HufferdJohn IP Storage Protocols ISCSI

IP Storage Protocols: iSCSI
John L Hufferd, Consultant

Hufferd Enterprises
SNIA Legal Notice
The material contained in this tutorial is copyrighted by the SNIA.
Member companies and individual members may use this material in
presentations and literature under the following conditions:
Any slide or slides used must be reproduced in their entirety without
modification
The SNIA must be acknowledged as the source of any material used in the
body of any document containing material from these presentations.
This presentation is a project of the SNIA Education Committee.
Neither the author nor the presenter is an attorney and nothing in this
presentation is intended to be, or should be construed as legal advice or an
opinion of counsel. If you need legal advice or a legal opinion please
contact your attorney.
The information presented herein represents the author's personal opinion
and current understanding of the relevant issues involved. The author, the
presenter, and the SNIA do not assume any responsibility or liability for
damages arising out of any reliance on or use of this information.
NO WARRANTIES, EXPRESS OR IMPLIED. USE AT YOUR OWN RISK.
© 2011 Storage Networking Industry Association. All Rights Reserved.
2
Abstract
This session will explain the various parts of iSCSI
Network encapsulations of iSCSI PDUs
Session Relationship to SCSI and TCP/IP Connections
iSCSI flow from Initiator to Target
Error Recovery, Discovery and Security
It will also explain Companion Processes
Boot
SLP
iSNS
And the session will describe iSCSI Environments
From the small office, to the High End Enterprise
This session is appropriate for end user and developers of
iSCSI technologies

3
Terms
iSCSI - Internet SCSI
NAS - Network Attached Storage
Supports CIFS (Common Internet File System) protocols
Supports NFS (Network File System) protocols
FAN – File Area Networks
Utilize IP Networks and NAS protocols
HBA - Host Bus Adapter
TOE - TCP/IP Offload Engine
FC - Fibre Channel
SAN - Storage Area Network
Supports Block Storage Protocols (FC and iSCSI)
iSAN – A Storage Area Network made up of iSCSI connections
PDU - Protocol Data Unit
4
Agenda
Introduction
iSCSI Features
Error handling, Boot, Discovery
iSCSI usage models
iSCSI Security
Q&A

5
Agenda
Introduction
iSCSI Features
Error Handling, Boot, Discovery
iSCSI usage models
iSCSI Security
Q&A

6
Small Computer System Interconnect
(SCSI)
Legacy Printers
Scanners
SCSI BUS
(Almost completely replaced by
Serial-SCSI for single system
storage connections)
Tapes
ATA/SATA
There are 2 main hard drive interface classes
Disk available today:
Desktop / Server •ATA (used mostly in desktop and
laptop systems)
Computer •Includes SATA which is
becoming a larger presence in
SCSI Disks server class systems/arrays
•SCSI (used in server-class systems)
• includes PSCSI, FC & SAS
Note: ATA and SCSI drives with Serial attachments are called SATA and SAS

7
Systems with SCSI over Networks
Application Application Application
File System File System File System
Fibre Channel
or Storage Area Network (SAN)
iSCSI With Block I/O
Both Fibre Channel and iSCSI can makeup a SAN

Replaces shared bus with switched fabric
8
iSCSI is:
Internet SCSI: internet Small Computer System Interconnect
iSCSI is a SCSI transport protocol for mapping of block-oriented storage

data over TCP/IP networks
The iSCSI protocol enables universal access to storage devices and Storage
Area Networks (SANs) over standard TCP/IP networks
On Ethernet LANs: Copper & Optical
On ATM WANs
On SONET WANs
Wireless
Etc.

9
Data Encapsulation Into Network
Packets
Ethernet TCP SCSI Optional DATA

IP iSCSI FCS
Header Cmds (CRC)
iSCSI Protocol Data Unit (PDU): Provides ordering and

control information. Contains iSCSI control info, with
optional SCSI Commands &/or Data
Provides Reliable data transport and delivery (TCP Windows,

ACKs, ordering, etc.) Also demux within node (port numbers)
Provides IP “routing” capability so that packet can

find its way through the network
Provides physical network capability (Cat 5, MAC, etc.)

10
iSCSI Mapping
iSCSI PDU
iSCSI Control Header
Optional Data
(with optional SCSI Command)
Optional Header CRC Optional Data CRC
iSCSI PDU iSCSI PDU iSCSI PDU iSCSI PDU
Header Header with Header with

Header Data Data
& SCSI Command SCSI Cmd Only Control Info
IP packet IP packet IP packet IP packet IP packet IP packet IP packet IP packet
iSCSI PDU alignment

with packets varies
11
iSCSI - Layered Model
Application
Layer I/O
Application Logical Unit
Request
SCSI Interface
SCSI Class Driver SCSI Device

SCSI Application
SCSI Layer
SCSI CDB
(SCSI Initiator) Protocol (SCSI Target)
Interface
iSCSI
Protocol iSCSI Protocol iSCSI Protocol iSCSI PDU
Services Services
Layer
iSCSI Transport
Interface TCP
TCP/IP TCP/IP segments
TCP/IP TCP/IP Protocol TCP/IP
TCP/IP TCP/IP TCP/IP in IP
Datagrams
iSCSI session
Data link + Data link + Ethernet

Ethernet Physical Physical Frame
Ethernet
Transparently encapsulates SCSI Command Descriptor Blocks (CDBs)

12
Application to LU Command Flow
Application
iSCSI Chip/HBA Device Driver

File System SCSI Layer
SCSI HBA Device Driver

Target Function
(CDB
Disk orTape Driver Passthrough)
(SCSI Class Driver) HBA
iSCSI Device Driver HBA

HBA
LU#1 LU#2 LU#3
(LU = Logical Unit)

13
Multiple Connections Between Hosts
and Storage Controllers
Application
Application
File System
File System
Disk or Tape Driver

(SCSI Class Driver)
Disk or Tape Driver
(SCSI Class Driver) WedgeDriver
iSCSI Device iSCSI Device

Driver Driver
iSCSI Device Driver
one Session two Sessions

15
iSCSI Integrity
iSCSI adds Cyclic Redundancy Check (CRC)

CRC-32C - A 32 bit check word algorithm
End to End Checking
In addition to TCP/IP Checksums
In addition to Ethernet Link layer Frame Check Sequence (FCS)
iSCSI’s CRC “check word” is called a “Digest”
iSCSI can have Digests for iSCSI Headers and Data

Header Digest is optional to use (MUST implement)
Insures correct operation and data placement
Data Digest is optional to use (MUST implement)
Insures data is unmodified through-out network path
16
iSCSI Message Types
Called Protocol Data Units (PDUs)
Initiator to Target Target to Initiator

NOP-out NOP-in
SCSI Command SCSI Response
Encapsulates a SCSI CDB Can contain status
SCSI Task Mgmt Cmd SCSI Task Mgmt Rsp
Login Command Login Response
Text Command Text Response
Including SendTargets
– Used in iSCSI Discovery
SCSI data-out SCSI data-in
Output Data for Writes Input Data from Reads
Logout Command Logout Response
Ready to transfer
R2T
Async Event
17
Agenda
Introduction
iSCSI Features
Error Handling, Boot, Discovery
iSCSI usage models
iSCSI Security
Q&A

18
iSCSI Error Handling
ErrorRecoveryLevel = 0
When iSCSI detects errors it will bring down the Session (all
TCP connections within the Session) and restart it
iSCSI will let the SCSI layer retry the operation
Detected errors (Header or Data) causes PDUs to be
discarded
iSCSI will retransmit discarded commands
iSCSI will retransmit discarded data
Caused by loss of the TCP/IP connection
Connection & Allegiance reestablishment
Uses ErrorRecoveryLevel 1 to recover lost PDUs
19
Discovery via SendTargets
iSCSI Targets iSCSI Targets

iSCSI Targets 10.1.40.27:3260
10.1.40.27:3260
10.1.40.27:3260 10.1.40.28:3260
10.1.40.28:3260 Set
10.1.40.28:3260
Discovery
Target
Addrs
SendTargets SendTargets
SendTargets
iSAN
Set IP Addrs
10.1.40.27:3260 10.1.40.28:3260 and
Sessions between ACLs
Initators and Targets

20
Discovery via SLP
Get Addr of SLP

DA from DHCP
Get Addrs of
Multicast to find SLP DA & DHCP Storage Cntrls from
SLP Directory Get Addr of Storage Cntrls SLP DA
Agent (DA) via Unicast
SA gets DA Addr
from DHCP then
Advertises its
existence to DA
SA Advertises its
existence to DA via
Multicast
Note: Service Agent
(SA) exist within
Target Storage Ctlrs
Sessions between
Initiators and Targets Set Addr of Storage Cntlrs + 10.1.40.28:3260
10.1.40.27:3260 ACLs, and place Addr of
SLP DA into DHCP

21
Discovery via iSNS
Gets location of iSNS from Gets location of iSNS from

DHCP & Get Addr of Storage DHCP & Get Addr of Storage
Cntrls from iSNS Cntrls from iSNS
DHCP
iSNS Server
Str Ctlr gets iSNS

Str Ctlr gets iSNS Svr Addr from
Svr Addr from DHCP then sends
DHCP then sends its profile to iSNS
its profile to iSNS
Set Addr of Storage Cntlrs + 10.1.40.28:3260

10.1.40.27:3260 ACLs and place Addr of
iSNS into DHCP
Sessions between Initiators and Targets

22
iSCSI Redirection
After attempting to Login at specified location:

The specified Target may signal a redirection
Temporary redirection
Permanent redirection
Redirection used for:
Corrections between Discovery DB updates
Admin or automatic Hardware disablement
for Service
Because of HW problems
For load balancing

23
iSCSI Boot
Static configuration information for Boot

Admin sets authorized iSCSI Target Node Name and iSCSI Address,
Optional LUN
Default LUN is 0
Dynamic configuration via use of DHCP, SLP, iSNS
DHCP can be used by Host to get an IP address
DHCP can hold the iSCSI Boot Service Option (Admin Set)
May contain all that is needed to reach the Boot device
May only contain iSCSI Target Node Name, then use SLP/iSNS to resolve to iSCSI
address
SLP, or iSNS can also be used to find the Boot location
The Boot load process
The Admin. or DHCP, SLP or iSNS can enable the access
BootP/PXE is also possible as part of a SW two phase process
HW HBA can act as a normal SCSI HBA for system BIOS use

24
Agenda
Introduction
iSCSI Features
Boot, Discovery, Error Handling
iSCSI usage models
IP Security
Q&A

25
Now let’s look at the various
environments where iSCSI is appropriate

26
Small Office Interconnect
Ethernet
Switch
Print
Server
NAS
Office iSCSI
Server

27
IP Storage Combo -- NAS & iSCSI
Ethernet
Switch
Print
Server
NAS iSCSI
Office
Server
Dual Dialect
Block and File I/O
28
Midrange Environment
Desktops and Laptops

iSCSI
Servers
HBA & TOE
Dhip
iSCSI
HBA
iSCSI
HBA & TOE
Dhip
& TOE
Chip
Ethernet Switch HBA iSCSI
& TOE
Dhip
HBA iSCSI
& TOE
Dhip
Cat.5 Ethernet Cables Ethernet Switch
iSCSI
iSCSI
NAS iSCSI iSCSI iSCSI
& TOE
iSCSI Dhip
& TOE
Chip
iSCSI to FC
iSCSI
HBA & TOE
Dhip
Bridge
FC
iSCSI
Dual Dialect
FC Disk Storage
29
Combining of FC and iSCSI
Management
FC-iSCSI Router Platforms
registers FC devices can view and manage
WWN and iSCSI Name both iSCSI and
alias. Both iSCSI and
iSNS
Management FC devices by
FC identities are Platform
stored in the iSNS
Server interacting with iSNS
iSCSI server
iSCSI Tape server
Library 1 iSCSI
iSCSI Tape Initiator 2
Library 2 Initiator 1
IP Network
FC-iSCSI FC-iSCSI Other FC fabrics

Gateway can be joined over
Gateway common IP
FC Fabric FC JBOD: WWN=X,
FC Fabric network.
iSCSI Name = a‘ bc’ Other gateways
FC JBOD: FC Server: WWN=Y, can discover open
WWN = X FC Server: FC JBOD: mapping by
iSCSI Name = x‘ yz’
WWN = Y WWN = X FC Server: querying iSNS
WWN = Z

30
High-End Environment

31
Campus Network

32
Satellite and Central System/Storage

33
At-Distance
* Special Tuning/Equipment usually required for large distances

34
Web Server Installation
Internet Links
Ethernet Links
NAS iSCSI
HBA
HBA iSCSI
iSCSI
& TOE
Chip
& TOE
Chip
Ethernet
Switch
Web Server Systems iSCSI

SAN Dual
Dialect
iSCSI
&
TOE
Chip
iSCSI
& TOE
iSCSI to/from Chip
FC Routing
Switches
FC
SAN iSCSI
iSCSI SATA
Disk and Tape FC Storage Controllers

35
Peaceful Co-existence
iSAN & NAS
Note: File Area Network (FAN)
utilizes IP Networks and NAS
protocols
NAS iSCSI-Gateway
Supports both iSCSI and NAS

(a Dual Dialect combination)
iSCSI RAID Ctlrs

36
Agenda
Introduction
iSCSI Features
Boot, Discovery, Error Handling
iSCSI usage models
iSCSI Security
Q&A

37
Security Properties
Connection Authentication: Who are you? Prove it!

Mutual Authentication: Initiator to Target AND vice-versa
Packet Integrity: Has this data been tampered with?
Cryptographic Packet by Packet authentication & integrity check, not
just checksum or CRC
Anti-Replay to prevent regeneration attack
Privacy: Encryption of the Data
Authorization: What are you allowed to do?
iSCSI: Who can connect to which Target
LUN masking & mapping handled by SCSI, not iSCSI
iSCSI Security Features: Must be implemented but are
Optional to use
Subject to negotiation
38
iSCSI Security Considerations
 Connection Authentication is iSCSI way to

determine trustworthiness via
CHAP -- Challenge Handshake Authentication Protocol with strong secrets is
required
Can’t use passwords
Stronger than basic CHAP when specification is followed
SRP -- Secure Remote Password
Kerberos -- A Third Party Authentication protocol
SPKM-1,SPKM-2 -- Simple Public Key Mechanism
 Connection Security may be used with or without

IPsec’s Packet Security:
Packet Authentication
Origin assurance
Anti-Reply protection
Privacy
Encryption
39
Conclusions
iSCSI is the Network Storage Alternative
The performance on 1Gb Ethernet networks is

“Good Enough” for many applications
Host systems can use the cost effective software iSCSI
Initiators to great effect at 1Gb
Host system can use the low overhead of HW iSCSI
HBA for Initiators to great effect at 10Gb
With link aggregation and Ethernet networks moving
to 10Gb, most storage networking needs can be
handled by iSCSI
iSCSI is not just a Low-End protocol but will also
apply to the High End environments.
41
iSCSI References
Both Books
Published by Addison-Wesley
Available in Book Stores
and Amazon.com
Volume purchases available
The detail specification can be found at

http://www.ietf.org/rfc/rfc3720.txt?number=3720
42
Q&A / Feedback
Please send any questions or comments on this

presentation to SNIA: tracknetworking@snia.org
Many thanks to the following Group and

individuals
for their contributions to this tutorial.
SNIA Education Committee
Members of the SNIA IP Storage Forum

David Black
David Dale
John Hufferd
Peter Hunt
Howard Goldstein
Gary Orenstein
Ahmad Zamer

43
Appendix

44
CHAP Authentication Protocol
Based on shared secret, random challenge

Uses a secure (one-way) hash, usually MD5
One-way hash: Computationally infeasible to invert
Secret
Challenge Secret
Hash
Hash
Response
=? Can be
outsourced to
RADIUS server
Host Storage
45
iSCSI with IPsec
Initiator Opens Socket

connection to Target
IKE (Internet Key Exchange) is performed to Pre-shared Key (or Certificate)

authenticate & obtain encryption key for IPSec
Create encryption key
Target Port is Message

engaged
Message is sent on
Open Socket
Create encryption key
Message
Message is delivered to Target's Listening Port

46
Spreading v. Centralizing the File
System Overhead
Block I/O (including iSCSI) spread the File NAS Clients move the File System
System overhead across all the Clients overhead to the NAS server
NAS Servers centralizes the File

Block I/O (including iSCSI) Storage
System functions (and overhead) for
Controllers just store the I/O blocks
all its clients into the NAS Server
where the Client File System requests
Plus the NAS Server still must map
(perhaps with Virtualizing LUN Mapping)
the resultant Blocks onto the Storage
(perhaps with Virtualizing LUN
Mapping)
The non TCP/IP Server side overhead can be many times higher in
NAS Servers than Block I/O (iSCSI) Storage Controllers
Therefore, as a rule of thumb: use NAS for File Sharing and iSCSI for Block IP Storage

47

HufferdJohn IP Storage Protocols ISCSI

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

HufferdJohn IP Storage Protocols ISCSI

Uploaded by

Copyright:

Available Formats

IP Storage Protocols: iSCSI

John L Hufferd, Consultant

IP Storage Protocols: iSCSI

IP Storage Protocols: iSCSI

IP Storage Protocols: iSCSI

IP Storage Protocols: iSCSI

Application Application Application

File System File System File System

Both Fibre Channel and iSCSI can makeup a SAN

Internet SCSI: internet Small Computer System Interconnect

iSCSI is a SCSI transport protocol for mapping of block-oriented storage

IP Storage Protocols: iSCSI

Ethernet TCP SCSI Optional DATA

iSCSI Protocol Data Unit (PDU): Provides ordering and

Provides Reliable data transport and delivery (TCP Windows,

Provides IP “routing” capability so that packet can

IP Storage Protocols: iSCSI

iSCSI PDU iSCSI PDU iSCSI PDU iSCSI PDU

Header Header with Header with

IP packet IP packet IP packet IP packet IP packet IP packet IP packet IP packet

iSCSI PDU alignment

SCSI Class Driver SCSI Device

Data link + Data link + Ethernet

Transparently encapsulates SCSI Command Descriptor Blocks (CDBs)

iSCSI Chip/HBA Device Driver

SCSI HBA Device Driver

iSCSI Device Driver HBA

LU#1 LU#2 LU#3

(LU = Logical Unit)

Disk or Tape Driver

iSCSI Device iSCSI Device

one Session two Sessions

IP Storage Protocols: iSCSI

iSCSI adds Cyclic Redundancy Check (CRC)

iSCSI’s CRC “check word” is called a “Digest”

iSCSI can have Digests for iSCSI Headers and Data

Initiator to Target Target to Initiator

IP Storage Protocols: iSCSI

iSCSI Targets iSCSI Targets

IP Storage Protocols: iSCSI

Get Addr of SLP

IP Storage Protocols: iSCSI

Gets location of iSNS from Gets location of iSNS from

Str Ctlr gets iSNS

Set Addr of Storage Cntlrs + 10.1.40.28:3260

Sessions between Initiators and Targets

IP Storage Protocols: iSCSI

After attempting to Login at specified location:

IP Storage Protocols: iSCSI

Static configuration information for Boot

IP Storage Protocols: iSCSI

IP Storage Protocols: iSCSI

IP Storage Protocols: iSCSI

IP Storage Protocols: iSCSI

Desktops and Laptops

Cat.5 Ethernet Cables Ethernet Switch

FC-iSCSI FC-iSCSI Other FC fabrics

IP Storage Protocols: iSCSI

IP Storage Protocols: iSCSI

IP Storage Protocols: iSCSI

IP Storage Protocols: iSCSI

* Special Tuning/Equipment usually required for large distances

Web Server Systems iSCSI

Disk and Tape FC Storage Controllers