Transport Layer-
1. Multiplexing, fragmentation
2. Port link establishment (default port 3260)
3. Flow control using the Sliding Window protocol
4. Synchronize out-of-order packets and discarded packets
Internet Protocol Layer-
1. Network layer for the IP-based SAN
2. Maintains IP addresses
3. IP routers and switches used to transfer iSCSI PDUs
Data Link Layer-
1. Gigabit Ethernet (GbE)
iSCSI- An Overview-
iSCSI is a transport protocol for SCSI that operates on top of TCP through encapsulation of SCSI commands in a TCP/IP stream. It enables the transport of I/O block data over IP networks.
iSCSI Connection and Session establishment-
iSCSI Connection:
1. Verify a TCP connection over which the initiator and target communicate via iSCSI PDUs.
2. Verify that it is uniquely identified in a session by an initiator-defined connection ID (CID).
3. Verify that the response and any data associated with an iSCSI command are returned on the same connection.
iSCSI Session:
1. Verify a set of iSCSI connections that link an iSCSI initiator and target.
2. Verify that it is uniquely identified by a 64-bit Session ID (SID) built from a 48-bit initiator-defined Initiator Session ID (ISID) and a 16-bit target-defined Target Session Identifying Handle (TSIH).
3. Verify that the resources of a target (i.e., LUNs) are identical across all connections that make up a session.
4. Verify that commands can be alternated across all connections in a session for bandwidth aggregation.
5. Verify that error recovery connections can be created on the same network portal as a failed connection.
Security at Risk-
The existing solution takes care of the security risk at the initial stage, to protect against an initial login attack. Initial authentication mechanisms may include SRP to validate the integrity of the sessions. So we are least bothered about active attacks on session authentication; what we are concerned with is active attacks on the TCP/IP sessions that result after the authentication (e.g., TCP/IP snooping), since no strong protection is provided at the iSCSI layer and IP layer at this stage, so it is possible for a snooper to attack over the IP network and perform the following harmful acts:
1. Hack the confidential data.
2. Inject errors during data transmission.
3. Alter the packets containing data and SCSI command messages.
4. Access passwords from the iSCSI login frame.
5. Reset the connection and play havoc by attacking the security negotiation process.
Details of Solution-
In iSCSI, a SCSI command is encapsulated in TCP/IP packets and transferred between a server (initiator) and a storage device (target) via IP networks. Since standard SCSI commands are embedded in iSCSI, users can operate a remote storage device directly as if they were accessing a local disk connected to the server. The frame structure is something like:-
To start with, we require the user to provide a password at the application level. This password is pre-shared between the initiator and the target at the onset only. We would use this password later to generate a digital signature at the iSCSI layer. Here we are going to have the first Hash Value Function, which will use the pre-shared password and generate a digital signature that goes into the iSCSI frame. We will add this piece of information in addition to the iSCSI header and the SCSI data or command in the iSCSI frame.
The hash value function will work in the following way:-
Let us look at this with the following diagram-
[Figure: receive-side flow. Ethernet frame received -> filter hashed IP header -> reverse HVF2 + hashed IP header = original IP header -> move frame to TCP layer -> filter out iSCSI PDU -> bona-fide SCSI frame: access to storage or target granted. Each step proceeds only on a "Yes" check.]
... network and is available with all the devices in the network. The Address index table is updated automatically as and when new devices join or leave the network.
The table will be something like this:-
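As an added example (not code from the paper or from LSI), the following Python models two things described above: the session identification from the iSCSI Connection and Session establishment section (CID, and the 64-bit SID built from the 48-bit ISID and 16-bit TSIH, read from a Login Request BHS as laid out in RFC 3720), and the receive-side decision in the flowchart, where a PDU is treated as a bona-fide SCSI frame only if the sending device is allowed by the address index table and the digital signature produced by the hash value function verifies. Everything the paper leaves open is an assumption here: the hash value function is HMAC-SHA256 keyed with the pre-shared password and truncated to 16 bytes, the signature sits in the last 16 bytes of the data segment so the frame size is unchanged, the address index table is a plain allow/deny mapping, and the IP-header HVF2 step is not modelled because the page does not define it. All sample values are constructed.

```python
import hashlib
import hmac
import struct

BHS_LEN = 48             # iSCSI Basic Header Segment is 48 bytes (RFC 3720)
SIG_LEN = 16             # payload bytes given up to carry the signature (assumed size)
OP_LOGIN_REQUEST = 0x03  # opcode of a Login Request (RFC 3720)


def parse_bhs(bhs: bytes) -> dict:
    """Extract the fields this check needs from a 48-byte BHS. In a Login Request,
    bytes 8-13 hold the 48-bit ISID, bytes 14-15 the 16-bit TSIH and bytes 20-21
    the CID; the 64-bit session ID is the ISID followed by the TSIH."""
    if len(bhs) != BHS_LEN:
        raise ValueError("BHS must be exactly 48 bytes")
    fields = {
        "opcode": bhs[0] & 0x3F,  # low 6 bits; the immediate (I) bit is masked off
        "data_segment_length": int.from_bytes(bhs[5:8], "big"),
    }
    if fields["opcode"] == OP_LOGIN_REQUEST:
        isid = int.from_bytes(bhs[8:14], "big")
        (tsih,) = struct.unpack(">H", bhs[14:16])
        (cid,) = struct.unpack(">H", bhs[20:22])
        fields.update(isid=isid, tsih=tsih, cid=cid, sid=(isid << 16) | tsih)
    return fields


def hvf1(password: bytes, bhs: bytes, payload: bytes) -> bytes:
    """Hash value function keyed with the pre-shared password, over the iSCSI header
    and the retained payload. HMAC-SHA256 truncated to SIG_LEN is an assumption;
    the paper does not name the function."""
    return hmac.new(password, bhs + payload, hashlib.sha256).digest()[:SIG_LEN]


def sign_pdu(password: bytes, bhs: bytes, data: bytes) -> bytes:
    """Initiator side. The frame size is left unchanged: the last SIG_LEN bytes of
    the data segment are replaced by the signature, which is the trade-off the
    paper lists under Disadvantages. Data-segment padding is ignored here."""
    if len(data) < SIG_LEN:
        raise ValueError("data segment too short to carry the signature")
    kept = data[: len(data) - SIG_LEN]
    return bhs + kept + hvf1(password, bhs, kept)


def verify_pdu(src_ip: str, frame: bytes, password: bytes, address_index: dict):
    """Target side, following the flowchart: the sending device must be allowed by
    the address index table and the PDU's signature must verify before the frame
    is treated as a bona-fide SCSI frame. Returns (accepted, reason)."""
    if not address_index.get(src_ip, False):
        return False, "device denied by address index table"
    if len(frame) < BHS_LEN + SIG_LEN:
        return False, "frame too short"
    bhs, body = frame[:BHS_LEN], frame[BHS_LEN:]
    if len(body) != parse_bhs(bhs)["data_segment_length"]:
        return False, "data segment length does not match header"
    payload, sig = body[:-SIG_LEN], body[-SIG_LEN:]
    if not hmac.compare_digest(sig, hvf1(password, bhs, payload)):
        return False, "signature mismatch"
    return True, "bona-fide SCSI frame; access granted"


def make_login_bhs(isid: int, tsih: int, cid: int, data_len: int) -> bytes:
    """Constructed Login Request BHS for the demo (immediate bit 0x40 set)."""
    bhs = bytearray(BHS_LEN)
    bhs[0] = 0x40 | OP_LOGIN_REQUEST
    bhs[5:8] = data_len.to_bytes(3, "big")
    bhs[8:14] = isid.to_bytes(6, "big")
    bhs[14:16] = struct.pack(">H", tsih)
    bhs[20:22] = struct.pack(">H", cid)
    return bytes(bhs)


# Constructed demo inputs: a pre-shared password and an address index table that
# allows one initiator and administratively denies another.
PASSWORD = b"constructed-pre-shared-password"
ADDRESS_INDEX = {"10.0.0.5": True, "10.0.0.9": False}


def demo() -> dict:
    bhs = make_login_bhs(isid=0x400001370000, tsih=0, cid=1, data_len=64)
    frame = sign_pdu(PASSWORD, bhs, bytes(range(64)))
    # flip one bit inside the payload to model an altered packet
    tampered = frame[:60] + bytes([frame[60] ^ 0x01]) + frame[61:]
    return {
        "sid": parse_bhs(bhs)["sid"],
        "allowed": verify_pdu("10.0.0.5", frame, PASSWORD, ADDRESS_INDEX)[0],
        "denied_device": verify_pdu("10.0.0.9", frame, PASSWORD, ADDRESS_INDEX)[0],
        "altered_payload": verify_pdu("10.0.0.5", tampered, PASSWORD, ADDRESS_INDEX)[0],
        "wrong_password": verify_pdu("10.0.0.5", frame, b"guess", ADDRESS_INDEX)[0],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run it as a script and the demo accepts only the untampered frame from the allowed device. The keyed check is what distinguishes this scheme from the CRC32C header and data digests that RFC 3720 already provides: a CRC catches transmission corruption, but anyone who can alter the packet can recompute it, whereas the HMAC cannot be recomputed without the pre-shared password.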
Features:
1. The digital signature feature can also be used in the case of IPv6.
2. The address index table can be administratively edited to allow or deny devices participating in the network.
3. Hash pair functionality can be implemented either on a dedicated piece of hardware, i.e. offloading the CPU computation onto an HBA (Host Bus Adapter), or on software initiators and targets, i.e. virtual SCSI adapters.
Advantages:
1. Authentication and Confidentiality – Ensures that the identities of both the sender and the receiver of a communication are authentic.
Disadvantages-
1. Since we are not changing the frame size, some amount of payload data has to be compromised in order to accommodate the digital signature.
Usage-
1. This mechanism can be used with already existing infrastructure and would be helpful in securing iSCSI traffic. The overall solution would greatly minimize unauthorized access to data and make the network more robust.
Terms Used-
NIC – Network Interface Card
HBA – Host Bus Adaptor
PDU – Protocol Data Unit
HVF – Hash Value Function
Author's Address-
Madhukar Gunjan C
LSI Technologies India Pvt Ltd.
#4/1, Baneerghatta Road,
Bangalore-560076