the iSNS server.
Management platforms can view and manage both iSCSI and FC devices by interacting with iSNS.
Other FC fabrics can be joined over a common IP network. Other gateways can discover the mapping (e.g. FC JBOD: WWN = X, iSCSI Name = 'abc'; FC Server: WWN = Y, iSCSI Name = 'xyz') by querying iSNS.
High-End Environment
Campus Network
Satellite and Central System/Storage
At-Distance
* Special tuning/equipment usually required for large distances
Web Server Installation
[Figure: web server systems with iSCSI HBA & TOE chips connected via Ethernet links (and Internet links) through Ethernet switches to an iSCSI SAN with NAS/iSCSI Dual Dialect storage, iSCSI SATA storage, and iSCSI to/from FC routing switches in front of an FC SAN with disk and tape FC storage controllers]
Peaceful Co-existence iSAN & NAS
Note: File Area Network (FAN) utilizes IP Networks and NAS protocols
[Figure: NAS and iSCSI RAID controllers behind a NAS/iSCSI gateway]
Supports both iSCSI and NAS (a Dual Dialect combination)
Security Properties
Connection Authentication: Who are you? Prove it!
  Mutual Authentication: Initiator to Target AND vice-versa
Packet Integrity: Has this data been tampered with?
  Cryptographic packet-by-packet authentication & integrity check, not just a checksum or CRC
  Anti-Replay to prevent regeneration attack
Privacy: Encryption of the Data
Authorization: What are you allowed to do?
  iSCSI: Who can connect to which Target
  LUN masking & mapping handled by SCSI, not iSCSI
iSCSI Security Features: Must be implemented but are Optional to use
  Subject to negotiation
iSCSI Security Considerations
Connection Authentication is the iSCSI way to determine trustworthiness, via:
  CHAP -- Challenge Handshake Authentication Protocol
    Strong secrets are required; can't use passwords
    Stronger than basic CHAP when the specification is followed
  SRP -- Secure Remote Password
  Kerberos -- A third-party authentication protocol
  SPKM-1, SPKM-2 -- Simple Public Key Mechanism
Connection Security may be used with or without IPsec's Packet Security:
  Packet Authentication: origin assurance
  Anti-Replay protection
  Privacy: encryption
Conclusions: iSCSI is the Network Storage Alternative
The performance on 1Gb Ethernet networks is "Good Enough" for many applications
  Host systems can use the cost-effective software iSCSI Initiators to great effect at 1Gb
  Host systems can use the low overhead of HW iSCSI HBAs for Initiators to great effect at 10Gb
With link aggregation and Ethernet networks moving to 10Gb, most storage networking needs can be handled by iSCSI
iSCSI is not just a Low-End protocol but will also apply to High End environments.
The use of the new Ethernet known as DCB, along with L2 Multipathing (e.g. TRILL), should greatly enhance iSCSI performance
iSCSI References
Both books published by Addison-Wesley; available in book stores and on Amazon.com
Volume purchases available
The detailed specification can be found at http://www.ietf.org/rfc/rfc3720.txt?number=3720
Other Information
Attribution & Feedback
The SNIA Education Committee would like to thank the following individuals for their contributions to this Tutorial.
Authorship History
  Original Author: John L. Hufferd / Fall 2004
  Updates: John L. Hufferd / Spring & Fall 2005-2012
Additional Contributors
  Members of the SNIA IP Storage Forum: David Black, David Dale, John Hufferd, Peter Hunt, Howard Goldstein, Gary Orenstein, Ahmad Zamer
Please send any questions or comments regarding this SNIA Tutorial to [email protected]
Appendix
CHAP Authentication Protocol
Based on a shared secret and a random challenge
Uses a secure (one-way) hash, usually MD5
One-way hash: computationally infeasible to invert
[Figure: the Host and the Storage each hold the shared secret; the Storage sends a challenge, both sides hash the secret with the challenge, and the Storage compares the Host's response with its own hash (Response = ?). The check can be outsourced to a RADIUS server]
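The challenge/response on this slide, and the "strong secrets, not passwords" requirement from the security considerations above, as an added Python example that is not part of the tutorial. It models the RFC 1994 CHAP computation (MD5 over identifier byte, shared secret and challenge) on both sides, runs it mutually in the order iSCSI uses (target challenges first; iSCSI carries the values in the CHAP_I, CHAP_C, CHAP_N and CHAP_R login keys), and shows why a fresh random challenge defeats replay of a captured response. The minimum secret length, the peer names and the secret values are this example's own assumptions.

```python
import hashlib
import hmac
import os

MIN_SECRET_BYTES = 12  # assumed policy for this example: reject short, password-like secrets


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP (RFC 1994) response: MD5 over identifier byte || shared secret || challenge.
    The one-way hash lets a peer prove knowledge of the secret without sending it."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapPeer:
    """One side of the exchange (initiator or target). It holds the shared secret and
    remembers the challenge it last issued so that exactly one response can answer it."""

    def __init__(self, name: str, secret: bytes):
        if len(secret) < MIN_SECRET_BYTES:
            raise ValueError("CHAP secret too short; use a random secret, not a password")
        self.name = name
        self._secret = secret
        self._pending = None  # (identifier, challenge) awaiting a response

    def issue_challenge(self):
        """Fresh random identifier and challenge (sent by iSCSI as CHAP_I / CHAP_C)."""
        ident, chal = os.urandom(1)[0], os.urandom(16)
        self._pending = (ident, chal)
        return ident, chal

    def respond(self, ident: int, chal: bytes) -> bytes:
        """Answer the peer's challenge (sent by iSCSI as CHAP_R together with CHAP_N)."""
        return chap_response(ident, self._secret, chal)

    def verify(self, response: bytes) -> bool:
        """Compare the peer's response with our own hash. The challenge is consumed, so
        a response captured earlier cannot satisfy a later challenge."""
        if self._pending is None:
            return False
        ident, chal = self._pending
        self._pending = None
        expected = chap_response(ident, self._secret, chal)
        return hmac.compare_digest(expected, response)


def mutual_chap(initiator: ChapPeer, target: ChapPeer) -> bool:
    """Target authenticates the initiator first, then the initiator authenticates the target."""
    ident, chal = target.issue_challenge()
    if not target.verify(initiator.respond(ident, chal)):
        return False
    ident, chal = initiator.issue_challenge()
    return initiator.verify(target.respond(ident, chal))


def replay_rejected(initiator: ChapPeer, target: ChapPeer) -> bool:
    """A response captured from one login does not satisfy the next login's fresh challenge."""
    ident, chal = target.issue_challenge()
    captured = initiator.respond(ident, chal)
    target.verify(captured)      # legitimate use of the response
    target.issue_challenge()     # next login: new random identifier and challenge
    return not target.verify(captured)


# Constructed secrets for the demonstration only (16 random-looking bytes each).
SHARED = bytes.fromhex("8f1c2a77d0e94b3a5c6d0f11aa22bb33")
OTHER = bytes.fromhex("00112233445566778899aabbccddeeff")
```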
iSCSI with IPsec
[Figure: message sequence between Initiator and Target]
  Initiator opens a socket connection to the Target
  IKE (Internet Key Exchange) is performed, with a pre-shared key (or certificate), to authenticate & obtain the encryption key for IPsec
  Both sides create the encryption key
  The message is sent on the open socket; the Target port is engaged
  The message is delivered to the Target's listening port
Spreading v. Centralizing the File System Overhead
Block I/O (including iSCSI) spreads the File System overhead across all the Clients
  Block I/O (including iSCSI) Storage Controllers just store the I/O blocks where the Client File System requests (perhaps with Virtualizing LUN Mapping)
NAS Clients move the File System overhead to the NAS server
  NAS Servers centralize the File System functions (and overhead) for all their clients into the NAS Server
  Plus the NAS Server still must map the resultant Blocks onto the Storage (perhaps with Virtualizing LUN Mapping)
The non-TCP/IP server-side overhead can be many times higher in NAS Servers than in Block I/O (iSCSI) Storage Controllers
Therefore, as a rule of thumb: use NAS for File Sharing and iSCSI for Block IP Storage