IP Storage Protocols: iSCSI

John L. Hufferd, Brocade


Ahmad Zamer, Intel

SNIA Legal Notice


The material contained in this tutorial is copyrighted by the SNIA.
Member companies and individuals may use this material in presentations and literature under the following conditions:
  Any slide or slides used must be reproduced without modification
  The SNIA must be acknowledged as source of any material used in the body of any document containing material from these presentations.

This presentation is a project of the SNIA Education Committee.
IP Storage Protocols: iSCSI
2008 Storage Networking Industry Association. All Rights Reserved.

Abstract
IP Storage Protocols: iSCSI
This session will explain the various parts of iSCSI
  Network encapsulations of iSCSI PDUs
  Session Relationship to SCSI and TCP/IP Connections
  iSCSI flow from Initiator to Target
  Error Recovery, Discovery and Security
It will also explain Companion Processes
  Boot
  SLP
  iSNS
And the session will describe iSCSI Environments
  From the small office, to the High End Enterprise
This session is appropriate for end users and developers of iSCSI technologies

Terms
iSCSI - Internet SCSI
NAS - Network Attached Storage
  Supports CIFS (Common Internet File System) protocols
  Supports NFS (Network File System) protocols
FAN - File Area Networks
  Utilize IP Networks and NAS protocols
HBA - Host Bus Adapter
TOE - TCP/IP Offload Engine
FC - Fibre Channel
SAN - Storage Area Network
  Supports Block Storage Protocols (FC and iSCSI)
  iSAN - A Storage Area Network made up of iSCSI connections
PDU - Protocol Data Unit

Agenda
Introduction
iSCSI Features
  Error handling, Boot, Discovery
iSCSI usage models
iSCSI Security
Q&A

Small Computer System Interconnect (SCSI)
[Figure: a Desktop / Server Computer with an ATA Disk and a Legacy SCSI Bus attaching SCSI Disks, Tapes, Scanners and Printers. The legacy bus is being replaced by Serial-SCSI for single system storage connections.]
There are 2 main hard drive interface classes available today:
  ATA (used mostly in desktop and laptop systems)
    Includes SATA which is becoming a larger presence in server class systems/arrays
  SCSI (used in server-class systems)
    includes PSCSI, FC & SAS
Note: ATA and SCSI drives with Serial attachments are called SATA and SAS

Systems with SCSI over Networks
[Figure: three hosts, each with an Application and a File System, attached by Fibre Channel or iSCSI to a Storage Area Network (SAN) with Block I/O]
Both Fibre Channel and iSCSI can make up a SAN
Replaces shared bus with switched fabric

iSCSI is:
Internet SCSI: internet Small Computer System Interconnect
iSCSI is a SCSI transport protocol for mapping of block-oriented
storage data over TCP/IP networks
The iSCSI protocol enables universal access to storage devices and
Storage Area Networks (SANs) over standard TCP/IP networks
On Ethernet LANs: Copper & Optical
On ATM WANs
On SONET WANs
Wireless
Etc.

Data Encapsulation Into Network Packets
[Figure: frame layout, outermost first: Ethernet Header | IP | TCP | iSCSI | SCSI Cmds | Optional DATA | CRC]
iSCSI Protocol Data Unit (PDU): Provides ordering and control information. Contains iSCSI control info, with optional SCSI Commands &/or Data
TCP: Provides Reliable data transport and delivery (TCP Windows, ACKs, ordering, etc.) Also demux within node (port numbers)
IP: Provides IP routing capability so that packet can find its way through the network
Ethernet: Provides physical network capability (Cat 5, MAC, etc.)

iSCSI Mapping
[Figure: an iSCSI PDU is made of an iSCSI Control Header (with optional SCSI Command), an Optional Header CRC, Optional Data and an Optional Data CRC. A sequence of PDUs (header with SCSI command, header with data, data, header with only control info) is laid across a run of IP packets.]
iSCSI PDU alignment with packets varies

iSCSI - Layered Model
[Figure: initiator and target protocol stacks side by side.
  Application Layer: Application, I/O Request, Logical Unit
  SCSI Layer: SCSI Class Driver (SCSI Initiator) and SCSI Device (SCSI Target), SCSI Application Protocol, SCSI CDB, SCSI Interface
  iSCSI Protocol Layer: iSCSI Protocol Services on each side, iSCSI session, iSCSI PDU, iSCSI Transport Interface
  TCP/IP: TCP/IP connections, TCP/IP Protocol, TCP segments in IP Datagrams
  Data link + Physical: Ethernet, Ethernet Frame]
Transparently encapsulates SCSI Command Descriptor Blocks (CDBs)

Application to LU Command Flow
[Figure: host side: Application, File System, Disk or Tape Driver (SCSI Class Driver), then either a SCSI HBA Device Driver, an iSCSI Device Driver or an iSCSI Chip/HBA Device Driver, then the HBA. Storage side: HBA, SCSI Layer Target Function (CDB Passthrough), LU#1, LU#2, LU#3.]

Multiple Connections Between Hosts and Storage Controllers
[Figure: two hosts, each with Application, File System and Disk or Tape Driver (SCSI Class Driver), connected through several HBAs to storage controller HBAs. Labels: Wedge Driver, iSCSI Device Driver, one Session, two Sessions.]

iSCSI Integrity
iSCSI adds Cyclic Redundancy Check (CRC)
  CRC-32C - A 32 bit check word algorithm
  End to End Checking
    In addition to TCP/IP Checksums
    In addition to Ethernet Link level CRCs
CRC check word is called a Digest
  iSCSI Digests for iSCSI Headers and Data
  Header Digest is optional to use (MUST implement)
    Ensures correct operation and data placement
  Data Digest is optional to use (MUST implement)
    Ensures data is unmodified throughout network path
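
An added example (not from the SNIA deck) of the digest checks above: it frames a constructed PDU, verifies the header digest before trusting the length field, then the data digest, and shows that a PDU rewritten with a recomputed digest still verifies, which is why the deck leaves tamper protection to cryptographic packet integrity. Assumptions: 48-byte header and digest placement per RFC 3720 with no additional header segments and little-endian digest encoding; `build_pdu`, `verify_pdu`, `flip_bit` and the payloads are constructed for the example.

```python
import struct

BHS_LEN = 48      # fixed Basic Header Segment size (RFC 3720)
DIGEST_LEN = 4    # one CRC-32C check word

def crc32c(data: bytes) -> int:
    """CRC-32C (Castagnoli), bit-reflected polynomial 0x82F63B78."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ (0x82F63B78 if crc & 1 else 0)
    return crc ^ 0xFFFFFFFF

def pad4(n: int) -> int:
    """Data segments are padded to a 4-byte boundary."""
    return n + (-n % 4)

def build_pdu(opcode: int, data: bytes = b"") -> bytes:
    """Constructed PDU: BHS | header digest | padded data | data digest."""
    bhs = bytearray(BHS_LEN)
    bhs[0] = opcode
    bhs[5:8] = len(data).to_bytes(3, "big")        # DataSegmentLength
    pdu = bytes(bhs) + struct.pack("<I", crc32c(bytes(bhs)))
    if data:
        padded = data.ljust(pad4(len(data)), b"\x00")
        pdu += padded + struct.pack("<I", crc32c(padded))  # digest covers padding
    return pdu

def verify_pdu(stream: bytes):
    """Return (status, data, bytes_consumed) for the first PDU in stream."""
    if len(stream) < BHS_LEN + DIGEST_LEN:
        return ("incomplete", b"", 0)
    bhs = stream[:BHS_LEN]
    (header_digest,) = struct.unpack_from("<I", stream, BHS_LEN)
    if header_digest != crc32c(bhs):
        # The length field is untrusted, so the next PDU boundary is unknown.
        return ("header-digest-error", b"", 0)
    dlen = int.from_bytes(bhs[5:8], "big")
    start = BHS_LEN + DIGEST_LEN
    if dlen == 0:
        return ("ok", b"", start)
    end = start + pad4(dlen)
    if len(stream) < end + DIGEST_LEN:
        return ("incomplete", b"", 0)
    (data_digest,) = struct.unpack_from("<I", stream, end)
    if data_digest != crc32c(stream[start:end]):
        return ("data-digest-error", b"", end + DIGEST_LEN)
    return ("ok", stream[start:start + dlen], end + DIGEST_LEN)

def flip_bit(buf: bytes, index: int) -> bytes:  # single-bit transmission error
    out = bytearray(buf)
    out[index] ^= 0x01
    return bytes(out)

# Constructed samples: a SCSI Data-Out PDU (opcode 0x05) with 14 data bytes.
GOOD = build_pdu(0x05, b"block payload!")
NOISY_DATA = flip_bit(GOOD, BHS_LEN + DIGEST_LEN + 3)   # error in the data
NOISY_HEADER = flip_bit(GOOD, 7)                         # error in the length
REWRITTEN = build_pdu(0x05, b"other payload!")           # digest recomputed, no key

if __name__ == "__main__":
    for pdu in (GOOD, NOISY_DATA, NOISY_HEADER, REWRITTEN):
        print(verify_pdu(pdu)[0])
```

A header digest failure returns zero bytes consumed because the receiver can no longer locate the next PDU, which is the "correct operation and data placement" role the slide gives the Header Digest.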

iSCSI Message Types
Called Protocol Data Units (PDUs)

Initiator to Target
  NOP-out
  SCSI Command (Encapsulates a SCSI CDB)
  SCSI Task Mgmt Cmd
  Login Command
  Text Command (Including SendTargets, Used in iSCSI Discovery)
  SCSI data-out (Output Data for Writes)
  Logout Command

Target to Initiator
  NOP-in
  SCSI Response (Can contain status)
  SCSI Task Mgmt Rsp
  Login Response
  Text Response
  SCSI data-in (Input Data from Reads)
  Logout Response
  Ready to transfer (R2T)
  Async Event

iSCSI Error Handling
ErrorRecoveryLevel = 0
  When iSCSI detects errors it will bring down the Session (all TCP connections within the Session) and restart it
  iSCSI will let the SCSI layer retry the operation
ErrorRecoveryLevel = 1
  Detected errors (Header or Data) cause PDUs to be discarded
  iSCSI will retransmit discarded commands
  iSCSI will retransmit discarded data
ErrorRecoveryLevel = 2
  Caused by loss of the TCP/IP connection
  Connection & Allegiance reestablishment
  Uses ErrorRecoveryLevel 1 to recover lost PDUs

Discovery via SendTargets
[Figure: hosts and storage controllers on an iSAN. Callouts: Set Discovery Target Addrs (on the hosts); Set IP Addrs and ACLs (on the storage controllers); each host issues SendTargets and receives the iSCSI Targets list 10.1.40.27:3260, 10.1.40.28:3260; Sessions between Initiators and Targets.]

Discovery via SLP
[Figure: hosts, a DHCP server, an SLP Directory Agent (DA) and storage controllers at 10.1.40.27:3260 and 10.1.40.28:3260, with the callouts below]
Get Addr of SLP DA from DHCP
Get Addrs of Storage Cntrls from SLP DA via Unicast
Multicast to find SLP DA & Get Addr of Storage Cntrls
SA gets DA Addr from DHCP then Advertises its existence to DA
SA Advertises its existence to DA via Multicast
Set Addr of Storage Cntlrs + ACLs, and place Addr of SLP DA into DHCP
Sessions between Initiators and Targets
Note: Service Agent (SA) exists within Target Storage Ctlrs

Discovery via iSNS
[Figure: hosts, a DHCP server, an iSNS Server and storage controllers at 10.1.40.27:3260 and 10.1.40.28:3260, with the callouts below]
Gets location of iSNS from DHCP & Get Addr of Storage Cntrls from iSNS
Str Ctlr gets iSNS Svr Addr from DHCP then sends its profile to iSNS
Set Addr of Storage Cntlrs + ACLs and place Addr of iSNS into DHCP
Sessions between Initiators and Targets

iSCSI Redirection
After attempting to Login at specified location:
  The specified Target may signal a redirection
    Temporary redirection
    Permanent redirection
Redirection used for:
  Corrections between Discovery DB updates
  Admin or automatic Hardware disablement
    for Service
    Because of HW problems
  For load balancing

iSCSI Boot
Static configuration information for Boot
  Admin sets authorized iSCSI Target Node Name and iSCSI Address, Optional LUN
    Default LUN is 0
Dynamic configuration via use of DHCP, SLP, iSNS
  DHCP can be used by Host to get an IP address
  DHCP can hold the iSCSI Boot Service Option (Admin Set)
    May contain all that is needed to reach the Boot device
    May only contain iSCSI Target Node Name, then use SLP/iSNS to resolve to iSCSI address
  SLP, or iSNS can also be used to find the Boot location
The Boot load process
  The Admin. or DHCP, SLP or iSNS can enable the access
  BootP/PXE is also possible as part of a SW two phase process
  HW HBA can act as a normal SCSI HBA for system BIOS use

Now let's look at the various environments where iSCSI is appropriate

Combining of FC and iSCSI
[Figure: an IP Network with iSCSI Tape Library 1, iSCSI Tape Library 2, iSCSI Initiator 1, iSCSI Initiator 2, a Management Platform and an iSNS Server, plus two FC-iSCSI Gateways, each in front of an FC Fabric. Device labels: FC JBOD: WWN = X, iSCSI Name = abc; FC Server: WWN = Y, iSCSI Name = xyz; FC JBOD: WWN = X; FC Server: WWN = Z.]
FC-iSCSI Router registers FC devices WWN and iSCSI Name alias. Both iSCSI and FC identities are stored in the iSNS server
Management Platforms can view and manage both iSCSI and FC devices by interacting with iSNS server
Other FC fabrics can be joined over common IP network. Other gateways can discover open mapping by querying iSNS

Small Office Interconnect
[Figure: an Ethernet Switch connecting a Print Server, NAS, an Office Server and iSCSI storage]

IP Storage Combo -- NAS & iSCSI
[Figure: an Ethernet Switch connecting a Print Server, an Office Server and a combined NAS and iSCSI unit labelled Dual Dialect, Block and File I/O]

Midrange Environment
[Figure: Desktops and Laptops and Servers, fitted with HBAs or iSCSI & TOE Chips, connect over Cat. 5 Ethernet Cables to Ethernet Switches. Behind the switches: NAS, iSCSI storage, a Dual Dialect unit, and an iSCSI to FC Bridge leading over FC to FC Disk Storage.]

High-End Environment
[Figure: a Main Campus with Central Systems and Departmental Systems, four Satellite Locations and an "At-Distance" Backup Center]

Campus Network
[Figure: Departmental Servers and Desktops and Laptops (HBAs, iSCSI & TOE Chips) with iSCSI Storage, connected over Ethernet Links and iSCSI Links to the Central Server Systems. An iSCSI to/from FC Routing Switch joins them to the FC SAN and the Disk and Tape Storage Controllers. Label: Integrated Monitoring and management of Campus Systems.]

Satellite and Central System/Storage
[Figure: Satellite Locations (Satellite Servers, Local iSCSI Storage, FireWall & Switch) connect by VPN through FireWalls to the Central Server Systems, where Ethernet Switches and an Ethernet to FC Router lead to the FC SAN, Local iSCSI Storage and the Disk and Tape Storage Controllers]

"At-Distance" Backup Center
[Figure: Central Server Systems with an FC SAN and Disk and Tape Storage Controllers connect through an FC to IP over Ethernet Router and a FireWall, across an IP WAN carrying iSCSI & FCIP/iFCP (Ethernet IP FCIP/iFCP), to the "At-Distance" Backup Center: FireWall, Enet to FC Switch Router, Central Server Systems (HBA, iSCSI & TOE Chip) and iSCSI Tape]

Web Server Installation
[Figure: Web Server Systems (HBAs, iSCSI & TOE Chips) with Internet Links on one side and Ethernet Links to an Ethernet Switch on the other. The switch reaches a Dual Dialect NAS/iSCSI unit, an iSCSI SAN with iSCSI and iSCSI SATA storage, and iSCSI to/from FC Routing Switches leading to the FC SAN and the Disk and Tape FC Storage Controllers.]

Peaceful Co-existence
iSAN & NAS
Note: File Area Network (FAN) utilizes IP Networks and NAS protocols
[Figure: a NAS iSCSI-Gateway, which supports both iSCSI and NAS (a Dual Dialect combination), alongside iSCSI RAID Ctlrs]

Security Properties
Connection Authentication: Who are you? Prove it!
  Mutual Authentication: Initiator to Target AND vice-versa
Packet Integrity: Has this data been tampered with?
  Cryptographic Packet by Packet authentication & integrity check, not just checksum or CRC
  Anti-Replay to prevent regeneration attack
Privacy: Encryption of the Data
Authorization: What are you allowed to do?
  iSCSI: Who can connect to which Target
  LUN masking & mapping handled by SCSI, not iSCSI
iSCSI Security Features: Must be implemented but are Optional to use
  Subject to negotiation

iSCSI Security Considerations
Connection Authentication is the iSCSI way to determine trustworthiness via
  CHAP -- Challenge Handshake Authentication Protocol with strong secrets is required
    Can't use passwords
    Stronger than basic CHAP when specification is followed
  SRP -- Secure Remote Password
  Kerberos -- A Third Party Authentication protocol
  SPKM-1, SPKM-2 -- Simple Public Key Mechanism
Connection Security may be used with or without IPsec's Packet Security:
  Packet Authentication
    Origin assurance
    Anti-Replay protection
  Privacy
    Encryption

Conclusions
iSCSI is the Network Storage Alternative
  The performance on 1Gb Ethernet networks is Good Enough for many applications
  Host systems can use the cost effective software iSCSI Initiators
  Host system can use the low overhead of HW iSCSI HBA for Initiators
  With link aggregation and Ethernet networks moving to 10Gb, most storage networking needs can be handled by iSCSI
  iSCSI is not just a Low-End protocol but will also apply to the High End environments.

iSCSI References

Both Books
Published by Addison-Wesley
Available in Book Stores
and Amazon.com

Volume purchases available

The detail specification can be found at

http://www.ietf.org/rfc/rfc3720.txt?number=3720

Q&A / Feedback
Please send any questions or comments on this
presentation to SNIA: tracknetworking@snia.org
Many thanks to the following Group and
individuals
for their contributions to this tutorial.
SNIA Education Committee
Members of the SNIA IP Storage Forum
David Black
David Dale
John Hufferd
Peter Hunt
Howard Goldstein
Gary Orenstein
Ahmad Zamer

Appendix

CHAP Authentication Protocol
Based on shared secret, random challenge
Uses a secure (one-way) hash, usually MD5
  One-way hash: Computationally infeasible to invert
[Figure: Host and Storage each hold the Secret. The Challenge is hashed with the Secret on both sides, and the Response is compared (=?) with the locally computed Hash. Callout: Can be outsourced to RADIUS server.]
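
An added example (not from the SNIA deck) of the challenge/response check on this slide and of the strong-secret requirement on the iSCSI Security Considerations slide, using the RFC 1994 MD5 form: response = MD5(identifier || secret || challenge). `ChapTarget`, the 12-byte minimum secret length, the initiator name and the secrets are assumptions constructed for the example.

```python
import hashlib
import hmac
import os

MIN_SECRET_LEN = 12  # assumption for this example: at least 96 bits of secret

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: hash of identifier || secret || challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class ChapTarget:
    """Storage side of the slide: issues challenges, checks responses."""

    def __init__(self, secrets: dict):
        for name, secret in secrets.items():
            if len(secret) < MIN_SECRET_LEN:
                raise ValueError(f"secret for {name} is too short")
        self.secrets = secrets
        self.pending = {}        # initiator name -> (identifier, challenge)
        self.next_id = 0

    def challenge(self, name: str):
        """Fresh random challenge per attempt; the identifier also changes."""
        ident, self.next_id = self.next_id, (self.next_id + 1) % 256
        chal = os.urandom(16)
        self.pending[name] = (ident, chal)
        return ident, chal

    def verify(self, name: str, response: bytes) -> bool:
        """Each challenge is single use; comparison is constant time."""
        ident, chal = self.pending.pop(name, (None, None))
        secret = self.secrets.get(name)
        if chal is None or secret is None:
            return False
        return hmac.compare_digest(chap_response(ident, secret, chal), response)

def run_demo():
    name = "iqn.2008-01.example:host1"      # constructed initiator name
    secret = os.urandom(16)                 # constructed 128-bit random secret
    target = ChapTarget({name: secret})

    ident, chal = target.challenge(name)
    captured = chap_response(ident, secret, chal)   # what the host sends
    accepted = target.verify(name, captured)

    target.challenge(name)                  # new login attempt, new challenge
    replay_rejected = not target.verify(name, captured)

    ident, chal = target.challenge(name)
    guess = chap_response(ident, b"not-the-secret!!", chal)
    wrong_secret_rejected = not target.verify(name, guess)

    try:
        ChapTarget({name: b"password"})     # 8 bytes: password-like secret
        weak_secret_refused = False
    except ValueError:
        weak_secret_refused = True
    return accepted, replay_rejected, wrong_secret_rejected, weak_secret_refused

if __name__ == "__main__":
    print(run_demo())
```

The secret never crosses the wire, but the challenge and response do, so a short or guessable secret can be tested offline by anyone who records one exchange; that is the reason for refusing password-like secrets at configuration time.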

iSCSI with IPsec
Initiator Opens Socket connection to Target
IKE (Internet Key Exchange) is performed to authenticate & obtain encryption key for IPsec
  Pre-shared Key (or Certificate)
  Create encryption key (on both sides)
Target Port is engaged
Message is sent on Open Socket
  IPsec protected TCP/IP connection
Message is delivered to Target's Listening Port

NAS v. iSCSI
(on the Storage Controller)

Spreading v. Centralizing the File System Overhead
Block I/O (including iSCSI) spreads the File System overhead across all the Clients
Block I/O (including iSCSI) Storage Controllers just store the I/O blocks where the Client File System requests (perhaps with Virtualizing LUN Mapping)
NAS Clients move the File System overhead to the NAS server
NAS Servers centralize the File System functions (and overhead) for all their clients into the NAS Server
  Plus the NAS Server still must map the resultant Blocks onto the Storage (perhaps with Virtualizing LUN Mapping)
The non TCP/IP Server side overhead can be 12-16 times higher in NAS Servers than Block I/O (iSCSI) Storage Controllers
Therefore use NAS for File Sharing and iSCSI for other IP Storage Requirements
