Securing iSCSI Storage Solution Using Hashed Pair Mechanism

Author - Madhukar Gunjan C, LSI Technologies India Pvt Ltd., INDIA

Abstract— iSCSI communication traffic is authenticated through the session establishment phase of the initiator and target. Both have to establish an iSCSI session before the data is accessible. During this login phase, both participating parties need to exchange information to authenticate each other, negotiate the session's parameters, and spot the connection as belonging to an iSCSI session. But this authentication is still happening at the iSCSI layer and is still vulnerable to corruption. The proposed method will further secure the traffic by adding one more layer of security at the iSCSI layer and the IP layer. This will be achieved with the help of a Hash pair mechanism and a pre-shared password between the initiator and target which will generate a digital signature to be included in the iSCSI PDU or frame. Also at another level, the IP layer, we further authenticate the IP header with the help of a second hash pair mechanism which gives us the hashed IP header to prevent security threat.

I. INTRODUCTION OF STORAGE SOLUTION

Mapping SCSI to iSCSI-

Transport Layer-

1. Multiplexing, Fragmentation,

2. Port link Establishment (Default 3260)

3. Flow control Using Sliding Window Protocol

4. Synchronize Out of order packet and discarded Packet.

Internet Protocol Layer-

1. Network layer to IP-Based SAN

2. Maintains IP address

3. IP Routers & Switches used to transfer iSCSI PDU.

Data Link Layer-

1. Gigabit Ethernet (GbE)

iSCSI- An Overview-

iSCSI is a transport protocol for SCSI that operates on top of TCP through encapsulation of SCSI commands in a TCP/IP stream. It enables the transport of I/O Block data over IP Networks.

iSCSI Connection and Session establishment-

iSCSI Connection:

1. Verify a TCP connection over which the initiator and target communicate via iSCSI PDUs.

2. Verify uniquely identified in a session by an initiator defined connection ID (CID).

3. Verify the response and any data associated with an iSCSI command must be returned on the same connection.

iSCSI Session:

1. Verify a set of iSCSI connections that link an iSCSI initiator and target.

2. Verify uniquely identified by a 64 bit Session ID (SID) built from a 48 bit initiator defined Initiator Session ID (ISID) and a 16 bit target defined Target Session Identifying Handle (TSIH).

3. Verify resources of a target (i.e., LUNs) must be identical across all connections that make up a session.

4. Verify commands can be alternated across all connections in a session for bandwidth aggregation.

5. Verify error recovery connections can be created on the same network portal as a failed connection.

Security at Risk- The existing solution takes care of security risk at the initial stage, to protect against attacks on the initial login. Initial authentication mechanisms may include SRP to validate the integrity of the sessions. Active attacks on session authentication, and active attacks on the TCP/IP sessions that result after the authentication (e.g., TCP/IP snooping), are the least addressed, since no strong protection is available at the iSCSI layer or the IP layer at this stage.

The diagram shows the various phases of iSCSI layer authentication. The authentication is done at the initial login phase only. Also currently there is no authentication happening at the IP layer level.

Disadvantages-

In most cases, the data is more important than performance. After the Full featured Phase, the initiator sends SCSI frames and the data as payload within the iSCSI PDU. At this stage it is possible for a snooper to attack over the IP network and perform the following harmful acts:

1. Hack the confidential data.

2. Inject data error during transmission.

3. Alter the packets containing data and SCSI command messages.

4. Access passwords from iSCSI login frame.

5. Reset the Connection and play havoc by attacking the security negotiation process.

Details of Solution- In iSCSI, a SCSI command is encapsulated in TCP/IP packets and transferred between a server (initiator) and a storage device (target) via IP networks. Since standard SCSI commands are embedded in iSCSI, users can operate a remote storage device directly as if they were accessing a local disk connected to the server. The frame structure is something like:-

To start with, we require the user to provide a password at the application level. This password is pre-shared between the initiator and the target at the onset only. We would use this password later to generate a digital signature at the iSCSI layer. Here we are going to have the first Hash Value function which will use the pre-shared password and generate a digital signature which goes into the iSCSI frame. We will add this piece of information in addition to the iSCSI Header, the SCSI data or the command in the iSCSI frame. The hash value function will work in the following way:-

H(input) = h

Where:- Input is the pre-shared password which the user specifies,

H is the hash function which takes a variable size input and returns a fixed sized string which is called the hash value h, which in our case would be the digital signature. The function would also have an inverse which will return the input variable when passed the digital signature as an argument.

H'(h) = input

Let us look at this with the following diagram-

At this stage we secure the iSCSI session establishment with the help of this digital signature and the 1st hash value function [HVF1]. We would be having a reverse hash function at the other end [target] which will, from the digital signature, re-generate the pre-shared password and authenticate the session. Once the passwords match we establish the connection.

Once the iSCSI session is established, then everything goes as before till we come to the IP layer. At this stage we would have a second hash function [Hash Value Function 2 or HVF2] which will take the initiator IP header and feed it into the function to generate a hashed IP header. Again at the target side we have a reverse of the hash function which will re-generate the Original IP header from the initiator. Now from the original IP header we extract the source and destination IP's and confirm them with an address index table present at this layer. This table is updated with all the IP's of the devices that are participating and are active in the network and is available with all the devices in the network. The Address index table is updated automatically as and when new devices join or leave the network. The table will be something like this:-

Address Index Table

Initiator/Host IP     Target/ISCSI Target Port IP
172.28.10.11          10.10.11.12
172.28.11.10          10.10.11.13

Once the source and destination IP's are matched, we secure the connection and ensure that no spoofing is happening. This way we make sure that the source and destination IP's re-generated from the hashed function are always valid IP's and are tamper-proof. This index table functionality is something new which would be present at the IP layer level of all devices. However, we would want this table to be administratively monitored and edited if required.

The following diagrams explain the concept from the initiator and target perspective-

From Initiator/Host to ISCSI Target

From ISCSI Target to Initiator/Host

The flow chart of the whole process would be as per the following diagram:-

1. Ethernet Frame Received. (Yes)

2. Filter Hashed IP Header. (Yes)

3. Reverse HVF2 + Hashed IP Header = Original IP Header. (Yes)

4. Is Src IP Addr in IP Header = Initiator IP Addr of Index Table && Is Dest IP Addr in IP Header = Target IP Addr of Index Table? No: Discard the Frame. Yes: Move frame to TCP Layer.

5. Filter out iSCSI PDU. (Yes)

6. Is Digital Sign included in the iSCSI PDU + HVF1 = Pre-Shared User Password? No: Discard the Frame. Yes: Bona-fide SCSI Frame. Access to Storage or Target Granted.
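The receive-side checks of the flow chart, as an added Python example that is not code from the paper. The paper leaves HVF1 and HVF2 unspecified and describes them as invertible; this example swaps in HMAC-SHA-256 keyed from the pre-shared password, so the target recomputes each tag and compares it instead of reversing it. The frame layout, salts, password and function names are constructed for illustration; the index table rows are the ones the paper shows.

```python
import hashlib
import hmac
import ipaddress

# Rows of the paper's Address Index Table: (initiator IP, target port IP).
ADDRESS_INDEX_TABLE = {("172.28.10.11", "10.10.11.12"),
                       ("172.28.11.10", "10.10.11.13")}
TAG_LEN = 32  # HMAC-SHA-256 output size in bytes

def derive_keys(password):
    """One key per layer from the pre-shared password (salts are constructed)."""
    pw = password.encode()
    k_ip = hashlib.pbkdf2_hmac("sha256", pw, b"demo-ip-layer", 100_000)
    k_pdu = hashlib.pbkdf2_hmac("sha256", pw, b"demo-iscsi-layer", 100_000)
    return k_ip, k_pdu

def tag(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def build_frame(keys, src, dst, pdu):
    """Initiator side: addresses | IP-layer tag | iSCSI PDU | PDU tag."""
    addrs = ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
    return addrs + tag(keys[0], addrs) + pdu + tag(keys[1], pdu)

def receive_frame(keys, frame):
    """Target side, in the flow chart's order. Returns (verdict, pdu or None)."""
    if len(frame) < 8 + 2 * TAG_LEN:
        return "discard: truncated frame", None
    addrs, ip_tag = frame[:8], frame[8:8 + TAG_LEN]
    pdu, pdu_tag = frame[8 + TAG_LEN:-TAG_LEN], frame[-TAG_LEN:]
    # IP layer: recompute the tag and compare in constant time.
    if not hmac.compare_digest(ip_tag, tag(keys[0], addrs)):
        return "discard: IP header tag mismatch", None
    src = str(ipaddress.IPv4Address(addrs[:4]))
    dst = str(ipaddress.IPv4Address(addrs[4:]))
    if (src, dst) not in ADDRESS_INDEX_TABLE:
        return "discard: addresses not in index table", None
    # iSCSI layer: the same check over the PDU bytes.
    if not hmac.compare_digest(pdu_tag, tag(keys[1], pdu)):
        return "discard: PDU tag mismatch", None
    return "granted", pdu

if __name__ == "__main__":
    keys = derive_keys("constructed-demo-password")
    frame = build_frame(keys, "172.28.10.11", "10.10.11.12", b"SCSI READ(10)")
    print(receive_frame(keys, frame))
    altered = frame[:40] + bytes([frame[40] ^ 1]) + frame[41:]  # flip one PDU bit
    print(receive_frame(keys, altered))
```

The tags here cover only the address pair and the PDU bytes; they are not bound to a sequence number, so replay detection is outside what this example checks.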

Features:

1. The digital signature feature can also be used in case of IPV6.

2. The address index table can be administratively edited to allow or deny devices participating in the network.

3. Hash pair functionality can be implemented either on a dedicated piece of hardware i.e. offloading the CPU computation onto a HBA (Host Bus Adapter) or on Software initiators and targets i.e. virtual SCSI adapters.

Advantages:

1. Authentication and Confidentiality – Ensures that the identities of both the sender and the receiver of a communication are authentic before information is exchanged and keeps important information confidential, private and within the control of the owning organization.

2. Data Integrity – Ensures the data integrity during transmission. We can be now sure that data is not stolen, deleted or maliciously altered. Thus this mechanism prevents storage networks from being compromised.

3. Implementation – The above described mechanism only requires a small amount of code addition to the iSCSI driver and to the NIC/HBA card driver and will be easy to implement.

Disadvantages-

1. Since we are not changing the frame size, some amount of payload data has to be compromised in order to accommodate the digital signature.

Usage-

1. This mechanism can be used with already existing infrastructure and would be helpful in securing iSCSI traffic. And the overall solution would greatly minimize unauthorized access to data and make the network more robust.

Terms Used-

NIC – Network Interface Card

HBA – Host Bus Adaptor

PDU – Protocol Data Unit

HVF – Hash Value Function

Author's Address-
Madhukar Gunjan C
LSI Technologies India Pvt Ltd.
#4/1, Baneerghatta Road,
Bangalore-560076