Monday, February 22, 2010

iSCSI(Internet Small Computer System Interface)

In computing, iSCSI (pronounced /aɪsˈkʌzi/ or eye-scuzzy), is an Internet Protocol (IP)-based storage networking standard for linking data storage facilities. By carrying SCSI commands over IP networks, iSCSI is used to facilitate data transfers over intranets and to manage storage over long distances. iSCSI can be used to transmit data over local area networks (LANs), wide area networks (WANs), or the Internet and can enable location-independent data storage and retrieval. The protocol allows clients (called initiators) to send SCSI commands (CDBs) to SCSI storage devices (targets) on remote servers. It is a popular storage area network (SAN) protocol, allowing organizations to consolidate storage into data center storage arrays while providing hosts (such as database and web servers) with the illusion of locally-attached disks. Unlike traditional Fibre Channel, which requires special-purpose cabling, iSCSI can be run over long distances using existing network infrastructure.
Functionality

iSCSI uses TCP/IP (typically TCP ports 860 and 3260). In essence, iSCSI simply allows two hosts to negotiate and then exchange SCSI commands using IP networks. By doing this iSCSI takes a popular high-performance local storage bus and emulates it over wide-area networks, creating a storage area network (SAN). Unlike some SAN protocols, iSCSI requires no dedicated cabling; it can be run over existing switching and IP infrastructure. However, the performance of an iSCSI SAN deployment can be severely degraded if not operated on a dedicated network or subnet (LAN or VLAN). As a result, iSCSI is often seen as a low-cost alternative to Fibre Channel, which requires dedicated infrastructure. However, Fibre Channel over Ethernet (FCoE) does not require dedicated infrastructure either.
Although iSCSI can communicate with arbitrary types of SCSI devices, system administrators almost always use it to allow server computers (such as database servers) to access disk volumes on storage arrays. iSCSI SANs often have one of two objectives:
Storage consolidation
Organizations move disparate storage resources from servers around their network to central locations, often in data centers; this allows for more efficiency in the allocation of storage. In a SAN environment, a server can be allocated a new disk volume without any change to hardware or cabling.

Disaster recovery
Organizations mirror storage resources from one data center to a remote data center, which can serve as a hot standby in the event of a prolonged outage. In particular, iSCSI SANs allow entire disk arrays to be migrated across a WAN with minimal configuration changes, in effect making storage "routable" in the same manner as network traffic.

Network booting
For general data storage on an already-running computer, any type of generic network interface may be used to access iSCSI devices. However, a generic consumer-grade network interface is not able to boot a diskless computer from a remote iSCSI data source. Instead it is commonplace for a server to load its initial operating system from a small local RAID mirror or flash drive boot device, and then use iSCSI for data storage once booting from the local device has finished.
A separate DHCP server may be configured to assist interfaces equipped with network boot capability to be able to boot over iSCSI. In this case the network interface looks for a DHCP server offering a PXE or bootp boot image. This is used to kick off the iSCSI remote boot process, using the booting network interface's MAC address to direct the computer to the correct iSCSI boot target.
Specialized iSCSI interfaces are available with built-in BIOS functionality that allows the interface to be preassigned to an iSCSI target, and be able to boot from it without additional help from a boot server, thereby reducing the network configuration complexity.
Concepts

Initiator
An initiator functions as an iSCSI client. An initiator typically serves the same purpose to a computer as a SCSI bus adapter would, except that instead of physically cabling SCSI devices (like hard drives and tape changers), an iSCSI initiator sends SCSI commands over an IP network. Initiators fall into two broad types:
Software initiator
A software initiator uses code to implement iSCSI. Typically, this happens in a kernel-resident device driver that uses the existing network card (NIC) and network stack to emulate SCSI devices for a computer by speaking the iSCSI protocol. Software initiators are available for most mainstream operating systems, and this type is the most common mode of deploying iSCSI on computers.

Hardware initiator
A hardware initiator uses dedicated hardware, typically in combination with software (firmware) running on that hardware, to implement iSCSI. A hardware initiator mitigates the overhead of iSCSI and TCP processing and Ethernet interrupts, and therefore may improve the performance of servers that use iSCSI.

Host Bus Adapter
An iSCSI host bus adapter (more commonly, HBA) implements a hardware initiator. A typical HBA is packaged as a combination of a Gigabit (or 10 Gigabit) Ethernet NIC, some kind of TCP/IP offload engine (TOE) technology and a SCSI bus adapter, which is how it appears to the operating system.
An iSCSI HBA can include PCI option ROM to allow booting from an iSCSI target.
TCP Offload Engine
A TCP Offload Engine, or "TOE Card", offers an alternative to a full iSCSI HBA. A TOE "offloads" the TCP/IP operations for this particular network interface from the host processor, freeing up CPU cycles for the main host applications. When a TOE is used rather than an HBA, the host processor still has to perform the processing of the iSCSI protocol layer itself, but the CPU overhead for that task is low.
iSCSI HBAs or TOEs are used when the additional performance enhancement justifies the additional expense of using an HBA for iSCSI, rather than using a software-based iSCSI client (initiator).
Target
The iSCSI specification refers to a storage resource located on an iSCSI server (more generally, one of potentially many instances of iSCSI storage nodes running on that server) as a target. An iSCSI target usually represents hard disk storage that works over the IP or Ethernet networks. "iSCSI target" should not be confused with the term "iSCSI", as the latter is a protocol and not a storage server instance.
As with initiators, software to provide an iSCSI target is available for most mainstream operating systems. Common deployment scenarios for an iSCSI target include:
Storage array
In a data center or enterprise environment, an iSCSI target often resides in a large storage array, such as a NetApp filer or an EMC NS-series computer appliance. A storage array usually provides distinct iSCSI targets for numerous clients.[1]
Software target
Some mainstream server operating systems (like FreeBSD, Linux, Solaris) along with some specific-purpose operating systems (like Openfiler, FreeNAS, Windows Storage Server or Windows Unified Data Storage Server) can provide free iSCSI target functionality implemented in software. The Windows Storage Server components are not intended for production use in such a case.
Logical Unit Number
In SCSI terminology, LUN stands for logical unit number. A LUN represents an individually addressable (logical) SCSI device that is part of a physical SCSI device (target). In an iSCSI environment, LUNs are essentially numbered disk drives. An initiator negotiates with a target to establish connectivity to a LUN; the result is an iSCSI connection that emulates a connection to a SCSI hard disk. Initiators treat iSCSI LUNs the same way as they would a raw SCSI or IDE hard drive; for instance, rather than mounting remote directories as would be done in NFS or CIFS environments, iSCSI systems format and directly manage filesystems on iSCSI LUNs.
In enterprise deployments, LUNs usually represent slices of large RAID disk arrays, often allocated one per client. iSCSI imposes no rules or restrictions on multiple computers sharing individual LUNs; it leaves shared access to a single underlying filesystem as a task for the operating system.
Addressing
Special names refer to both iSCSI initiators and targets. iSCSI provides three name formats:
- iSCSI Qualified Name (IQN). Format: iqn.yyyy-mm.{reversed domain name} (e.g. iqn.2001-04.com.acme:storage.tape.sys1.xyz). Note: there is an optional colon with arbitrary text afterwards; this text is there to help better organize or label resources.
- Extended Unique Identifier (EUI). Format: eui.{EUI-64 bit address} (e.g. eui.02004567A425678D)
- T11 Network Address Authority (NAA). Format: naa.{NAA 64 or 128 bit identifier} (e.g. naa.52004567BA64678D)

IQN format addresses occur most commonly. They are qualified by a date (yyyy-mm) because domain names can expire or be acquired by another entity.
The IEEE Registration Authority provides EUIs in accordance with the EUI-64 standard. NAA identifiers incorporate an OUI (Organizationally Unique Identifier), which is also provided by the IEEE Registration Authority. NAA name formats were added to iSCSI in RFC 3980, to provide compatibility with naming conventions used in Fibre Channel and Serial Attached SCSI (SAS) storage technologies.
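The three name formats above are easy to get subtly wrong in access-control lists (a stray upper-case letter, a bad month, an EUI of the wrong length), and a target that compares raw strings may then silently deny or permit the wrong node. The following parser is an added example written for this page, not code from any iSCSI implementation: the regular expressions are its own approximation of the RFC 3720 and RFC 3980 syntax, the 223-byte limit is the RFC 3720 node-name limit, and lower-casing stands in for the RFC 3722 string profile that case-folds names before comparison.

```python
import re
from dataclasses import dataclass

# Added example for this page: a classifier/normalizer for the three iSCSI name formats.
# The patterns are this example's own approximation of the RFC 3720 / RFC 3980 syntax.
_IQN_RE = re.compile(
    r"^iqn\.(?P<year>\d{4})-(?P<month>\d{2})\."
    r"(?P<domain>[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)*)"
    r"(?::(?P<label>\S+))?$"
)
_EUI_RE = re.compile(r"^eui\.(?P<hex>[0-9a-f]{16})$")            # EUI-64: 16 hex digits
_NAA_RE = re.compile(r"^naa\.(?P<hex>[0-9a-f]{16}|[0-9a-f]{32})$")  # NAA: 64 or 128 bits
MAX_NAME_BYTES = 223  # RFC 3720 limit on the length of an iSCSI node name


@dataclass(frozen=True)
class ISCSIName:
    kind: str         # "iqn", "eui" or "naa"
    normalized: str   # lower-cased form used for comparisons
    authority: str    # reversed domain name (iqn) or hex identifier (eui/naa)
    label: str        # optional text after the colon in an IQN, "" otherwise


def parse_iscsi_name(raw: str) -> ISCSIName:
    """Classify and normalize an iSCSI name; raise ValueError for anything malformed."""
    name = raw.strip()
    if len(name.encode("utf-8")) > MAX_NAME_BYTES:
        raise ValueError(f"iSCSI names are limited to {MAX_NAME_BYTES} bytes")
    # Lower-casing approximates the RFC 3722 string profile, which case-folds names
    # before they are compared; an ACL that skips this step compares the wrong thing.
    lowered = name.lower()
    m = _IQN_RE.match(lowered)
    if m:
        if not 1 <= int(m["month"]) <= 12:
            raise ValueError(f"invalid month in IQN date: {m['month']}")
        return ISCSIName("iqn", lowered, m["domain"], m["label"] or "")
    m = _EUI_RE.match(lowered)
    if m:
        return ISCSIName("eui", lowered, m["hex"], "")
    m = _NAA_RE.match(lowered)
    if m:
        return ISCSIName("naa", lowered, m["hex"], "")
    raise ValueError(f"not a valid iSCSI name: {raw!r}")


def same_node(a: str, b: str) -> bool:
    """True when two strings name the same iSCSI node after normalization."""
    return parse_iscsi_name(a).normalized == parse_iscsi_name(b).normalized
```

Feeding every initiator name through parse_iscsi_name before it is stored in a target's ACL, and comparing with same_node at login time, removes the class of "typo in the ACL" misconfigurations that otherwise show up as mysterious login failures or as an initiator seeing LUNs meant for another host.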
Usually an iSCSI participant can be defined by three or four fields:
- Hostname or IP address (e.g., "iscsi.example.com")
- Port number (e.g., 3260)
- iSCSI name (e.g., the IQN "iqn.2003-01.com.ibm:00.fcd0ab21.shark128")
- An optional CHAP secret (e.g., "secretsarefun")

iSNS
iSCSI initiators can locate appropriate storage resources using the Internet Storage Name Service (iSNS) protocol. In theory, iSNS provides iSCSI SANs with the same management model as dedicated Fibre Channel SANs. In practice, administrators can satisfy many deployment goals for iSCSI without using iSNS.
Security

Authentication
iSCSI initiators and targets prove their identity to each other using the CHAP protocol, which includes a mechanism to prevent cleartext passwords from appearing on the wire. By itself, the CHAP protocol is vulnerable to dictionary attacks, spoofing, or reflection attacks. If followed carefully, the rules for using CHAP within iSCSI prevent most of these attacks.[2]
Additionally, as with all IP-based protocols, IPsec can operate at the network layer. The iSCSI negotiation protocol is designed to accommodate other authentication schemes, though interoperability issues limit their deployment.
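The "rules for using CHAP within iSCSI" cited above come from RFC 3720 section 8.2.1 (reference [2]). The simulation below is an added example written for this page, not code from any initiator or target implementation: it computes the RFC 1994 MD5 response that iSCSI's CHAP_A=5 uses, renders the CHAP_A/CHAP_I/CHAP_C login keys, and enforces the RFC's checks that a target never reuses a challenge, never accepts its own challenge reflected back for the mutual-authentication leg, and refuses secrets shorter than 96 bits on a non-encrypted channel. The requirement that the two directions use different secrets is a policy choice of this example (a common deployment rule), not a statement from the page; the initiator name and secrets are constructed sample values.

```python
import hashlib
import hmac
import os
import secrets

# Added example for this page; hypothetical helpers, not an iSCSI stack's API.
MIN_SECRET_BITS = 96  # RFC 3720 section 8.2.1 minimum for CHAP over a non-encrypted channel


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5 (iSCSI CHAP_A=5): MD5(Identifier || Secret || Challenge)."""
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP_I is a single octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def check_secret(secret: bytes) -> None:
    if len(secret) * 8 < MIN_SECRET_BITS:
        raise ValueError(f"CHAP secret must be at least {MIN_SECRET_BITS} bits on a non-encrypted channel")


def login_key(name: str, value) -> str:
    """Render a key=value pair as it travels in the Login PDU text segment (binary as 0x hex)."""
    if isinstance(value, bytes):
        value = "0x" + value.hex()
    return f"{name}={value}"


class ChapTarget:
    """A target holding one CHAP secret per initiator and its own secret for mutual authentication."""

    def __init__(self, initiator_secrets: dict, target_secret: bytes):
        check_secret(target_secret)
        for s in initiator_secrets.values():
            check_secret(s)
            if s == target_secret:  # example policy: a reflected response must never be valid in reverse
                raise ValueError("secrets for the two directions must differ")
        self.initiator_secrets = initiator_secrets
        self.target_secret = target_secret
        self.outstanding = {}  # initiator name -> (CHAP_I, CHAP_C) awaiting a response
        self.issued = set()    # every challenge this target ever sent

    def issue_challenge(self, initiator: str) -> list:
        challenge = os.urandom(16)
        while challenge in self.issued:  # RFC 3720: a responder must not reuse a challenge
            challenge = os.urandom(16)
        self.issued.add(challenge)
        ident = secrets.randbelow(256)
        self.outstanding[initiator] = (ident, challenge)
        return [login_key("CHAP_A", 5), login_key("CHAP_I", ident), login_key("CHAP_C", challenge)]

    def verify_initiator(self, initiator: str, response: bytes) -> bool:
        ident, challenge = self.outstanding.pop(initiator)
        secret = self.initiator_secrets.get(initiator)
        if secret is None:
            return False
        return hmac.compare_digest(chap_response(ident, secret, challenge), response)

    def answer_challenge(self, ident: int, challenge: bytes) -> bytes:
        # Mutual-authentication leg: RFC 3720 requires the responder to check that the
        # originator did not reflect the responder's own challenge, and to close the connection if so.
        if challenge in self.issued:
            raise ConnectionError("reflected challenge: closing TCP connection")
        return chap_response(ident, self.target_secret, challenge)


def login(target: ChapTarget, initiator: str, initiator_secret: bytes, known_target_secret: bytes) -> bool:
    """Simulate the security-negotiation stage of an iSCSI login with bidirectional CHAP."""
    keys = dict(k.split("=", 1) for k in target.issue_challenge(initiator))
    ident, challenge = int(keys["CHAP_I"]), bytes.fromhex(keys["CHAP_C"][2:])
    if not target.verify_initiator(initiator, chap_response(ident, initiator_secret, challenge)):
        return False
    my_ident, my_challenge = secrets.randbelow(256), os.urandom(16)  # initiator challenges the target
    target_response = target.answer_challenge(my_ident, my_challenge)
    return hmac.compare_digest(target_response, chap_response(my_ident, known_target_secret, my_challenge))
```

The reflection check is the one most often missing from home-grown targets: without it, a party that is challenged can hand the same challenge straight back and relay the genuine response, which is exactly why RFC 3720 makes the responder close the connection when it sees its own challenge returned.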
Logical network isolation
To ensure that only valid initiators connect to storage arrays, administrators most commonly run iSCSI only over logically-isolated backchannel networks. In this deployment architecture, only the management ports of storage arrays are exposed to the general-purpose internal network, and the iSCSI protocol itself is run over dedicated network segments or virtual LANs (VLAN). This mitigates authentication concerns; unauthorized users aren't physically provisioned for iSCSI, and thus can't talk to storage arrays. However, it also creates a transitive trust problem, in that a single compromised host with an iSCSI disk can be used to attack storage resources for other hosts.
Physical network isolation
While iSCSI can be logically isolated from the general network using VLANs only, it is still no different from any other network equipment and may use any cable or port as long as there is a completed signal path between source and target. Just a single cabling mistake by an inexperienced network technician can compromise the barrier of logical separation, and an accidental bridging may not be immediately detected because it does not cause network errors.
In order to further differentiate iSCSI from the regular network and prevent cabling mistakes when changing connections, administrators may implement self-defined color coding and labeling standards, such as only using yellow-colored cables for the iSCSI connections and only blue cables for the regular network, and clearly labeling ports and switches used only for iSCSI.
While iSCSI could be implemented as just a VLAN cluster of ports on a large multi-port switch that is also used for general network usage, the administrator may instead choose to use physically separate switches dedicated to iSCSI VLANs only, to further prevent the possibility of an incorrectly connected cable plugged into the wrong port bridging the logical barrier.
Authorization
Because iSCSI aims to consolidate storage for many servers into a single storage array, iSCSI deployments require strategies to prevent unrelated initiators from accessing storage resources. As a pathological example, a single enterprise storage array could hold data for servers variously regulated by the Sarbanes-Oxley Act for corporate accounting, HIPAA for health benefits information, and PCI DSS for credit card processing. During an audit, storage systems must demonstrate controls to ensure that a server under one regime cannot access the storage assets of a server under another.
Typically, iSCSI storage arrays explicitly map initiators to specific target LUNs; an initiator authenticates not to the storage array, but to the specific storage asset it intends to use. However, because the target LUNs for SCSI commands are expressed both in the iSCSI negotiation protocol and in the underlying SCSI protocol, care must be taken to ensure that access control is provided consistently.
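The consistency warning above has a concrete form: the 8-byte LUN field that iSCSI carries in every SCSI Command PDU can encode the same logical unit in more than one SCSI addressing format, and the list a target returns to REPORT LUNS must be drawn from the same masking table that the per-command check uses. The model below is an added example for this page, not the code of any storage array: it decodes the two single-level LUN encodings this example supports (peripheral-device and flat-space addressing), denies anything it cannot decode, drives discovery and per-command authorization from one table, and adds an audit helper for the regulatory separation the section describes. The initiator names, LUN numbers and regime labels are constructed sample values.

```python
# Added example for this page: a LUN-masking model with one ACL for discovery and enforcement.
# Hypothetical helpers; not the API of any storage array.

def encode_lun(lun: int) -> bytes:
    """Encode a LUN as the 8-byte field used in iSCSI PDUs and REPORT LUNS (single-level formats)."""
    if 0 <= lun < 256:                # peripheral device addressing, bus identifier 0
        return bytes([0x00, lun]) + b"\x00" * 6
    if lun < 0x4000:                  # flat space addressing, 14-bit LUN
        return bytes([0x40 | (lun >> 8), lun & 0xFF]) + b"\x00" * 6
    raise ValueError("LUN outside the single-level address range")


def decode_lun(field: bytes) -> int:
    """Decode the LUN field; both encodings of the same number must map to the same ACL entry."""
    if len(field) != 8:
        raise ValueError("LUN field is 8 bytes")
    method, b0, b1 = field[0] >> 6, field[0] & 0x3F, field[1]
    if method == 0:                   # peripheral device addressing
        if b0 != 0:
            raise ValueError("non-zero bus identifier not supported")
        return b1
    if method == 1:                   # flat space addressing
        return (b0 << 8) | b1
    raise ValueError("logical-unit and extended addressing methods not supported")


class MaskedTarget:
    def __init__(self, acl: dict):
        # acl: initiator name -> LUN numbers it may use. The same table answers
        # REPORT LUNS and checks every command, so the two layers cannot disagree.
        self.acl = {name: frozenset(luns) for name, luns in acl.items()}

    def report_luns(self, initiator: str) -> list:
        """LUN fields returned to this initiator by REPORT LUNS: only its masked set."""
        return [encode_lun(lun) for lun in sorted(self.acl.get(initiator, ()))]

    def authorize(self, initiator: str, lun_field: bytes) -> bool:
        """Per-command check on the LUN field of an incoming SCSI Command PDU."""
        try:
            lun = decode_lun(lun_field)
        except ValueError:
            return False              # undecodable encodings are denied, never passed through
        return lun in self.acl.get(initiator, frozenset())


def audit_regimes(target: MaskedTarget, regime_of: dict) -> list:
    """LUNs reachable from initiators under different regulatory regimes (an auditor wants this empty)."""
    seen = {}  # lun -> set of regimes that can reach it
    for initiator, luns in target.acl.items():
        for lun in luns:
            seen.setdefault(lun, set()).add(regime_of.get(initiator, "unclassified"))
    return sorted(lun for lun, regimes in seen.items() if len(regimes) > 1)
```

The deny-on-undecodable branch matters: a target that compares the raw 8-byte field against the bytes it handed out in REPORT LUNS would pass flat-space encodings of a masked LUN straight through, while one that silently treats unknown formats as LUN 0 grants access it never intended.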
Confidentiality and integrity
For the most part, iSCSI operates as a cleartext protocol that provides no cryptographic protection for data in motion during SCSI transactions. As a result, an attacker who can listen in on iSCSI Ethernet traffic can:
- reconstruct and copy the files and filesystems being transferred on the wire
- alter the contents of files by injecting fake iSCSI frames
- corrupt filesystems being accessed by initiators, exposing servers to software flaws in poorly-tested filesystem code

These problems do not occur only with iSCSI, but rather apply to any IP-based SAN protocol without cryptographic security. Adoption and deployment of IPsec, frequently cited as a solution to the IP SAN security problem, has been hampered by performance and compatibility issues.
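To make the cleartext point concrete for anyone deciding whether isolation or IPsec is worth the effort: every iSCSI PDU begins with a 48-byte Basic Header Segment, and for a SCSI Command the LUN, the SCSI CDB (including the logical block address of a READ(10) or WRITE(10)) and the expected data length all sit in fixed positions, followed for Data-In by the returned blocks themselves. The code below is an added example for this page, not code from any iSCSI stack or capture tool: it builds two constructed sample PDUs (a READ(10) and its Data-In reply) and parses them back the way a passive monitor on the storage VLAN would, assuming no header digest or additional header segments are present. Run against a real capture it is a starting point for a detection rule (for example, writes to a LUN from an initiator that should only read it); on its own it shows exactly which fields a link-level observer gets for free.

```python
import struct

# Added example for this page: build and parse iSCSI PDU headers (RFC 3720 BHS layout).
ISCSI_OPCODES = {0x00: "NOP-Out", 0x01: "SCSI Command", 0x03: "Login Request",
                 0x04: "Text Request", 0x05: "SCSI Data-Out", 0x06: "Logout Request",
                 0x20: "NOP-In", 0x21: "SCSI Response", 0x23: "Login Response",
                 0x24: "Text Response", 0x25: "SCSI Data-In", 0x31: "R2T"}
SCSI_CDB_OPCODES = {0x00: "TEST UNIT READY", 0x12: "INQUIRY", 0x28: "READ(10)",
                    0x2A: "WRITE(10)", 0xA0: "REPORT LUNS"}


def build_scsi_read10(lun: int, lba: int, blocks: int, itt: int, cmdsn: int,
                      expstatsn: int, block_size: int = 512) -> bytes:
    """Constructed sample: a SCSI Command PDU (opcode 0x01) carrying a READ(10) CDB."""
    cdb = struct.pack(">BBIBHB", 0x28, 0, lba, 0, blocks, 0).ljust(16, b"\x00")
    flags = 0x80 | 0x40                             # F (final) and R (read) bits
    return (bytes([0x01, flags, 0, 0])              # opcode, flags, reserved
            + bytes([0]) + (0).to_bytes(3, "big")   # TotalAHSLength, DataSegmentLength
            + bytes([0, lun]) + b"\x00" * 6         # LUN field, peripheral device addressing
            + itt.to_bytes(4, "big")                # Initiator Task Tag
            + (blocks * block_size).to_bytes(4, "big")  # Expected Data Transfer Length
            + cmdsn.to_bytes(4, "big") + expstatsn.to_bytes(4, "big")
            + cdb)


def build_data_in(itt: int, payload: bytes, statsn: int = 0) -> bytes:
    """Constructed sample: a SCSI Data-In PDU (opcode 0x25) returning payload for task itt."""
    bhs = (bytes([0x25, 0x80, 0, 0])                # opcode, F bit
           + bytes([0]) + len(payload).to_bytes(3, "big")
           + b"\x00" * 8                            # LUN (not used here)
           + itt.to_bytes(4, "big")
           + b"\xff\xff\xff\xff"                    # Target Transfer Tag, reserved value
           + statsn.to_bytes(4, "big")
           + b"\x00" * 16                           # ExpCmdSN, MaxCmdSN, DataSN, BufferOffset
           + b"\x00" * 4)                           # ResidualCount
    return bhs + payload + b"\x00" * ((-len(payload)) % 4)  # data segment padded to 4 bytes


def parse_pdu(pdu: bytes) -> dict:
    """Decode the cleartext fields a passive observer can read from one PDU."""
    if len(pdu) < 48:
        raise ValueError("BHS is 48 bytes")
    opcode = pdu[0] & 0x3F
    ahs_len = pdu[4] * 4
    seg_len = int.from_bytes(pdu[5:8], "big")
    info = {"opcode": ISCSI_OPCODES.get(opcode, f"0x{opcode:02x}"),
            "immediate": bool(pdu[0] & 0x40),
            "lun_field": pdu[8:16].hex(),
            "itt": int.from_bytes(pdu[16:20], "big"),
            "data_segment_length": seg_len}
    if opcode == 0x01:
        flags, cdb = pdu[1], pdu[32:48]
        info.update({"read": bool(flags & 0x40), "write": bool(flags & 0x20),
                     "expected_data_length": int.from_bytes(pdu[20:24], "big"),
                     "cmdsn": int.from_bytes(pdu[24:28], "big"),
                     "scsi_op": SCSI_CDB_OPCODES.get(cdb[0], f"0x{cdb[0]:02x}")})
        if cdb[0] in (0x28, 0x2A):                 # READ(10)/WRITE(10): LBA bytes 2-5, length bytes 7-8
            info["lba"] = int.from_bytes(cdb[2:6], "big")
            info["blocks"] = int.from_bytes(cdb[7:9], "big")
    start = 48 + ahs_len                            # no HeaderDigest assumed in this example
    info["data"] = pdu[start:start + seg_len]
    return info
```

Nothing in the parse step needed a key or a session secret: the block addresses and, for Data-In, the block contents are readable by anyone on the path, which is the property IPsec (or strict physical isolation) is meant to remove.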
Industry support

Operating-system support
The dates that appear in the following table might be misleading. It is known for example that IBM delivered an iSCSI storage device (NAS200i) in 2001 for use with Windows NT, Windows 2000 and Linux.
OS           First release date   Version                                       Features
i5/OS        2006-10              i5/OS V5R4M0                                  Target, Multipath
VMware ESX   2006-06              ESX 3.5.0, ESX 4.0                            Initiator, Multipath
AIX          2002-10              AIX 5.3 TL10, AIX 6.1 TL3                     Target, Initiator
Windows      2003-06              2000, XP Pro, 2003, Vista, 2008, 2008 R2, 7   Initiator, Target†, Multipath
NetWare      2003-08              NetWare 5.1, 6.5, & OES                       Initiator, Target
HP-UX        2003-10              HP 11i v1, HP 11i v2, HP 11i v3               Initiator
Solaris      2005-02              Solaris 10, OpenSolaris                       Initiator, Target, Multipath, iSER
Linux        2005-06              2.6.12                                        Initiator, Target, Multipath, iSER
NetBSD       2006-02              4.0, 5.0                                      Initiator (5.0), Target (4.0)
FreeBSD      2008-02              7.0                                           Initiator, Target from NetBSD
OpenVMS      2008-02              8.3-1H1                                       Initiator, Multipath
Mac OS X     2008-07              10.4 - 10.6                                   Initiator
†Target available only as part of Windows Unified Data Storage Server (WUDSS)
Targets
Most iSCSI targets involve disk, though iSCSI tape and medium-changer targets are popular as well. So far, physical devices have not featured native iSCSI interfaces on a component level. Instead, devices with Parallel SCSI or Fibre Channel interfaces are bridged by using iSCSI target software, external bridges, or controllers internal to the device enclosure.
Alternatively, it is possible to virtualize disk and tape targets. Rather than representing an actual physical device, an emulated virtual device is presented. The underlying implementation can deviate drastically from the presented target as is done with virtual tape library (VTL) products. VTLs use disk storage for storing data written to virtual tapes. As with actual physical devices, virtual targets are presented by using iSCSI target software, external bridges, or controllers internal to the device enclosure.
In the security products industry, some manufacturers use an iSCSI RAID as a target, with the initiator being either an IP-enabled encoder or camera.
Converters and bridges
Multiple systems exist that allow Fibre Channel, SCSI and SAS devices to be attached to an IP network for use via iSCSI. They can be used to allow migration from older storage technologies, access to SANs from remote servers and the linking of SANs over IP networks. An iSCSI gateway bridges IP servers to Fibre Channel SANs. The TCP connection is terminated at the gateway, which is implemented on a Fibre Channel switch or as a standalone appliance.
See also
- ATA-over-Ethernet (AoE)
- Fibre Channel over Ethernet (FCoE)
- Fibre Channel over IP (FCIP)
- Unified Storage - The Picquelle Report (NAS, SAN and HA)
- HyperSCSI - SCSI over Ethernet frames instead of IP (as iSCSI is)
- iSCSI Extensions for RDMA (iSER)
- Internet Fibre Channel Protocol (iFCP)
- Internet Storage Name Service (iSNS)
- Service Location Protocol
- Comparison of iSCSI targets

References
[1] David Oppenheimer and David A. Patterson, "Architecture and Dependability of Large-Scale Internet Services", Berkeley, IEEE Internet Computing, September–October 2002.
[2] Satran, Julian; Meth, Kalman; Sapuntzakis, Costa; Zeidner, Efri; Chadalapaka, Mallikarjun (2004-04-02). "RFC 3720". http://tools.ietf.org/html/rfc3720#section-8.2.1

External links
- Microsoft portal on iSCSI Technology
- Microsoft iSCSI Documentation for Windows 7 and Windows Server 2008 R2

RFCs
- RFC 3720 - Internet Small Computer Systems Interface (iSCSI)
- RFC 3721 - Internet Small Computer Systems Interface (iSCSI) Naming and Discovery
- RFC 3722 - String Profile for Internet Small Computer Systems Interface (iSCSI) Names
- RFC 3723 - Securing Block Storage Protocols over IP
- RFC 3347 - Small Computer Systems Interface protocol over the Internet (iSCSI) Requirements and Design Considerations
- RFC 3783 - Small Computer Systems Interface (SCSI) Command Ordering Considerations with iSCSI
- RFC 3980 - T11 Network Address Authority (NAA) Naming Format for iSCSI Node Names
- RFC 4018 - Finding Internet Small Computer Systems Interface (iSCSI) Targets and Name Servers by Using Service Location Protocol version 2 (SLPv2)
- RFC 4173 - Bootstrapping Clients using the Internet Small Computer System Interface (iSCSI) Protocol
- RFC 4544 - Definitions of Managed Objects for Internet Small Computer System Interface (iSCSI)
- RFC 4850 - Declarative Public Extension Key for Internet Small Computer Systems Interface (iSCSI) Node Architecture
- RFC 4939 - Definitions of Managed Objects for iSNS (Internet Storage Name Service)
- RFC 5048 - Internet Small Computer System Interface (iSCSI) Corrections and Clarifications
- RFC 5047 - DA: Datamover Architecture for the Internet Small Computer System Interface (iSCSI)
- RFC 5046 - Internet Small Computer System Interface (iSCSI) Extensions for Remote Direct Memory Access (RDMA)
