© 2007 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 USA
All rights reserved.
This product or document is protected by copyright and distributed under licenses restricting its use, copying, distribution, and decompilation. No part of this product or document may be reproduced in any form by any means without prior written authorization of Sun and its licensors, if any. Third-party software, including font technology, is copyrighted and licensed from Sun suppliers.
Parts of the product may be derived from Berkeley BSD appliances, licensed from the University of California.
Sun, Sun Microsystems, Sun StorEdge, the Sun logo, and Solaris are trademarks, registered trademarks, or service marks of Sun Microsystems, Inc. in the U.S. and other countries.
UNIX is a registered trademark in the United States and other countries, exclusively licensed through X/Open Company, Ltd. Windows is a registered trademark of Microsoft Corporation in the United States and other countries.
All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. in the U.S. and other countries. Products bearing SPARC trademarks are based upon an architecture developed by Sun Microsystems, Inc.
The OPEN LOOK and Sun's Graphical User Interface was developed by Sun Microsystems, Inc. for its users and licensees. Sun acknowledges the pioneering efforts of Xerox in researching and developing the concept of visual or graphical user interfaces for the computer industry. Sun holds a non-exclusive license from Xerox to the Xerox Graphical User Interface, which license also covers Sun's licensees who implement OPEN LOOK GUIs and otherwise comply with Sun's written license agreements.
RESTRICTED RIGHTS: Use, duplication, or disclosure by the U.S. Government is subject to restrictions of FAR 52.227-14(g)(2)(6/87) and FAR 52.227-19(6/87), or DFAR 252.227-7015(b)(6/95) and DFAR 227.7202-3(a).
DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID.
Table of Contents
Introduction: Why Build Storage Area Networks?
Terminology
iSCSI Fundamentals
Internet Storage Name Service
LUN Masking
IP SAN Security
iSCSI Host Bus Adapters
Booting Over iSCSI
iSCSI Targets and iSCSI Routers
Extending IP SANs Over Wide Area Networks
Positioning IP SANs with NAS and Fibre Channel SANs
Making a Choice between an IP SAN or a Fibre Channel SAN
References
Terminology
iSCSI
iSCSI (Internet Small Computer System Interface) is a data transport protocol used to carry block-level data over IP networks.
IP SAN
An IP SAN is a Storage Area Network that uses the iSCSI protocol to transfer block-level data over a network, generally Ethernet.
Initiator
In this document the term "initiator" is used interchangeably to refer to a server, host or device driver that initiates (i.e. begins) iSCSI command sequences.
Target
iSCSI targets break down iSCSI command sequences from initiators and process the SCSI commands. Examples of iSCSI targets are a disk or tape device with an iSCSI port and a NAS appliance with iSCSI target support.
iSCSI Fundamentals
iSCSI Enabling Hosts
Software based iSCSI initiators are available for most operating systems including: the Solaris™ OS, Microsoft Windows, AIX, HP-UX, and Linux. These work with standard NICs. iSCSI Host Bus Adapters (HBAs) are available to provide iSCSI support for some operating systems (or versions of operating systems) that do not have software initiators available. See reference (v) for a list of Solaris Ready iSCSI HBAs.
iSCSI Log In
An iSCSI log in is the process of establishing an iSCSI session.
iSCSI Discovery
iSCSI Discovery is the process by which an iSCSI initiator can learn which target iSCSI node names are available to it. There are a number of different methods of discovery:
Static Configuration
The initiator is told the complete target name including portal addresses, etc. This information is configured manually.
Send-Targets
The initiator is told to query a discovery IP address. The initiator communicates with the discovery address to receive all the configuration data available to this initiator for that target, e.g. all of the volumes it has access to. This needs to be repeated for each target.
Internet Storage Name Service
For small IP SANs the methods described above will suffice. For larger IP SANs the Internet Storage Name Service (iSNS) removes the need to manually enter discovery information on each initiator by providing centralized naming services. iSNS is a large topic and is covered in a later section.
LUN Masking
If a target is an array or NAS appliance with iSCSI support, many hosts may be initiating against it. A method of controlling access to the target's volumes is necessary, otherwise multiple hosts can discover and try to use the same volume and, with the exception of certain applications which support or require shared storage, data corruption would almost certainly result. To achieve this, the Administrator maintains Access Control Lists (ACLs) on the iSCSI target which contain a list of the initiator node names that are permitted to access each iSCSI volume. Initiators cannot discover volumes that they have not been given access to. The volume (also known commonly as a LUN) is "masked": they cannot see it.
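The following sketch models the per-volume ACL described above and the masked discovery it produces, and adds an audit for volumes visible to more than one initiator without being marked as shared. It is an added example, not code from the original paper or from any Sun product; the MaskedTarget class, the volume names and the node names are hypothetical, and only iqn-format names are handled.

```python
import re

# Simplified check for iqn-format names; eui-format names are out of scope here.
IQN_RE = re.compile(r"^iqn\.\d{4}-\d{2}\.[a-z0-9][a-z0-9.-]*(:\S+)?$")

def normalize(node_name: str) -> str:
    """Lower-case and validate a node name so ACL lookups cannot miss on case."""
    name = node_name.strip().lower()
    if not IQN_RE.match(name):
        raise ValueError(f"not an iqn-format node name: {node_name!r}")
    return name

class MaskedTarget:
    """Hypothetical target holding one ACL of initiator node names per volume."""

    def __init__(self):
        self.acl = {}        # volume name -> set of permitted initiator names
        self.shared = set()  # volumes deliberately shared (e.g. cluster storage)

    def permit(self, volume: str, initiator: str, shared: bool = False) -> None:
        self.acl.setdefault(volume, set()).add(normalize(initiator))
        if shared:
            self.shared.add(volume)

    def discover(self, initiator: str) -> list:
        """Volumes this initiator may see; everything else stays masked."""
        name = normalize(initiator)
        return sorted(v for v, allowed in self.acl.items() if name in allowed)

    def audit(self) -> list:
        """Volumes visible to several initiators without being marked shared."""
        return sorted(v for v, allowed in self.acl.items()
                      if len(allowed) > 1 and v not in self.shared)

def build_sample() -> MaskedTarget:
    # Constructed node names and volumes, for illustration only.
    t = MaskedTarget()
    t.permit("vol-db", "iqn.2007-01.com.example:dbhost")
    t.permit("vol-mail", "iqn.2007-01.com.example:mailhost")
    t.permit("vol-mail", "iqn.2007-01.com.example:webhost")  # likely a mistake
    t.permit("vol-cluster", "iqn.2007-01.com.example:node1", shared=True)
    t.permit("vol-cluster", "iqn.2007-01.com.example:node2", shared=True)
    return t
```

The ACL keys on a node name that the initiator itself asserts, so masking is normally paired with the CHAP authentication covered under IP SAN Security.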
IP SAN Security
VLANs
Virtual Local Area Networks (VLANs) are the most common method of securing IP SANs. VLANs can be used to isolate iSCSI nodes from other devices on the network.
CHAP
The Challenge Handshake Authentication Protocol (CHAP) is used for authentication between iSCSI targets and iSCSI initiators. CHAP can be Unidirectional or Bidirectional: using Unidirectional CHAP, an iSCSI initiator authenticates itself with an iSCSI target using a secret key (i.e. a password) known as the CHAP secret; using Bidirectional CHAP the target then also authenticates itself with the initiator using a second CHAP secret. A RADIUS server can be used to simplify CHAP secret key management when using Bidirectional CHAP authentication (a RADIUS server is a centralized authentication service). While you must still specify the initiator's CHAP secret, you are no longer required to specify each target's CHAP secret on each initiator.
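The bidirectional exchange described above can be walked through with both sides' messages, using the MD5 response calculation that CHAP defines in RFC 1994. This is an added example, not code from the original paper or from any iSCSI implementation; the ChapPeer class, the function names and the secrets are hypothetical, and the login is simplified to two sequential challenge/response rounds.

```python
import hashlib
import hmac
import os

MIN_SECRET_LEN = 12  # 96 bits, the floor RFC 3720 sets when IPsec is absent

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994): MD5(identifier byte || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

class ChapPeer:
    """One end of a login: own_secret proves us, peer_secret checks them."""

    def __init__(self, own_secret: bytes, peer_secret: bytes):
        if min(len(own_secret), len(peer_secret)) < MIN_SECRET_LEN:
            raise ValueError("CHAP secret shorter than 96 bits")
        if hmac.compare_digest(own_secret, peer_secret):
            raise ValueError("each direction needs its own secret")
        self.own_secret, self.peer_secret = own_secret, peer_secret
        self._pending = None  # (identifier, challenge) we are waiting on

    def issue_challenge(self):
        self._pending = (os.urandom(1)[0], os.urandom(16))
        return self._pending

    def answer(self, ident: int, challenge: bytes) -> bytes:
        # Refuse to answer our own outstanding challenge (reflection).
        if self._pending and hmac.compare_digest(challenge, self._pending[1]):
            raise ValueError("reflected challenge")
        return chap_response(ident, self.own_secret, challenge)

    def verify(self, response: bytes) -> bool:
        if self._pending is None:
            return False  # nothing outstanding, or challenge already used
        ident, challenge = self._pending
        self._pending = None  # a challenge is good for one attempt only
        expected = chap_response(ident, self.peer_secret, challenge)
        return hmac.compare_digest(expected, response)

def bidirectional_login(initiator: ChapPeer, target: ChapPeer) -> str:
    ident, challenge = target.issue_challenge()
    if not target.verify(initiator.answer(ident, challenge)):
        return "initiator rejected"
    ident, challenge = initiator.issue_challenge()
    if not initiator.verify(target.answer(ident, challenge)):
        return "target rejected"
    return "session established"

# Constructed secrets, for illustration only.
INITIATOR_SECRET = b"initiator-secret-01"
TARGET_SECRET = b"target-secret-0001"
```

With Unidirectional CHAP only the first round runs, so an initiator has no way to notice a target that does not hold the second secret.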
IPsec
IP Security (IPsec) is a set of protocols developed by the Internet Engineering Task Force (IETF) to support the secure exchange of packets at the IP layer. IPsec is deployed widely to implement Virtual Private Networks (VPNs). IPsec can operate in Transport Mode or Tunnel Mode:
In Transport Mode, protection is provided all the way from the source to the destination. For iSCSI this would require that the initiator and the target support IPsec.
Tunnel mode provides gateway-to-gateway transmission security. This requires no special support in the iSCSI host driver or target. Data in transmission remains unprotected until it reaches a network gateway. Once at the gateway, it is secured with IPsec until it reaches the destination gateway. At this point, data packets are decrypted and verified. The data is then sent to the receiving host unprotected. Tunnel mode is often employed when data must leave the secure confines of a local LAN or WAN and travel between hosts over a public network such as the Internet.
Performance
Bandwidth
Most Fibre Channel SANs in production today are built on 2 Gbit Fibre Channel. 4 Gbit Fibre Channel devices are now available, and 8 Gbit is planned. Most organizations run a combination of 100 Mbit and 1 Gbit Ethernet networks. 10 Gbit Ethernet is available but is not widely implemented. Where 10 Gbit Ethernet is installed it tends to be used as a Data Center backbone, not for connections to individual hosts and especially not for connections to low cost servers: it is fair to assume that most IP SANs today will run over 100 Mbit and 1 Gbit networks.
Latency
Bandwidth is not everything; I/O latency is very important for some applications. Database log files are very latency sensitive for example. In both Fibre Channel SANs and IP SANs, the locality of targets and initiators and the loading of the network contribute to I/O latency. A factor in the favor of Fibre Channel SANs is that they are dedicated to block I/O, an organization's Ethernet network will not be. Deploying a latency sensitive and/or I/O intensive application using iSCSI over an existing network may result in performance problems. Direct connection of the hosts to the iSCSI target or dedicated Ethernet switches or Ethernet segments for the IP SAN is an option in these cases.
IP SAN Checklist
The list of questions below may be useful when considering an IP SAN:
Does my iSCSI target support the initiators I wish to connect to it?
Does my application vendor support the chosen hardware and software combination that makes up my proposed IP SAN?
IP SANs can be deployed over existing infrastructures but I/O intensive applications will generate significant amounts of network traffic. Is there capacity for this in the existing network? Do I need a dedicated switch?
Network latency is an issue for some applications. Is my application vendor happy with my network latencies? Do I need a dedicated switch?
What solutions are available for host to target iSCSI multipathing?
Do I need to consider iSCSI HBAs?
Can I manually manage the relationships between my targets and initiators or do I need an iSNS server?
If I want to build a HA Cluster: is Clustering with iSCSI attached storage supported for my application?
Are there any benchmark results, reference architectures or case studies that I should look at?
References
i. Sun BluePrints Document: Using iSCSI Multipathing in the Solaris™ 10 Operating System http://www.sun.com/blueprints/1205/819-3730.pdf
ii. SAN Fundamentals: How Fibre Channel SANs Are Built, Secured and Managed (on BigAdmin): http://www.sun.com/bigadmin
iii. Internet Storage Name Service (iSNS) - A Technical Overview http://www.diskdrive.com/iSCSI/reading-room/white-papers/Nishan_iSNS_A_Technical_Overview.pdf
iv. Microsoft Announces Availability of Windows Storage Server 2003 R2 With OEM Partners http://www.microsoft.com/presspass/press/2006/apr06/04-04SNWPR.mspx
v. Solaris Ready iSCSI HBAs http://www.sun.com/io_technologies/index.html
For more information, please see the Storage Administration Site on BigAdmin: http://www.sun.com/bigadmin/hubs/storage/