EFFICIENT ASYMMETRIC SECURE iSCSI

by Murthy S. Andukuri

A thesis submitted to the Graduate faculty of the University of Colorado at Colorado Springs in partial fulfillment of the requirements for the degree of Master of Science, Department of Computer Science, 2006

Copyright by Murthy S. Andukuri, 2006. All Rights Reserved.

This thesis for the Master of Science in Computer Science degree by Murthy S. Andukuri has been approved for the Department of Computer Science by
C. Edward Chow, Chair
Marijke Augusteijn
Jugal Kalita
Date

Murthy, Andukuri S. (M.S., Computer Science)
Efficient Asymmetric Secure iSCSI
Thesis directed by: Professor C. Edward Chow

Abstract

iSCSI is an application level protocol that enables storage of data on a disk attached to a networked remote host.
IPsec, when used in conjunction with iSCSI, secures this data while in transit. IPsec provides security by encrypting the data at the sender and decrypting it at the receiver. This means that the data is exposed and vulnerable at the receiver. There are currently two choices to secure the data at rest on the remote disk, both involving the use of third party encryption software to either (1) re-encrypt the data at the remote end or (2) encrypt the data before transmitting it to the remote end. The second option, while better than the first, still requires additional encryption software on the remote site, impacts overall performance, and introduces additional security risk. The current thesis proposes a new asymmetric IPsec scheme to enhance the security of data at the remote end, while simultaneously avoiding the cost of additional software and improving the overall performance. The idea is to apply IPsec encryption/decryption in a segmented manner on the iSCSI traffic, such that the user data remains encrypted after leaving the sender and is decrypted only when it is retrieved by the sender. A dual key cryptographic scheme is proposed where a private key is used to encrypt the iSCSI payload at the sender and traditional IPsec is modified to encrypt/decrypt only the TCP/iSCSI headers. A development testbed was built using User-Mode Linux virtual machines for developing/debugging the asymmetric IPsec software and running it as the sender and receiver to verify the functionality and security features of the proposed design. A benchmark testbed was built with two real PCs on which the asymmetric IPsec modules can be dynamically loaded. The performance results show that the existing implementation of the proposed asymmetric IPsec scheme reduces the IPsec processing time by about 25%.
Acknowledgements

I would like to express my sincere appreciation to Dr. Edward Chow for his patience during the unusually long time I took to come up with the idea for this thesis, and to implement the scheme as described in the thesis.
CONTENTS

Chapter 1. Introduction
  1.1 Motivation for enhancing remote storage security
Chapter 2. IPsec
  2.1 The SAD and SPD databases
  2.2 How the SAD and SPD are used for outbound traffic
  2.3 How the SAD and SPD are used for inbound traffic
  2.4 IPsec deployment options
    2.4.1 Basic options of IPsec deployment
      2.4.1.1 IPsec AH in transport mode
      2.4.1.2 IPsec ESP in transport mode
      2.4.1.3 IPsec AH in tunnel mode
      2.4.1.4 IPsec ESP in tunnel mode
  2.5 IPsec Implementations
  2.6 IPsec operation modes
    2.6.1 'Daemon' mode of IPsec operation
    2.6.2 Manual mode of IPsec operation
Chapter 3. SCSI based Storage Options
  3.1 SCSI based Internet storage architectures
    3.1.1 FCIP: Fibre Channel over IP
    3.1.2 iFCP
    3.1.3 iSCSI
    3.1.4 iSCSI Command progression between Initiator and target
      3.1.4.1 iSCSI Protocol layers
    3.1.5 Motivation for the project
    3.1.6 Stages in iSCSI initiator-target interactions
      3.1.6.1 Naming/Addressing
        3.1.6.1.1 Formats of iSCSI name
      3.1.6.2 Session establishment and management
    3.1.7 Phases of iSCSI session of interest in the current thesis
    3.1.8 Full Feature Phase
  3.2 iSCSI 'Write's
  3.3 iSCSI 'Read's
  3.4 Other PDU exchange relevant to the thesis
Chapter 4. Details of the proposed enhancement
  4.1 When the initiator is sending iSCSI data to the target
  4.2 When the initiator is trying to read the iSCSI data from the target
  4.3 The native IPsec operation on iSCSI
  4.4 How the native-IPsec issues are managed in the implementation
    4.4.1 Identify iSCSI data
    4.4.2 Encrypt the headers separately
      4.4.2.1 iSCSI packets which do not carry any user data
      4.4.2.2 iSCSI packets carrying user data
    4.4.3 Updating TCP checksums
      4.4.3.1 The sending side in the initiator
      4.4.3.2 The receiving side of the initiator
      4.4.3.3 Scope of the implemented solution
      4.4.3.4 Ethereal packet pattern for write to target
      4.4.3.5 Ethereal packet pattern for read from target
Chapter 5. Performance data and analysis
  5.1 Role of User Mode Linux
  5.2 Performance Analysis
    5.2.1 Computational details of the available scheme
  5.3 Performance data of the proposed scheme on a UML testbed
  5.4 Analysis of results from UML testbed
  5.5 Performance data of the proposed scheme on the lab testbed
  5.6 Analysis of results from the lab testbed
Chapter 6. Lessons Learnt
Chapter 7. Future Directions
Chapter 8. Conclusions
  8.1 Advantages of the current approach
  8.2 Limitations of the current approach
Chapter 9. Bibliography
Chapter 10. Appendix A: User Guide of AIPsec
  10.1 Setting up IPsec
    10.1.1 Build the setkey utility
    10.1.2 Package dependencies for setkey
    10.1.3 Commands to build setkey
    10.1.4 Generating a key
    10.1.5 Generating SAD and SPD entries using the setkey utility on target
    10.1.6 Displaying SAD entries on the target
    10.1.7 Displaying SPD entries on the target
    10.1.8 Generating SAD and SPD entries using the setkey utility on initiator
    10.1.9 Displaying the SAD entries on the initiator
      10.1.9.1 Displaying SPD entries on the initiator
  10.2 Appendix B: Running the iSCSI target program
    10.2.1 Installing target on a host machine
    10.2.2 Installing target on a UML
    10.2.3 Running the target
  10.3 Appendix C: Running iSCSI Initiator program
    10.3.1 Installing the initiator in the host machine
    10.3.2 Installing the initiator in a virtual machine
    10.3.3 Running the iSCSI initiator
      10.3.3.1 Sample iSCSI Initiator config file
      10.3.3.2 Sequence of commands to run iSCSI Initiator
  10.4 Appendix D: Compiling UMLs, setting up bridge and debugging kernel modules with UML
    10.4.1 Building and installing UML modules
    10.4.2 Debugging UML modules
      10.4.2.1 Perl script to set up ground for debugging modules in gdb
      10.4.2.2 Using GDB to debug modules
  10.5 Appendix E: Compiling sg_dd and setting it up
Chapter 11. Appendix F: A typical run through the testbed
  11.1 Step 1: Create the 'disk' on the target
  11.2 Step 2: Start the iSCSI target software
  11.3 Step 3: Start the iSCSI Initiator daemon
  11.4 Step 4: Log in to the target
  11.5 Step 5: Verifying that data is scrambled on the target
  11.6 Step 6: Read data from the Initiator
  11.7 Step 7: Verifying the correctness of the data

TABLES

Table 1. A Sample SAD
Table 2. A Sample SPD
Table 3. Basic Header Segment (BHS) of an iSCSI PDU Header
Table 4. Initiator PDUs
Table 5. Target PDUs
Table 6. Keywords in various PDUs
Table 7. Phases in an iSCSI connection
Table 8. PDU exchange during an initiator 'write'
Table 9. PDU exchange during an initiator 'read'
Table 10. Number of 16-byte blocks encrypted during round-trip of 1 TCP segment
Table 11. Performance of the UML testbed when transferring a 1K file
Table 12. Performance of the UML testbed when transferring a 10K file
Table 13. Performance of the UML testbed when transferring a 100K file
Table 14. Performance of the UML testbed when transferring a 1M file
Table 15. Performance of the UML testbed when transferring a 10M file
Table 16. Performance of the UML testbed when transferring a 100M file
Table 17. Performance of the lab testbed when transferring a 1K file
Table 18. Performance of the lab testbed when transferring a 10K file
Table 19. Performance of the lab testbed when transferring a 100K file
Table 20. Performance of the lab testbed when transferring a 1M file
Table 21. Performance of the lab testbed when transferring a 10M file
Table 22. Performance of the lab testbed when transferring a 100M file

FIGURES

Figure 1. Option 1: IPsec in transit. No security for data at rest
Figure 2. Option 2: Re-encryption/decryption at target site
Figure 3. Option 3: Encrypt data at client site. No IPsec
Figure 4. Option 4: Encrypt at client site. Transmit using IPsec
Figure 5. Option 5: The proposed scheme
Figure 6. IPsec AH Header
Figure 7. IPsec ESP header and trailer (without authentication)
Figure 8. IPsec AH transport mode
Figure 9. IPsec ESP in Transport mode
Figure 10. IPsec in AH Tunnel mode
Figure 11. IPsec ESP in Tunnel mode
Figure 12. Basic SCSI architecture
Figure 13. Command flow in an iSCSI setup
Figure 14. Details of the iSCSI layered model
Figure 15. Structure of a 10-byte CDB
Figure 16. Contents of a 10-byte CDB when writing 1K to target
Figure 17. Contents of a 10-byte CDB when reading 1K from target
Figure 18. PDU exchange during an iSCSI login
Figure 19. Packet modification under proposed scheme
Figure 20. Packet sequence between initiator and target during a 'write'
Figure 21. Packet sequence between initiator and target during a 'read'
Figure 22. A schematic of the UML testbed used in the current thesis
Figure 23. Performance on UML testbed under currently available alternative
Figure 24. Performance on UML testbed under the proposed scheme
Figure 25. Performance of the different schemes of iSCSI communication (on UML testbed)
Figure 26. Performance on the lab testbed without IPsec
Figure 27. Performance on the lab testbed under currently available alternative
Figure 28. Performance on the lab testbed under the proposed scheme
Figure 29. Performance gain under proposed scheme for file sizes 1K-100K
Figure 30. Performance gain under proposed scheme for file sizes 1M-100M
Figure 31. Performance of the different schemes of iSCSI communication (on Lab testbed)

Chapter 1
Introduction

The goals of the current thesis are as follows.
1. To propose a dual-key asymmetric cryptographic enhancement of IPsec that reduces IPsec processing time and enhances data security during remote storage using iSCSI.
2. To demonstrate how virtual machines running UML can be used to develop, modify and run kernel and networking software on virtual testbeds for networking projects.
1.1 Motivation for enhancing remote storage security

Remote backup of data for security has become a subject of rapidly growing interest in recent times [1][2]. The importance of backups and remote storage for security in today's networked world can hardly be overstated. Of the various options available, iSCSI seemed the most worthy of study because its design makes full use of the universally proven strengths of existing protocols like TCP, IP and IPsec, thereby reducing the cost, effort and time of learning, setup and deployment. The various mechanisms that can be used are FCIP, iFCP and iSCSI [3][4]. Among these, iSCSI has been getting a lot of attention of late because it can be run on commonly available, relatively inexpensive IP networking infrastructure that is already in place.

iSCSI is an application layer protocol that uses the available IP network to make a remote storage disk accessible as a simulated local SCSI disk. This locally accessible remote disk can be written to, or read from, like any local disk. An iSCSI setup has two parts. The iSCSI initiator is the 'client' program located on the source machine that writes to and reads from the remote machine. The iSCSI target is the software on the destination machine that stores the data and returns it on demand. iSCSI restricts itself to handling the user-level data and leaves the actual details of transmission to the TCP and IP layers. By default, the data is transmitted in plain text between the initiator and the target. This vulnerability can be remedied by using IPsec to secure the data in transit. Figure 1 shows such a scenario.
Figure 1. Option 1: IPsec in transit. No security for data at rest.

IPsec is designed to provide interoperable, high quality, cryptographically-based security for IPv4 and IPv6. The set of security services offered includes access control, connectionless integrity, data origin authentication, protection against replays (a form of partial sequence integrity), confidentiality (encryption), and limited traffic flow confidentiality. These services are provided at the IP layer, offering protection for IP and/or upper layer protocols [5]. IPsec encrypts the data leaving the network layer on the sender and, at the receiving end, decrypts the data before it leaves the network layer. This secures the data in transit but does not help secure the data AFTER it has reached its destination. This makes the data very vulnerable to theft when the target site suffers a break-in [6]. This vulnerability can be alleviated by re-encrypting the received data using third party software, and decrypting it again later so that the IPsec layer can encrypt it in preparation for transmission back to the sender. Figure 2 shows such a scenario.
Figure 2. Option 2: Re-encryption/decryption at target site.

This situation presents the following issues:
- The data is in an unsecured form on a remote disk just after being received, and just before being transmitted.
- This scheme involves three encryptions and three decryptions, which increase the computational and operational costs.
- The third party software involves extra cost.

Another solution [4] is to use application layer software to encrypt the data on the sender, store it in the encrypted state on the receiver and decrypt it only on retrieval. This scheme also involves three encryptions and three decryptions. However, this is better than Option 2 described above, because the data is never in an unencrypted state outside of the Initiator. This presents two choices, both of which have issues of their own.
Scenario 1: Use application layer software to encrypt the user data, and transmit it without IPsec. Figure 3 shows this scenario.

Figure 3. Option 3: Encrypt data at client site. No IPsec.

This leaves the iSCSI, TCP and IP headers exposed during transit. While the data is encrypted, the headers remain vulnerable.
Scenario 2: Use application layer software to encrypt the user data and decrypt it after retrieval. Transmit using IPsec. Figure 4 shows such a scenario.

Figure 4. Option 4: Encrypt at client site. Transmit using IPsec.

This secures the TCP and iSCSI headers (and optionally the IP header as well). However, this also involves:
- re-encryption of the already encrypted payload on the sending side,
- decryption of the same on the receiving side to undo the above encryption,
- re-encryption of the encrypted payload on the receiving side for retrieval by the sender, and
- decryption of the same on the sender (after retrieval) to undo the above, second encryption.

As such, it is obvious that this scheme only partially addresses the shortcomings of the previous approach.
The proposed efficient asymmetric IPsec scheme addresses the above concerns as follows. It is proposed that the process of encrypting/decrypting the transmitted data be divided into two parts:
- The encryption of the TCP and iSCSI headers is performed per the normal IPsec procedures, using the keys generated and managed by Internet Key Exchange (IKE) between the source and destination.
- The core IPsec encryption functionality, i.e., the algorithm implementation excluding the IKE, is still used to encrypt the user data. However, the key for this encryption is generated on the source machine independently of the IKE mechanism. This key will NOT be shared with the destination.

At the destination only the TCP and iSCSI headers are decrypted per the normal IPsec process, to extract the iSCSI details and to write the user data, which continues to be in encrypted form, to the remote disk. During retrieval by the sender, the user data is returned in the same encrypted form, accompanied by headers that are now appropriately encrypted by IPsec on the target. Upon arrival, the headers are decrypted per the normal IPsec scheme, i.e., using the keys mutually agreed upon through the IKE mechanism. The user data is then decrypted using the core IPsec decryption functionality but with the customized, locally generated key that was used originally to encrypt the data. Figure 5 shows the proposed scheme.

Figure 5. Option 5: The proposed scheme.
Chapter 2
IPsec

IPsec [5][6] is the name given to a collection of protocols that together form the mandatory security component of the next generation IPv6 protocol. It is an optional part of IPv4. IPsec offers protection to the data by encrypting and/or authenticating it at the sender before transmitting. There are three protocols in IPsec:
- Internet Key Exchange (IKE) governs how a handshake is established between the sender and receiver, and how keys are exchanged and renewed. It has an IANA (Internet Assigned Numbers Authority) port number of 500.
- ESP (Encapsulating Security Payload) governs how data can be encrypted at the sender and decrypted at the receiver. It has an IANA protocol number of 50.
- AH (Authentication Header) governs how the data can be authenticated at the sender and verified at the receiver. The IANA protocol number for this protocol is 51.

There is a vast amount of literature available explaining, analyzing and evaluating the IPsec protocols and their implementation. A summary is given below to help understand the role and relevance of IPsec in the current thesis. The figures are reproduced from [7] because they do an excellent job of illustrating the concepts.
IPsec secures data traffic between two hosts by encrypting and/or authenticating the data. In either case, the two hosts agree on details like the crypto algorithms, the keys, the lifetimes of the keys, etc. during an IKE phase that takes place before the actual encryption/authentication. The two hosts in question can be either gateways, behind each of which there are other hosts as in any subnet, or the actual points of termination for the traffic. In the former case, when hosts in one subnet try to communicate with hosts in the other, the traffic can be protected by encrypting/authenticating it only over the span of the network between the gateways (not end-to-end). In this case, the entire packet is embedded in new IP headers, thereby creating an IP tunnel. In the latter case, IPsec is said to operate in 'transport' mode. In either case, during the actual data transfer, encryption and authentication headers and/or trailers are inserted into the data packets. The placement of the headers/trailers depends on the actual mode of IPsec protection. These headers carry information that helps the receiver look into its own IPsec-related databases (to be discussed below) for the information needed to decrypt/re-authenticate the data.
2.1 The SAD and SPD databases

Imagine data communication between hosts 'A' and 'B' using IPsec. The set of all parameters, like the protocol to use (AH or ESP), keys, crypto algorithms, key lifetimes, etc., that either of the hosts needs to process the payload is called a 'Security Association' (SA). An SA is unidirectional; therefore each host has an outbound SA and an inbound SA. An outbound SA on host A mirrors the corresponding inbound SA on host B, and vice versa. The set of all security associations is called a Security Association Database (SAD). A typical SAD looks like Table 1 [8].
Table 1: A Sample SAD

SPI  Src IP       Dest IP      Src Port  Dest Port  Parameters (AH/ESP, mode, SA lifetime, keys, etc.)  Type      Pointer to SPD entry
580  192.168.2.1  192.168.1.1  Any       Any        ...                                                   Inbound   4
974  192.168.1.1  192.168.2.1  Any       80         ...                                                   Outbound  7

The decision to select a particular SA is based on the entry in another database called the Security Policy Database (SPD). This looks similar to the SAD but restricts itself to higher-level 'policy', in that it helps decide what to do with data that is leaving a host or coming in, e.g., discard it, pass it on, or apply IPsec. That is, the SPD enforces the protection policy, whereas the SAD supplies the necessary parameters to make it possible. A typical SPD looks as in Table 2 [8].

Table 2: A Sample SPD

Rule #  Src IP        Dest IP      Src Port  Dest Port  Action  IPSec Protocol  Mode    Outbound SA Index
1       192.168.1.1   192.168.2.1  Any       23         IPSec   ESP             Tunnel  400
2       192.168.1.23  192.168.2.5  Any       443        IPSec   AH              Tunnel  1

2.2 How the SAD and SPD are used for outbound traffic

For outbound traffic, the SPD is used first to decide what to do with a packet. The information contained in the IP and TCP/UDP headers, corresponding to the columns in the SPD, is used to identify the outbound SA index. The details contained in the SAD entry identified by that SA index are then used to process the data appropriately. The SPI from the SAD, along with other metadata appropriate for the header, is populated within the outgoing ESP/AH header to give the receiver the information needed to take the appropriate action, e.g., decryption or re-authentication.
2.3 How the SAD and SPD are used for inbound traffic

The processing on the inbound side is the converse of the outbound case above. The SPI, the destination IP, and the security protocol information contained in the incoming packet header (AH or ESP) are used to identify the entry in the SAD. Only after an SA is found and the identity of the sender established does IPsec proceed to the SPD to decide what to do with the packet.
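To make the two lookup orders concrete, here is a small added model (not the thesis's code) of how the SPD and SAD are consulted for outbound and inbound packets. The rules, addresses and SPIs in it are constructed sample values, not the entries of Table 1 and Table 2.

```python
"""Added example (not the thesis's code): the order in which IPsec consults the
SPD and SAD for outbound and inbound packets, as described above.
The rules, addresses and SPIs below are constructed sample values."""
from dataclasses import dataclass
from typing import Optional

ANY = "Any"


@dataclass(frozen=True)
class SpdRule:
    rule_no: int
    src_ip: str
    dst_ip: str
    src_port: object            # port number or ANY
    dst_port: object
    action: str                 # "discard", "bypass" or "ipsec"
    protocol: str               # "ESP" or "AH" when action is "ipsec"
    mode: str                   # "transport" or "tunnel"
    sa_index: Optional[int]     # outbound SA index into the SAD


@dataclass(frozen=True)
class SadEntry:
    spi: int
    src_ip: str
    dst_ip: str
    protocol: str
    mode: str
    direction: str              # "inbound" or "outbound"
    spd_rule: int               # pointer back to the SPD entry


# Constructed sample: host A (192.168.1.1) protecting iSCSI traffic to host B
# (192.168.2.1), letting SSH through untouched and discarding everything else.
SPD = [
    SpdRule(1, "192.168.1.1", "192.168.2.1", ANY, 3260, "ipsec", "ESP", "transport", 1),
    SpdRule(2, "192.168.1.1", "192.168.2.1", ANY, 22, "bypass", "", "", None),
    SpdRule(3, ANY, ANY, ANY, ANY, "discard", "", "", None),
]
SAD = {  # keyed by SA index; one outbound SA and its mirrored inbound SA
    1: SadEntry(0x1000, "192.168.1.1", "192.168.2.1", "ESP", "transport", "outbound", 1),
    2: SadEntry(0x2000, "192.168.2.1", "192.168.1.1", "ESP", "transport", "inbound", 1),
}


def _match(field, value):
    return field == ANY or field == value


def outbound(src_ip, dst_ip, src_port, dst_port):
    """Outbound: the SPD decides the policy first; only an 'ipsec' verdict
    leads to the SAD, whose SPI is then placed in the outgoing ESP/AH header.
    Returns (action, header) where header is None unless action is 'ipsec'."""
    for rule in SPD:                      # first matching rule wins
        if (_match(rule.src_ip, src_ip) and _match(rule.dst_ip, dst_ip)
                and _match(rule.src_port, src_port) and _match(rule.dst_port, dst_port)):
            if rule.action != "ipsec":
                return rule.action, None
            sa = SAD[rule.sa_index]
            return "ipsec", {"protocol": sa.protocol, "spi": sa.spi, "mode": sa.mode}
    return "discard", None                # no policy at all: drop


def inbound(spi, dst_ip, protocol):
    """Inbound: the converse order. (SPI, destination IP, protocol) from the
    received AH/ESP header selects the SA; only then is the SPD entry the SA
    points to consulted. Returns (sa, rule), or (None, None) when no SA
    matches, in which case the packet cannot be verified and is dropped."""
    for sa in SAD.values():
        if (sa.direction == "inbound" and sa.spi == spi
                and sa.dst_ip == dst_ip and sa.protocol == protocol):
            rule = next(r for r in SPD if r.rule_no == sa.spd_rule)
            return sa, rule
    return None, None
```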
Figure 6 shows the contents of an authentication header. Figure 7 shows the contents of an ESP header/trailer. The relative placement of these headers/trailers depends on the actual configuration (mode and IPsec protocol).

Figure 6. IPsec AH Header.

Figure 7. IPsec ESP header and trailer (without authentication).

2.4 IPsec deployment options

Figures 8-11 show the four configurations for deploying IPsec between a sender and a receiver. 'AH' as the only form of protection is not effective because the data is in plain text. ESP offers encryption of the data and hence more security. What makes ESP even more attractive is that ESP comes with its own ESP-authentication. The authentication provided by ESP-authentication is only slightly less effective than the authentication provided by AH. The protection of ESP-authentication encompasses the ESP header, TCP header, payload and the ESP trailer. AH coverage includes the IP header as well. The same algorithms are used for authentication in both ESP-authentication and AH. Given this, there is a debate in the security community as to whether AH needs to be offered as an option at all [9]. AH may be deprecated in the future.
2.4.1 Basic options of IPsec deployment

In the following sections, the cases of AH in transport and tunnel mode are included for illustration and completeness. The current thesis is all about making user data as secure as possible by keeping it in an encrypted state as much as possible. As such, the AH mode is not directly relevant to this thesis.
2.4.1.1 IPsec AH in transport mode

Figure 8. IPsec AH transport mode.

Note that AH does not cover the fields of the IP header that are mutable during transit. Of specific interest in the above figure are the fields 'proto' and 'next' (both highlighted by circling). The 'proto=AH' in the IP header indicates that an AH header follows. 'next=TCP' in the AH header indicates that the TCP header follows.
2.4.1.2 IPsec ESP in transport mode

Of specific interest in Figure 9 is the fact that the 'next' field is a part of the ESP trailer, and not the ESP header. This is meant to provide extra security, because the ESP trailer is also encrypted. Also of interest is the part of the packet marked as 'Authenticated Data'. This shows the part covered by ESP authentication.

Figure 9. IPsec ESP in Transport mode.

The transport mode is meant for providing host-to-host security to the data. iSCSI's initiator-target setup requires host-to-host security, and hence ESP with authentication in transport mode was chosen for the current thesis.
2.4.1.3 IPsec AH in tunnel mode

Figure 10 shows a packet protected by AH in tunnel mode. Note that the 'next' field in the AH header indicates that the header following is an IP header. This refers to the original IP header.

Figure 10. IPsec in AH Tunnel mode.

2.4.1.4 IPsec ESP in tunnel mode

Figure 11 shows a packet protected by ESP in tunnel mode. The portion highlighted as 'Encrypted Data' demonstrates that the original packet is encrypted in its entirety.

Figure 11. IPsec ESP in Tunnel mode.
2.5 IPsec Implementations

There are several implementations of IPsec on major operating systems. Notable among them is the KAME project [10], which is the source of the IPsec implementation on NetBSD and FreeBSD. KAME also had an implementation for Linux, even though it did not make it into the 2.6 stack. Linux has three major implementations: an implementation that is native to the Linux 2.6 stack, and two others, 'Openswan' [11] and 'strongSwan' [12], that are derived from 'FreeS/WAN' [13], which was discontinued in 2004. 'strongSwan' and 'Openswan' are not a part of the native IPsec stack. The current project uses the native IPsec stack for the following reasons:
- The native stack, by definition, is available everywhere.
- The very idea of this project is to minimize the need for third-party software.
2.6 IPsec operation modes

2.6.1 'Daemon' mode of IPsec operation

The 'racoon' utility provided by IPsec-tools [14] can be used to dynamically process key exchange and enforce lifetime restrictions. The IPsec-tools package is a port of KAME's IPsec tools for Linux 2.6. It supports NetBSD and FreeBSD as well.

2.6.2 Manual mode of IPsec operation

The IPsec-tools package provides the 'setkey' utility to manually set up security associations. When IPsec is set up in manual mode between the sender and receiver, there is no automatic regeneration of keys. Since the focus of the current thesis is a proof-of-concept, it was felt that the manual mode should suffice. The current project uses the setkey utility. The instructions to build the utility, the details of the SAD and SPD, and the configuration files used are all available in Appendix B.
Chapter 3
SCSI based Storage Options

SCSI (Small Computer Serial Interface) is a device independent I/O sub-system interface that began to be developed during the early 1980s. The driving force behind its development was the need to eliminate physical addressing of data blocks in terms of cylinder, head and sector (CHS), and to develop a way of addressing the blocks logically. This frees the host from having to know the exact physical organization of a drive [15]. A brief summary of the SCSI architecture is given below to highlight the attributes that are relevant to understanding the overall picture of the current project. In its simplest form, the SCSI configuration can be shown as in Figure 12 [15].

Figure 12. Basic SCSI architecture.

The peripheral device is connected to the computer through the device controller, the SCSI bus and the Host Bus Adapter (HBA). The device controller is usually integrated into the peripheral device. The HBA is either a separate plug-in board or integrated into the motherboard. A computer can have more than one HBA, each with one or more buses. Each bus can be connected to one or more devices. Each device has at least one 'Logical Unit' or 'LUN'. A LUN is a logical construct that includes a LUN identifier, the physical device that carries out the tasks, and the task set. It is the basic unit addressed for an I/O request in the SCSI architecture. Sophisticated tape and optical devices have more than one LUN, because they support multiple media. A disk normally constitutes a LUN, but a RAID array can be configured as one too.

Functionally, SCSI follows a client-server model in its architecture. The client ('initiator') makes an I/O request. This request, as mentioned earlier, is addressed to a LUN of a target. This triggers a task on the service delivery mechanism, which is the SCSI bus. The server ('target') carries out the task and sends the results back via the delivery mechanism. A Host Bus Adapter is an example of an initiator. A disk drive is an example of a target. The width of a SCSI bus (and hence the limit on the number of peripherals that can attach to it) has gone up from 8 bits for the SCSI-1 standard to 32 bits in SCSI-3. The commands are packaged in a 'Command Descriptor Block' (CDB). The length of the CDB can be between 6 and 16 bytes [16].
3.1 SCSI based Internet storage architectures

The client-server architecture of SCSI, combined with the availability of networking technology, inspired the development of network storage protocols. The fact that the initiator and the target are entirely independent entities, communicating only through the bus, means that they can even exist across a network. As long as the commands and responses can be packaged correctly, the network can be the service delivery mechanism. Prominent among these network storage protocols are the following.

3.1.1 FCIP: Fibre Channel over IP

This is an IP-based tunneling protocol for connecting geographically distributed Fibre Channel Storage Area Networks (SANs) transparently to both FC and IP. This preserves Fibre Channel infrastructure and investments. It fully supports the entire existing FC infrastructure but extends it over long distances. It should be noted that this is just an arrangement to create an IP tunnel between Fibre Channel SANs. There is no direct communication between FC devices on both sides of the tunnel. FCIP devices are at the edge of the SANs. The role of IP begins at the FCIP device on one end of the tunnel and ends at the FCIP device on the other end of the tunnel. The Fibre Channel packet is encapsulated in an IP packet. This encapsulation creates a virtual Fibre Channel link that connects Fibre Channel elements and fabrics. Only the FCIP gateways need to be aware of the encapsulation. Also, IP is unaware of the FC payload and the FC fabric is unaware of the IP encapsulation.
3.1.2 iFCP

This protocol achieves better results by merging more of the Fibre Channel and IP worlds. While using FC storage devices, this protocol allows direct communication between various FC devices like Fibre Channel storage arrays, HBAs, routers, switches and hubs. This is achieved by the use of iFCP gateways. Each Fibre Channel device's 24-bit address is mapped to a unique IP address, providing native IP addressing for individual Fibre Channel initiators and targets. The transport used for reliable transmission between the devices is TCP, instead of the Fibre Channel lower layer transport. Communication between devices across an IP network occurs over a regular TCP connection and not over a tunnel.
3.1.3 iSCSI

This is a TCP/IP-based protocol for establishing and managing connections between IP-based storage devices, hosts and clients. This protocol is the only one among the three that does not 'require' special hardware for its operation. The inventors of the protocol sought to use as much of the existing networking and storage infrastructure as possible. As a result, the responsibility of guaranteed delivery was entrusted to TCP. The responsibility of finding the destination was delegated to IP routers. While some security has been built in, the burden of data security was left to IPsec. One of the few responsibilities left to the iSCSI layer was to make sure all the packets have been received in the correct order. This is necessary because there can be more than one TCP connection between a given iSCSI initiator and target pair. TCP guarantees that packets within one connection arrive in the correct order. However, iSCSI needs to make sure that packets across connections are in the correct order.

Both the functionality of the initiator and that of the target can be handled by software implementations. SCSI commands and data are packaged in iSCSI 'Protocol Data Units' (PDUs), which are in turn encapsulated inside TCP/IP headers [17]. iSCSI can be deployed using software initiators and targets, and the hosts on which they reside can be networked using 'normal' NICs and the other IP networking infrastructure. Any storage device on the target can be presented as a SCSI disk to the initiator, thus making it compatible with the SCSI architecture and commands. These features make iSCSI the least expensive and most easily deployable protocol. The availability of gigabit cards and TCP Offload Engines (TOEs) gives data I/O speeds comparable to the other mechanisms and lends credibility to iSCSI as a viable contender to the other remote storage mechanisms [18][19][20].

3.1.4 iSCSI Command progression between Initiator and target

The command flow from an iSCSI initiator to an iSCSI target, in its most basic form, looks as in Figure 13.
Figure 13. Command flow in an iSCSI setup.

The iSCSI device driver is the beginning of the iSCSI layer. In systems without a dedicated iSCSI HBA, the device driver creates the PDU and invokes TCP/IP. In systems with an HBA, the iSCSI layer extends into the HBA. The iSCSI functions on the HBA create the PDUs. These offloaded functions in turn interface with the TCP/IP offload engine, which is also on the HBA.
3.1.4.1 iSCSI Protocol layers

The protocol layers underlying the above process can be represented as in Figure 14.

Figure 14. Details of the iSCSI layered model.

The flow of commands and data through the above layers can be summarized as follows [22]. To send data to a storage device, the application of choice invokes a 'write' API on the initiator. For reasons to be explained later, the current thesis uses the 'sg_dd' utility on the initiator. A typical sg_dd command used in the current thesis looks like:

sg_dd if=test_file_100MB.txt of=/dev/scsi/host0/bus0/target0/lun0/disc bs=1024 bpt=1 odir=1 count=102400 skip=0 seek=0

where:
- if = input file name.
- of = output file name. In the above example, the device name is being given, indicating that the file needs to be copied onto the device.
- bs = block size.
- bpt = blocks per transfer.
- count = number of blocks, of the block size given by the 'bs' option, to transfer.
- odir = the O_DIRECT flag, indicating that the device needs to be opened for writing with O_DIRECT=1. This is the preferred way of opening devices in Linux 2.6. It makes the internal buffers used by sg_dd align to a memory page boundary. This memory alignment is required by both raw devices and block devices that implement O_DIRECT. An interesting fact to note here is that, during trials without the odir=1 option, sg_dd transferred the correct number of bytes, but the checksum as computed by 'cksum' was inconsistent with that of the input file.
- skip = in the input file, start reading from an offset given by the number of blocks set in this option.
- seek = in the output file, start writing from an offset given by the number of blocks set in this option.
The API delivers the 'write' request to the SCSI layer (the SCSI class driver). Depending on the application, this is sometimes done through the file system. 'sg_dd' bypasses the file system. The 'cp' command, had it been used to do the 'write's, would deliver through the file system. The SCSI class driver builds a Command Descriptor Block (CDB) for the request and passes it into a device driver in the iSCSI protocol layer. The length of a SCSI CDB started at 6 bytes for SCSI-1 and has grown to 16 bytes in SCSI-3. In the current project, the CDB used by the SCSI sub-system was 10 bytes long. Figure 15 shows the structure of a 10-byte CDB [21]. Figures 16 and 17 show 'Ethereal' screenshots of the contents of the CDB during the transfer of 1 block of data to and from the iSCSI target. Note that the CDB is enclosed only in PDUs of opcode=1 (Command PDU).
Figure 15. Structure of a 10-byte CDB.

Figure 16. Contents of a 10-byte CDB when writing 1K to target.

Figure 17. Contents of a 10-byte CDB when reading 1K from target.

The iSCSI protocol layer places the CDB and other parameters, like the LUN identifier, in an iSCSI PDU and invokes TCP/IP. TCP breaks up the PDU into multiple segments according to the segment size and places a TCP header on each of them. The IP layer in turn places an IP header. The IP packet will optionally pass through the IPsec layer, where the TCP payload and other headers/trailers are encrypted and authenticated appropriately. The IP packets are delivered to the Ethernet data link layer, which frames the packets in Ethernet headers and trailers. At the target the Ethernet frames are stripped off and the remainder is passed to the upper layers. If employed, IPsec will re-authenticate the data and compare the result with the checksum earlier populated in the Authentication header. If found OK, the packets are decrypted based on the SPI and other details provided in the ESP headers. The IPsec headers and trailers are removed and the 'protocol' field in the IP header is reset. The TCP and IP layers each check and strip off their respective headers and pass the iSCSI PDU to the iSCSI layer. The iSCSI layer extracts the CDB from the PDU and sends it, along with other applicable parameters and the data, to the SCSI layer. The SCSI device will send the SCSI 'write' request and the data to the appropriate LU, based on the CDB and other information it just received.
3.1.5 Motivation for the project

The following are the reasons for pursuing the current thesis.
- The importance of backups and remote storage for security in today's networked world can hardly be overstated. Of the various options available, iSCSI seemed the most worthy of study because its design makes full use of the universally proven strengths of existing protocols like TCP, IP and IPsec, thereby reducing the cost, effort and time of learning, setup and deployment.
- There appears to be a glaring gap in today's iSCSI security configuration employed in remote storage. The encryption mechanism available in IPsec, while proven, available and fully acceptable, is being used to protect the data only in part of its journey, namely in transit. Additional costs are being incurred to protect the same data at rest.
- There are excellent open source programs to perform the functions of initiator and target. Any disk, real or virtual, can be made to masquerade as a SCSI disk. This makes the setup of a testbed very easy.
Stages in iSCSI initiator-target interactions

Naming/Addressing

The address of an LU is the combination of its IP address/DNS name and an iSCSI name. The iSCSI name is that of the Logical Unit that is the actual target.

Formats of iSCSI name

There are two common formats of naming an iSCSI LU.

Eui (Enterprise unique identifier): This format is known as format EUI-64. This is the same scheme as used to identify FC elements uniquely worldwide. A typical eui looks like eui.acde482334567abcd. Basically, it has 'eui' followed by 16 hex digits (64 bits). The 64 bits are unique across the world. The first 24 bits (i.e. acde48) is the unique company ID given to a manufacturer by the IANA registration authority. The latter 40 bits are created by the manufacturer and are unique within a company.

Iqn (iSCSI qualified name): This is meant to be more user friendly and yet unique world-wide. This follows the format iqn.yyyy-mm.dns_name_of_the_manufacturer_in_reverse:unique_name_within_company. A typical example looks like iqn.1998-03.com.yc.ajax:wonder:jump.

The default iSCSI target port number is 3260. This is relied on heavily in the implementation of the current proposal.
Session establishment and management

The logical link or pipe that carries the commands and data between TCP/IP endpoints is called an iSCSI session. A session consists of at least one TCP/IP connection from the initiator to the target. To enable enough bandwidth between the two, iSCSI supports the concept of 'Multiple Connections per Session' or 'MC/S'. The initiator and target establish and maintain a session between them through the exchange of a series of commands carried by PDUs.

An iSCSI PDU has a basic part of length 48 bytes, known as a Basic Header Segment (BHS). A PDU can also optionally have an Additional Header Segment (AHS) of variable length. But, given the options possible within the BHS, there is hardly a need for AHS. A BHS looks as in Table 3.

Bytes    | Contents (byte 0 | byte 1 | byte 2 | byte 3, bits 0 to 7 of each)
0 to 3   | . | I | Opcode
4 to 7   | Total AHS length
8 to 15  | Logical Unit Number (LUN) or opcode-specific fields
16 to 19 | Initiator Task Tag (ITT) or opcode-specific fields
20 to 31 | Opcode-specific fields
32 to 47 | Command Descriptor Block (CDB) or opcode-specific fields

Table 3: Basic Header Segment (BHS) of an iSCSI PDU header

The opcode in the BHS stands for 'operation code' and conveys a specific action taking place. Depending on the type of action permissible, PDUs originate either from the target or the initiator. Hence the opcodes can be categorized into initiator opcodes or target opcodes.

Opcode                   | Numerical value of opcode | Function
Login request PDU        | 0x03 (3)                  |
Logout request PDU       | 0x06 (6)                  |
NOP-Out                  | 0x0 (0)                   |
SCSI Command request     | 0x1 (1)                   | Encapsulates a SCSI CDB
SCSI Data out            | 0x05 (5)                  | Output data for writes
Task management function | 0x02 (2)                  |
Text Request             | 0x04 (4)                  | Including SendTargets used in iSCSI discovery

Table 4: Initiator PDUs

Opcode                            | Numerical value of opcode | Function
Asynchronous message              | 0x32 (50)                 |
Login Response                    | 0x23 (35)                 |
Logout response                   | 0x26 (38)                 |
NOP-in                            | 0x20 (32)                 |
Ready to transfer                 | 0x31 (49)                 |
Reject                            | 0x3f (63)                 |
SCSI Command response             | 0x21 (33)                 | Can contain status
SCSI Data in                      | 0x25 (37)                 | Input data from reads
SNACK request                     | 0xA (10)                  |
Task management function response | 0x22 (34)                 |
Text response                     | 0x24 (36)                 |

Table 5: Target PDUs

The keywords that will be encountered in the execution of the scheme being proposed in the current thesis are as follows. For a comprehensive list of keywords, their meanings and significance please refer to [16].
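As an added example (not code from the thesis), the following C decodes the 48-byte BHS of Table 3 with the opcodes of Tables 4 and 5, flags the Data-out PDUs that carry write payload, and applies the port-3260 test by which the IPsec code has to tell the two traffic directions apart. The TTT and DataSN/R2TSN offsets are taken from RFC 3720 (Table 3 only marks those bytes opcode-specific); the sample Data-out PDU is constructed here.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define ISCSI_BHS_LEN     48
#define ISCSI_TARGET_PORT 3260

/* Opcodes from Tables 4 and 5 that the scheme has to recognise. */
enum {
    ISCSI_OP_SCSI_CMD      = 0x01,
    ISCSI_OP_LOGIN_REQ     = 0x03,
    ISCSI_OP_SCSI_DATA_OUT = 0x05,
    ISCSI_OP_SCSI_RSP      = 0x21,
    ISCSI_OP_SCSI_DATA_IN  = 0x25,
    ISCSI_OP_R2T           = 0x31
};

/* Decoded view of the 48-byte Basic Header Segment of Table 3. */
struct iscsi_bhs {
    uint8_t  opcode;         /* byte 0, low 6 bits */
    int      immediate;      /* byte 0, 'I' bit */
    int      final;          /* byte 1, 'F' bit */
    uint8_t  total_ahs_len;  /* byte 4 */
    uint32_t data_seg_len;   /* bytes 5..7, the DataSegmentLength field */
    uint64_t lun;            /* bytes 8..15 */
    uint32_t itt;            /* bytes 16..19 */
    uint32_t ttt;            /* bytes 20..23 (Data-out, Data-in, R2T) */
    uint32_t sn;             /* bytes 36..39: DataSN, or R2TSN for an R2T */
    const uint8_t *cdb;      /* bytes 32..47 of a SCSI Command PDU, else NULL */
};

static uint32_t get_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | p[3];
}

static void put_be32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Parse a BHS. The ttt/sn offsets follow RFC 3720; Table 3 only marks those
 * bytes "opcode-specific". Returns 0 on success, -1 if the buffer is short. */
int iscsi_parse_bhs(const uint8_t *buf, size_t len, struct iscsi_bhs *out)
{
    if (!buf || !out || len < ISCSI_BHS_LEN) return -1;
    memset(out, 0, sizeof *out);
    out->opcode = buf[0] & 0x3f;
    out->immediate = (buf[0] & 0x40) != 0;
    out->final = (buf[1] & 0x80) != 0;
    out->total_ahs_len = buf[4];
    out->data_seg_len = ((uint32_t)buf[5] << 16) | ((uint32_t)buf[6] << 8) | buf[7];
    for (int i = 0; i < 8; i++) out->lun = (out->lun << 8) | buf[8 + i];
    out->itt = get_be32(buf + 16);
    switch (out->opcode) {
    case ISCSI_OP_SCSI_DATA_OUT:
    case ISCSI_OP_SCSI_DATA_IN:
    case ISCSI_OP_R2T:
        out->ttt = get_be32(buf + 20);
        out->sn = get_be32(buf + 36);
        break;
    case ISCSI_OP_SCSI_CMD:
        out->cdb = buf + 32;
        break;
    default:
        break;
    }
    return 0;
}

/* Only Data-out PDUs carry user payload from the initiator to the target
 * (Chapter 4 notes that reads return the payload in a separate TCP packet). */
int iscsi_pdu_has_write_payload(const struct iscsi_bhs *b)
{
    return b->opcode == ISCSI_OP_SCSI_DATA_OUT && b->data_seg_len > 0;
}

/* Direction of a TCP segment as the IPsec code has to decide it, by port:
 * 1 = initiator to target, -1 = target to initiator, 0 = not iSCSI. */
int tcp_segment_direction(uint16_t src_port, uint16_t dst_port)
{
    if (dst_port == ISCSI_TARGET_PORT) return 1;
    if (src_port == ISCSI_TARGET_PORT) return -1;
    return 0;
}

/* Build a constructed SCSI Data-out BHS (sample input for the parser). */
void build_data_out_bhs(uint8_t bhs[ISCSI_BHS_LEN], uint32_t itt, uint32_t ttt,
                        uint32_t data_sn, uint32_t dlen, int final)
{
    memset(bhs, 0, ISCSI_BHS_LEN);
    bhs[0] = ISCSI_OP_SCSI_DATA_OUT;
    bhs[1] = final ? 0x80 : 0x00;
    bhs[5] = (uint8_t)(dlen >> 16); bhs[6] = (uint8_t)(dlen >> 8); bhs[7] = (uint8_t)dlen;
    put_be32(bhs + 16, itt);
    put_be32(bhs + 20, ttt);
    put_be32(bhs + 36, data_sn);
}
```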
Keyword | Meaning | PDU in which the keyword is found
CSG     | Current Stage. Denotes which of the three login stages the login is at | Login
NSG     | Next Stage in the negotiation phase | Login
CID     | Connection ID. The ID of each of the (possibly many) connections in a session |
ITT     | Initiator Task Tag. The ID for the task requested by the Initiator. This field is in all Command PDUs so that the target's response can identify which task it is responding to |

Table 6: Keywords in various PDUs

Phases of iSCSI session of interest in the current thesis

The focus of the current thesis is the special handling of user data during storage and retrieval. So, the discussion below is limited to iSCSI activity during (1) session management (Login and Logout), (2) writes and (3) reads.

There are 3 phases in the establishment of a session, each indicated by an integer. They are described in Table 7.

Phase | Name
0     | Security Negotiations phase (SNP)
1     | Login Operational negotiations phase (LONP)
2     | Not used
3     | Full-feature phase (FFP)

Table 7: Phases in an iSCSI connection

To establish a login connection, the initiator sends one or more 'Login PDU's to the target, and the target responds with one 'Login Response PDU' for each Login PDU it receives. A typical exchange of PDUs looks as in Figure 18.

Figure 18. PDU exchange during an iSCSI login

The CSG=SNP refers to the security negotiations phase. The NSG=FFP in the figure refers to the initiator's desire that the next stage be the Full feature phase. The 'T' is the 'Transit bit' that indicates the sender's readiness to switch to the next phase.
Full Feature Phase

During this phase the actual data transfer activity, establishment of additional connections, and logout take place. Error handling and recovery also take place during this phase.

iSCSI 'Write's

When data is written to the target, it can be sent in 3 ways:

(1) As a part of the Command PDU, as 'Immediate data'. In this case, the header that accompanies the data is not a 'Data-out' PDU.
(2) As a part of the Data-out PDUs, as unsolicited data.
(3) In separate Data-out PDUs, sent in response to an 'R2T' (ready to transmit) PDU from the target, as solicited data.

The keywords used in Table 8 have the following meanings.

R2TSN: The sequence number of the R2T PDU. Its value starts at 0 and is incremented by 1 each time an R2T PDU is sent for a specific command. This is a 4-byte field in the PDU header. The maximum value is 2^32 - 1.

TTT: The target transfer tag is an ID that the target assigns to each R2T request it sends to the Initiator. This number, along with the LUN, is copied by the Initiator back into the outgoing data PDU it sends out in response. This information is used in turn by the target to identify the data it receives.

ITT: The Initiator Task Tag is the ID given by the Initiator to each task. This value is returned by the target as a part of Data-In PDUs, so that the Initiator can identify the command that had originally requested the data that just came in the PDU.

F: The Final Bit is set to 1 in the last Data-in PDU of a sequence in a 'read'. For Data-out PDUs, this is set to 1 in the last Data-out PDU in response to an R2T.

DataSN: For Data-out PDUs this is the sequence number of the PDUs being sent out in response to an R2T. It is a 4-byte field. It starts at 0 and has a maximum value of 2^32. For Data-in PDUs this is the sequence number of the PDU being sent for the command identified by the ITT.

ExpDataSN: This field in a SCSI command response PDU indicates the number of PDUs that the target has sent in response to the command (to which it is now responding).

Initiator Function      | PDU Type                                                  | Target Functionality
Command request (read)  | SCSI Command (read) (to target)                           | Receive command and queue it; process old commands
                        | R2T, R2TSN=0, TTT=x (to initiator)                        | Ready for data
                        | R2T, R2TSN=1, TTT=y (to initiator)                        | Ready for more data
Send data for R2TSN 0   | SCSI Data-out PDU, DataSN=0, TTT=x, F=0 (to target)       | Receive part of the data for R2T 0
Send data for R2TSN 0   | SCSI Data-out PDU, DataSN=1, TTT=x, F=1 (to target)       | Receive rest of the data for R2T 0
Send data for R2TSN 1   | SCSI Data-out PDU, DataSN=0, TTT=y, F=1 (to target)       | Receive the data for R2T 0
                        | SCSI response (to initiator)                              | Finish processing write command and send status (and sense if needed)

Table 8: PDU exchange during an initiator 'write'

iSCSI 'Read's

When data is read from the target, the data is returned in Data-In PDUs. The data is always sent on the same connection that the request was made on. The exchange of PDUs for a read operation looks as in Table 9.

Initiator Function      | PDU Type                                        | Target Functionality
Command request (read)  | SCSI Command (read) (to target)                 | Prepare data transfer
Receive Data            | SCSI Data-in PDU, DataSN=0, F=0                 | Send Data
Receive Data            | SCSI Data-in PDU, DataSN=1, F=0                 | Send Data
Receive Data            | SCSI Data-in PDU, DataSN=2, F=1                 | Send Data
                        | SCSI Response PDU (ExpDataSN=3) (to initiator)  | Send Status and Sense

Table 9: PDU exchange during an initiator 'read'

Other PDU exchange relevant to the thesis

The other exchange of data includes R2T PDUs, which are sent from the target to request that the initiator transmit write data, and Command-Status response PDUs, which are generated at the target and sent to the initiator.
Chapter 4 Details of the proposed enhancement

The essentials of the scheme, proposed in chapter 1, are as follows.

When the initiator is sending iSCSI data to the target:

(1) In the 'sending side' code of the IPsec layer on the initiator, identify and isolate the user data in the network traffic going to the target.
(2) Encrypt the rest of the traffic (i.e. all traffic other than the user data) using the standard IPsec mechanism, using keys generated and managed by IKE.
(3) Use a custom key, generated independently of the IKE mechanism, to encrypt the user data. Do not share this key with the target. Save this key for future use to decrypt the same user payload when it is returned.
(4) At the target, decrypt the headers using the standard IPsec procedure, but do not attempt to decrypt the user payload. Pass it in the encrypted form to the upper layers so that the SCSI layer can write it as is (in the encrypted form) to disk.

When the initiator is trying to read the iSCSI data from the target:

(1) On the target, encrypt the headers using the standard IPsec mechanism. Do not attempt to encrypt the user payload.
(2) On the initiator, decrypt the headers using the keys generated and managed by IKE. Use the second, custom key originally used to encrypt the user data to decrypt the data.

In order to come up with an implementation of this scheme, the pattern of the flow of packets between the initiator and the target WITHOUT IPsec was studied to understand the exact sequence of packets, both when writing to the target and when reading from the target. The results for the flow when the initiator is writing to the target are shown in Figure 17, a screenshot of Ethereal. The pattern when the initiator is reading the same data from the target is shown in Figure 18.

The study threw a surprise. When the initiator is writing, the user payload is carried as a part of Data-out PDUs. When the initiator is reading, the user payload is carried in a plain-vanilla TCP packet. A packet with a Data-in PDU precedes this packet. Even more surprisingly, the DataSegmentLength field of the Data-In PDU reflects the length of the user payload, even though the payload is actually carried by a separate packet. The author could not find an answer for this behavior nor a way to change it so that a Data-in PDU contains the user payload. Hence the solution implemented was designed accordingly.

The proposed scheme entails changes to the IPsec-specific code in the Linux 2.6 network stack. To understand how the actual code-modification scheme was arrived at, it helps to recap how data would be handled by the IPsec code in its native form.
The native IPsec operation on iSCSI

The IPsec scheme used in the current thesis is called 'transport' mode. This means an ESP header is inserted between the IP header and the TCP header. The 'protocol' field in the IP header is changed by the IPsec layer to '50' to indicate the presence of an ESP header following the IP header. Prior to the 'encryption' part of the IPsec code, this 'protocol' field of the IP header was populated with '6', which is 'TCP'. This information is saved in the IPsec layer before the 'protocol' field is overwritten with '50'. The saved value will be entered later in the last byte of the padding that is going to be added at the end of the payload.

The iSCSI header together with the user data forms the payload for the TCP layer. The TCP header plus the iSCSI payload in turn forms the payload for the IPsec protocol. This IPsec payload is padded so that the total length (TCP header + IPsec payload + padding) is an exact multiple of the block size of the encryption algorithm being used. Care is taken to make sure that the padding is at least 2 bytes long. The last byte of the padding is set to the protocol ID saved earlier. The last-but-one byte is set to the total number of padding bytes (hence the need to make sure the padding is at least 2 bytes long). The TCP header, iSCSI header, iSCSI payload and the ESP trailer are together encrypted as one unit. The padding forms the ESP trailer. An ESP authentication trailer is inserted after the ESP trailer. This trailer contains the cryptographic checksum of IP header + ESP header + TCP header + iSCSI header + iSCSI data + ESP trailer. The authentication trailer is NOT encrypted.

On the receiving end, the cryptographic checksum is recomputed on the same components as mentioned earlier. This is compared to the value stored in the ESP authentication trailer. The packet is rejected if they do not match. If they are found to be matching, the code proceeds to decrypt the TCP header + iSCSI header + iSCSI data + ESP trailer. After decryption, the ESP header placed between the IP header and the TCP header is removed. The '50' in the 'protocol' field of the IP header is replaced by the value in the last byte of the padding. The last-but-one byte of the total payload (which is the length of the padding) gives the number of padding bytes to be stripped.

The following points are noteworthy in the context of the above process. The above-referenced part of the network stack that deals with encryption/decryption and authentication of data is oblivious to the nature of the data and the contents it is processing. IPsec does not look into the contents other than to save the 'protocol' field in the IP header. It treats the user payload and the appropriate headers (depending on whether the mode is 'transport' or 'tunnel') together as a unit to be encrypted or decrypted. These aspects cause problems for the proposed scheme of segmented encryption/decryption. The following section describes how these issues have been managed in implementing the proposed scheme.
How the native-IPsec issues are managed in the implementation

The steps in the procedure that is being proposed in this thesis are as follows.

Identify iSCSI data

This is the first step in the process of treating the iSCSI payload differently from other traffic. iSCSI is an application layer protocol and hence does not have a protocol ID associated with it. The only way for the code at the IP layer to identify iSCSI traffic is by the 'destination port' field in the TCP header in the traffic going to the target and by the 'source port' in the TCP header in the traffic going in the other direction. This requires that the IPsec code parse the contents of each TCP header. The default port for the iSCSI target is 3260. That number is hard-coded into the current enhancements.

Encrypt the headers separately

The proposal is to encrypt the non-data part of iSCSI traffic using IPsec keys generated by the IKE mechanism. Not all iSCSI packets flowing through the IPsec layer carry the user payload. This means there are going to be two kinds of iSCSI packets in which the headers are encrypted using the IKE-generated keys:

(1) iSCSI packets which do not carry any user data. In this case, the packet is routed through the 'native' IPsec processing, where the TCP + iSCSI header is treated as a unit. The padding is computed based on the algorithm's block size and appended at the end of the unit. The unit is encrypted using IKE keys.

(2) iSCSI packets carrying user data. In these packets, the TCP header and the iSCSI header are again treated as a unit. However, there is a difference in how they are processed before encryption. The presence of the payload following the header precludes any padding at the end of the headers. The BHS of the iSCSI header is fixed at 48 bytes and hence there is no room at the end of the iSCSI header. This means any padding needs to go at the end of the TCP header, between the TCP and the iSCSI headers. To make room for the padding, the TCP header is moved so as to create a gap between the TCP header and the iSCSI header. The gap is the same size as the number of bytes of intended padding. Figure 19 demonstrates the procedure.

Figure 19. Packet modification under proposed scheme

As mentioned earlier, the presence of an iSCSI header in the same packet as the user payload occurs when the data is going from the initiator to the target. In the case when the data is going from the target to the initiator, there is no iSCSI data, but the concern still remains the same: the TCP header plus iSCSI header needs to be long enough to be an exact multiple of the encryption block size. The same idea as earlier is implemented here as well: padding is added at the end of the TCP header after pushing it ahead by the same number of bytes. In both cases, the 'data offset' field in the TCP header is updated to reflect the new length.
Updating TCP checksums

The proposed scheme requires re-computation of the TCP checksum immediately after the custom-key encryption of the payload when the data is going from the initiator to the target, and immediately after the custom-key decryption of the payload when the data is received by the initiator from the target. The following is the explanation of the re-computation of the checksum.

The sending side in the initiator: By the time the packet gets to the IPsec layer, the checksum has already been computed in the TCP layer and populated in the 'check' field of the TCP header. This checksum covered the TCP header and the payload in the un-encrypted form (at the TCP layer, the user payload going to the target is still un-encrypted). In the IPsec layer under the proposed scheme, two changes occur: (1) the TCP header has possibly changed in length; (2) the payload is separately encrypted, NOT to be decrypted on the receiving side. This means that when the payload reaches the TCP layer on the target, it is still in an encrypted form. The TCP checksum computed on this encrypted payload will be at variance with the earlier-mentioned TCP checksum computed in the TCP layer of the initiator. This will lead to rejection of the packet. To avoid this situation, on the initiator, the TCP checksum is recomputed immediately after the user payload is encrypted but before the TCP header + iSCSI header combination is encrypted. The TCP header is updated with the new checksum. When this packet reaches the TCP layer on the target, the TCP header plus iSCSI header will have been decrypted by the IPsec layer on the target. The payload is still in the encrypted form. Now, if the TCP layer recomputes the checksum, it will match the value contained in the TCP header (if the transmission was good).

The receiving side of the initiator: The converse of this process takes place when the initiator requests the data from the target. In the TCP layer of the target, the checksum computed will cover the TCP header + iSCSI header combination and the payload in encrypted form. But this payload gets decrypted in the IPsec layer of the initiator, after the packet is received. Now, if the TCP layer on the initiator recomputes the checksum, the value will be at variance with the value that was originally computed by the target. This will lead to rejection of the packet. To avoid this situation, the checksum is recomputed in the IPsec layer of the initiator, as soon as the payload is decrypted. The TCP header is updated with the new value. Now, when the TCP layer on the initiator recomputes the checksum, the value will match the number contained in the TCP header.

There is a weakness in the described scenario. In the TCP layer on the initiator, the recomputed checksum is compared NOT with the value originally computed on the target, but with the value computed on the same host (initiator) in the IPsec layer. Even if the two numbers, the checksum in the TCP header and the recomputed value, match, it does not really prove that the transmission between the two hosts was without error. This uncertainty is remedied if ESP authentication is used along with encryption. The ESP authentication does indeed compare the checksum values computed on two different hosts and hence validates the traffic flow.

In the native form, the IPsec code treats TCP header + iSCSI header + iSCSI data as a single unit and computes the padding required based on the formula

total length to be encrypted = (tcp header length + iscsi header length + iscsi data length + 2 + blksize - 1) & ~(blksize - 1)

(where blksize is the block length for the encryption). The '+2' takes care of the 2 bytes needed at the end of the padding: one for the length of the padding and the other for the 'protocol' field.
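An added example (not the thesis's kernel code) that works the arithmetic of this section on a constructed segment: the native padding formula above, the header gap of the proposed scheme, and the initiator's sending-side rewrite with the TCP checksum recomputed after the payload is transformed, so that the target's TCP layer accepts a segment whose payload it cannot decrypt. The byte-wise XOR stands in for the custom-key cipher; the IPv4 addresses, the source port and the payload bytes are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define ISCSI_BHS_LEN   48
#define ESP_TRAILER_MIN 2    /* pad-length byte + saved 'protocol' byte */
#define TCP_CHECK_OFF   16   /* 'check' field offset in the TCP header */

/* Native ESP transport-mode padding, the formula from the text; blksize is a
 * power of two. Returns the padding length, the two trailer bytes included. */
size_t esp_native_pad_len(size_t tcp_hdr, size_t iscsi_hdr, size_t data, size_t blksize)
{
    size_t unit = tcp_hdr + iscsi_hdr + data;
    return ((unit + ESP_TRAILER_MIN + blksize - 1) & ~(blksize - 1)) - unit;
}

/* Proposed scheme: the payload cannot carry padding, so a gap is opened after
 * the TCP header that makes (TCP header + 48-byte BHS) a block multiple. */
size_t proposed_header_gap(size_t tcp_hdr, size_t iscsi_hdr, size_t blksize)
{
    size_t hdrs = tcp_hdr + iscsi_hdr;
    return ((hdrs + blksize - 1) & ~(blksize - 1)) - hdrs;
}

/* One's-complement accumulation of big-endian 16-bit words, folded to 16 bits. */
static uint32_t sum16(const uint8_t *p, size_t n, uint32_t acc)
{
    for (; n > 1; p += 2, n -= 2) acc += ((uint32_t)p[0] << 8) | p[1];
    if (n) acc += (uint32_t)p[0] << 8;          /* odd trailing byte */
    while (acc >> 16) acc = (acc & 0xffff) + (acc >> 16);
    return acc;
}

/* TCP checksum over the IPv4 pseudo-header and seg[0..len), which holds the
 * TCP header + iSCSI header + payload; the 'check' field counts as zero. */
uint16_t tcp_checksum(uint32_t src, uint32_t dst, const uint8_t *seg, size_t len)
{
    uint8_t ph[12] = { (uint8_t)(src >> 24), (uint8_t)(src >> 16), (uint8_t)(src >> 8), (uint8_t)src,
                       (uint8_t)(dst >> 24), (uint8_t)(dst >> 16), (uint8_t)(dst >> 8), (uint8_t)dst,
                       0, 6, (uint8_t)(len >> 8), (uint8_t)len };   /* zero, TCP, length */
    uint32_t acc = sum16(ph, sizeof ph, 0);
    acc = sum16(seg, TCP_CHECK_OFF, acc);
    acc = sum16(seg + TCP_CHECK_OFF + 2, len - TCP_CHECK_OFF - 2, acc);
    return (uint16_t)~acc;
}

/* 1 when the stored 'check' field matches what the TCP layer would recompute. */
int tcp_checksum_ok(uint32_t src, uint32_t dst, const uint8_t *seg, size_t len)
{
    uint16_t stored = ((uint16_t)seg[TCP_CHECK_OFF] << 8) | seg[TCP_CHECK_OFF + 1];
    return tcp_checksum(src, dst, seg, len) == stored;
}

static void put_check(uint8_t *seg, uint16_t ck)
{
    seg[TCP_CHECK_OFF] = (uint8_t)(ck >> 8); seg[TCP_CHECK_OFF + 1] = (uint8_t)ck;
}

/* Stand-in for the custom-key payload cipher (a byte-wise XOR, reversible by
 * applying it again); the kernel implementation would use a real block cipher. */
void custom_key_transform(uint8_t *payload, size_t len, const uint8_t *key, size_t keylen)
{
    for (size_t i = 0; i < len; i++) payload[i] ^= key[i % keylen];
}

/* Initiator sending side: open the header gap, bump the TCP data offset,
 * encrypt only the payload after the BHS, then recompute the checksum so the
 * target's TCP layer (decrypted headers, still-encrypted payload) accepts it.
 * Returns the new length, or 0 if the buffer or the data offset cannot grow. */
size_t proposed_sender_rewrite(uint8_t *seg, size_t len, size_t cap, uint32_t src,
                               uint32_t dst, const uint8_t *key, size_t keylen, size_t blksize)
{
    size_t tcp_hdr = (size_t)(seg[12] >> 4) * 4;    /* data offset in 4-byte words */
    size_t gap = proposed_header_gap(tcp_hdr, ISCSI_BHS_LEN, blksize);
    if (len + gap > cap || tcp_hdr + gap > 60) return 0;
    memmove(seg + tcp_hdr + gap, seg + tcp_hdr, len - tcp_hdr);
    memset(seg + tcp_hdr, 0, gap);                  /* padding inside the TCP header */
    tcp_hdr += gap; len += gap;
    seg[12] = (uint8_t)(((tcp_hdr / 4) << 4) | (seg[12] & 0x0f));
    custom_key_transform(seg + tcp_hdr + ISCSI_BHS_LEN, len - tcp_hdr - ISCSI_BHS_LEN, key, keylen);
    put_check(seg, tcp_checksum(src, dst, seg, len));
    return len;
}

/* Constructed sample: 20-byte TCP header to port 3260, a Data-out BHS with
 * DataSegmentLength = dlen, dlen payload bytes, and a valid checksum. */
size_t build_sample_segment(uint8_t *seg, size_t cap, uint32_t src, uint32_t dst, size_t dlen)
{
    size_t len = 20 + ISCSI_BHS_LEN + dlen;
    if (len > cap || dlen > 0xffffff) return 0;
    memset(seg, 0, len);
    seg[0] = 0x9c; seg[1] = 0x40;                   /* source port 40000 (constructed) */
    seg[2] = 0x0c; seg[3] = 0xbc;                   /* destination port 3260 */
    seg[12] = 5 << 4;                               /* data offset: 5 words = 20 bytes */
    seg[20] = 0x05; seg[21] = 0x80;                 /* SCSI Data-out, F = 1 */
    seg[25] = (uint8_t)(dlen >> 16); seg[26] = (uint8_t)(dlen >> 8); seg[27] = (uint8_t)dlen;
    for (size_t i = 0; i < dlen; i++) seg[20 + ISCSI_BHS_LEN + i] = (uint8_t)(i * 7 + 3);
    put_check(seg, tcp_checksum(src, dst, seg, len));
    return len;
}
```

With a 32-byte TCP header (as observed on the test bed) and a 1024-byte payload the native formula pads by 16 bytes, while a 20-byte header gets the 12-byte gap the text describes; a payload byte that changes after the TCP layer computed its checksum fails verification until the checksum is recomputed.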
Scope of the implemented solution

The solution implemented currently can deal with full blocks and cannot deal with an arbitrary length that is not an exact multiple of the encryption block size. If the initiator tries to copy a file of arbitrary length to the target, the IPsec layer on the initiator runs into the situation where it needs to pad the payload to be an exact multiple of the block size, as is done in any IPsec encryption. However, the issue here is that under the new scheme, the payload is not decrypted at the target. As a result, the padding remains with the payload when the latter reaches the iSCSI layer. Inside the iSCSI layer on the target, this can lead to problems because the total length of the encrypted payload (not including the padding) is at variance with the DataSegmentLength field in the PDU header. There are two options at this stage for the iSCSI target code.

(1) Extract just the number of bytes equal to the DataSegmentLength field in the PDU header. This means the last block of the encrypted payload will be broken. This payload will get written to the disk by the SCSI layer. Since the last 'chunk' (after all 'full' blocks of block length are taken away) is no longer complete, this will break the decryption scheme when the data is read back to the initiator. Also the remaining bytes in the last block, i.e., the encrypted padding bytes, will remain in the target's input buffer and will be treated as a part of a subsequent buffer.

(2) Instead, the initiator can choose to modify the DataSegmentLength field in the PDU header to reflect the additional padding. However, this will cause problems in the target's iSCSI code because the target expects a shorter payload. The target has its own internal record of what size payload was mutually agreed on during session establishment. This will confuse the target and make it end up rejecting the packet. The target's iSCSI code can be changed to accept the new length, but this breaks the initiator's code when the target sends the new length as data received. This is because the initiator has a record of the agreed-upon packet length too.

Simply adding the padding bytes on the sender side of the initiator is not possible, because the initiator does not deal with character buffers containing the payload. It is passed scatter-gather arrays from the SCSI layer, which it (the iSCSI layer in the initiator) in turn passes 'down' to the TCP layer.

After painstaking attempts to find a solution to this problem, it was realized that the general case of arbitrarily long iSCSI packets needs to be studied as a separate problem. It is expected that changes will be required to the iSCSI initiator as well as the target. Some changes might be required even to the SCSI layer.

Arbitrarily long files need file-system commands such as 'cp' to write to the target and to read from the target. On studying the packet flow pattern (as shown by Ethereal) corresponding to the 'cp' command, it was discovered that the exchange of PDUs is somewhat counter-intuitive. Data-in packets from the target to the initiator were observed. It was felt this deserves a separate, closer study.

For the test bed in the current thesis, it was decided to use files whose length is an integer multiple of the file system block size. A block size of 1024 was used because this block size was the maximum that could also accommodate additional headers and padding in such a way that the total length could still come to be less than the MTU observed in the test bed (1470). In order to have a predictable flow of packets, unsolicited data as well as immediate data was disabled in the configuration file. Figures 20 and 21 show the Ethereal output for the sg_dd 'write' and 'read' commands; the packet pattern is as follows.

Ethereal packet pattern for write to target

Figure 20. Packet sequence between initiator and target during a 'write'

Ethereal packet pattern for read from target

Figure 21. Packet sequence between initiator and target during a 'read'

Because of the peculiarity observed in the Data-in packets, it was felt that the opcode is not always an indicator of payload. The solution is to use the sg_dd utility to write data to the target disk from the initiator. This was done because the focus was on getting a proof-of-concept to work. More effort is needed to identify the exact sequence of packets when using file commands.
Chapter 5 Performance data and analysis

The proposed scheme was first implemented on a development test bed consisting of virtual machines running User Mode Linux and later ported to 'physical' machines set up in the lab. The sections below include the performance data for several runs of iSCSI data transfer between the UML initiator and target, for a variety of file sizes. Data for similar runs on the implementation test bed is included in the following sections. The reasons for developing the solution first on the virtual machines are included below.

Role of User Mode Linux

As mentioned earlier, the proposed scheme for asymmetric efficient IPsec was implemented first on a development test bed using virtual machines [25]. The obvious benefit of using virtual machines is that it eliminates the need for multiple physical machines, processors, hard disks etc., thus greatly reducing the cost of a development test bed. Use of virtual machines also meant that the initial setup was easier because the author just had to start with one copy of the root file system, load the necessary utilities, and then start up multiple virtual machines using the 'Copy-on-write' (COW) scheme. Subsequently, two separate copies of the root file system were made as an extra precaution during backups. Even so, the COW files were still used with each of the file systems to allow room for any 'disastrous' configuration errors. The COW scheme meant there was more room for trial-and-error. There were several occasions during the development process on which the author could restore the file system to a known state simply by deleting a corrupted COW file.

The more direct benefits of UML virtual machines to the actual implementation of the proposed scheme can be summarized as follows.

(1) The ability to debug iSCSI modules as a part of UML meant that the author could trace the path of data packets all the way from the application layer into the IP layer. This helped greatly in understanding how iSCSI works and interacts with the other layers.

(2) As an extension of the above capability, both of the iSCSI hosts, i.e. the Initiator and the Target, could be debugged simultaneously (using two different gdb instances). This meant that the movement of a data packet could be traced all the way from the data layer on one host (Initiator or target) to the data layer of the other host (target or Initiator respectively). This was felt to be the single biggest benefit of using virtual machines during the development process.

(3) The development process involved restarting the hosts innumerable times. The duration it takes to reboot a virtual machine is less than that to restart a real machine and hence this indirectly contributed to speeding up the development process.

Figure 22 shows a schematic of the virtual test bed used in this project.

Figure 22.
A schematic of the UML test bed used in the current thesis

Performance Analysis

The goals of the proposed scheme are:

(1) To eliminate the situations where data exists in non-encrypted form outside of the Initiator.
(2) To achieve the above while minimizing the number of times the data is encrypted/decrypted.
(3) To maximize security by encrypting/authenticating all the headers used during transmission.

The effectiveness of the proposed scheme is compared to the scenario where the data is transmitted using IPsec and encrypted and decrypted at the target site. This scenario has earlier been shown in Figure 2. Since the current implementation has been designed to process only 1024 bytes of data in each TCP segment, the same payload size will be applied for both cases. It should be noted that the scheme shown in Figure 4 is a slightly different option to approximate the proposed scheme. However, the numbers for that scheme will be identical to the ones for the scheme in Figure 2 (detailed below in Table 10).

Computational details of the available scheme

The available alternative involves the following computations, given in terms of 16-byte blocks, the block size for the AES encryption algorithm. Table 10 reports the respective durations taken for encryption and decryption during the round trip of a single TCP segment of 1024 bytes. In the table, the TCP header is shown as consisting of two 16-byte blocks. This has been done for two reasons. In the proposed scheme, the TCP header + iSCSI header unit needs to be an integer multiple of the block size. Given that the iSCSI header is fixed at 48 bytes (which happens to be an integer multiple of 16 bytes), even if the TCP header were to have the smallest possible size of 20 bytes, the TCP header still needs to be padded with 12 bytes so that the sum of TCP header size + iSCSI header size comes to be an integer multiple of the block size. Incidentally, the TCP header on the virtual machines was indeed observed to be 32 bytes long. For the other scheme, even if the TCP header were to be the smallest possible size of 20 bytes, the fact remains that the total of TCP header + iSCSI header + payload needs to be padded to become an integer multiple of 16 bytes. The total number of 16-byte blocks does not change.

From the above numbers, it is obvious that the proposed scheme is expected to take only 36% (74/202) of the other scheme. This gain in efficiency, combined with the fact that the data is never left unencrypted outside of the initiator, makes the proposed scheme attractive.

Portion of the packet | Available alternative: number of 16-byte blocks encrypted or decrypted | Where and how encrypted/decrypted | Proposed scheme: number of 16-byte blocks encrypted or decrypted | Where and how encrypted/decrypted
TCP header   | 2  | Initiator, encrypted as part of IPsec | 2  | Initiator, encrypted as part of IPsec
iSCSI header | 3  | Initiator, encrypted as part of IPsec | 3  | Initiator, encrypted as part of IPsec
Payload      | 64 | Initiator, encrypted as part of IPsec | 64 | Initiator, encrypted as part of IPsec
TCP header   | 2  | Target, decrypted as part of IPsec | 2  | Target, decrypted as part of IPsec
iSCSI header | 3  | Target, decrypted as part of IPsec | 3  | Target, decrypted as part of IPsec
Payload      | 64 | Target, decrypted as part of IPsec | 0  | No decryption at target
Payload      | 64 | Target, encrypted as part of third-party re-encryption | 0 | No encryption
Payload      | 64 | Target, decrypted in preparation for transfer to Initiator | 0 | No decryption
TCP header   | 2  | Target, encrypted as part of IPsec | 2  | Target, encrypted as part of IPsec
iSCSI header | 3  | Target, encrypted as part of IPsec | 3  | Target, encrypted as part of IPsec
Payload      | 64 | Target, encrypted as a part of IPsec during transmission to Initiator | 0 | No encryption
Payload      | 64 | Initiator, decrypted as a part of IPsec | 64 | Initiator, decrypted as a part of IPsec
TCP header   | 2  | Initiator, decrypted as part of IPsec | 2  | Initiator, decrypted as part of IPsec
iSCSI header | 3  | Initiator, decrypted as part of IPsec | 3  | Initiator, decrypted as part of IPsec
Total        | 202 encrypted, 202 decrypted | | 74 encrypted, 74 decrypted |

Table 10. Number of 16-byte blocks encrypted during round-trip of 1 TCP segment

Performance data of the proposed scheme on a UML test bed

Tables 11-16 show the actual data for data transfer of files of various sizes. Where the numbers are given in the form 'a + b = c', 'a' and 'b' are for writing and reading respectively. In some columns of the tables for 1K and 10K, there is a second set of numbers shown highlighted in gray. These numbers are from runs where a new run after some duration of inactivity resulted in slightly higher numbers. Repeated attempts at the same runs produced numbers that are consistent with the other (non-grayed-out) numbers in the same column. Similar variation in numbers has NOT been noticed for file sizes higher than 10K. These numbers are included here only for completeness. These have not been included while plotting the graphs in Figures 17-18.
Time->(sec)SampleRunWriting+Readingwithoutanyencryption(A)Writing+ReadingwithNativeIPsec(B)EncryptionwithOpenSSL(C)DecryptionwithOpenSSL(D)(B+C+D)Writing+ReadingunderProposedscheme10.
03+0.
03=0.
060.
1+0.
06=0.
160.
04+0.
04=.
080.
12+0.
07=0.
190.
1030.
1040.
2860.
3970.
12+0.
06=0.
1820.
04+0.
03=0.
070.
09+0.
07=0.
160.
03+0.
04=0.
070.
12+0.
07=0.
190.
0850.
0880.
2430.
3630.
16+0.
05=0.
2130.
03+0.
03=0.
060.
12+0.
08=0.
200.
05+0.
03=0.
080.
07+0.
08=0.
150.
0890.
0870.
0860.
0860.
3230.
2550.
06+0.
05=0.
1140.
03+0.
06=0.
090.
04+0.
06=0.
10.
0870.
0870.
2740.
1+0.
04=0.
1550.
04+0.
05=0.
090.
04+0.
05=0.
090.
0840.
0910.
2650.
04+0.
05=0.
0960.
05+0.
03=0.
080.
17+0.
086=0.
2560.
0880.
0920.
4360.
06+0.
06=0.
1270.
06+0.
03=0.
090.
17+0.
03=0.
20.
0850.
0870.
3720.
05+0.
05=0.
1Table11.
PerformanceoftheUMLtestbedwhentransferringa1KfileTime-->(sec)SampleRunWriting+Readingwithoutanyencryption(A)Writing+ReadingwithNativeIPsec(B)EncryptionwithOpenSSL(C)DecryptionwithOpenSSL(D)(B+C+D)Writing+ReadingunderProposedscheme10.
08+0.
07=0.
150.
10+0.
11=0.
210.
08+0.
06=0.
140.
14+0.
09=0.
230.
110.
110.
0870.
10.
3370.
440.
08+0.
09=0.
1720.
07+0.
05=0.
120.
13+0.
08=0.
210.
12+0.
09=0.
210.
090.
0910.
3910.
3910.
09+0.
06=0.
1530.
07+0.
05=0.
120.
12+0.
09=0.
210.
06+0.
06=0.
120.
11+0.
12=0.
230.
0860.
0910.
0930.
090.
2990.
4110.
11+0.
06=0.
1740.
08+0.
05=0.
130.
13+0.
08=0.
210.
07+0.
06=0.
130.
14+0.
15=0.
290.
0850.
0880.
3030.
4630.
17+0.
07=0.
2450.
07+0.
07=0.
140.
09+0.
07=0.
160.
0950.
090.
3450.
11+0.
07=0.
1860.
09+0.
07=0.
160.
09+0.
11=0.
20.
0890.
0860.
3750.
12+0.
09=0.
2170.
09+0.
06=0.
150.
09+0.
08=0.
170.
0850.
0910.
3460.
11+0.
08=0.
19Table12.
Performance of the UML testbed when transferring a 10K file

All times are in seconds. In columns (A), (B) and the proposed-scheme column each entry is write time + read time = total round trip; (C) and (D) are the separate OpenSSL encryption and decryption times; (B+C+D) is the currently available alternative (native IPsec plus separate encryption/decryption).

| Sample run | (A) Write + read, no encryption | (B) Write + read, native IPsec | (C) Encryption with OpenSSL | (D) Decryption with OpenSSL | (B+C+D) | Write + read, proposed scheme |
|---|---|---|---|---|---|---|
| 1 | 0.45 + 0.32 = 0.77 | 0.54 + 0.38 = 0.92 | 0.168 | 0.138 | 1.266 | 0.53 + 0.36 = 0.89 |
| 2 | 0.49 + 0.37 = 0.86 | 0.59 + 0.40 = 0.99 | 0.105 | 0.112 | 1.207 | 0.55 + 0.35 = 0.90 |
| 3 | 0.47 + 0.34 = 0.81 | 0.58 + 0.37 = 0.95 | 0.101 | 0.095 | 1.146 | 0.56 + 0.37 = 0.93 |
| 4 | 0.54 + 0.28 = 0.82 | 0.59 + 0.35 = 0.94 | 0.093 | 0.123 | 1.156 | 0.51 + 0.34 = 0.85 |
| 5 | 0.48 + 0.32 = 0.80 | 0.51 + 0.34 = 0.85 | 0.094 | 0.097 | 1.041 | 0.49 + 0.35 = 0.84 |
| 6 | 0.48 + 0.29 = 0.77 | 0.56 + 0.40 = 0.96 | 0.099 | 0.097 | 1.156 | 0.50 + 0.33 = 0.83 |
| 7 | 0.44 + 0.27 = 0.71 | 0.52 + 0.32 = 0.84 | 0.100 | 0.103 | 1.043 | 0.50 + 0.35 = 0.85 |

Table 13. Performance of the UML testbed when transferring a 100K file

| Sample run | (A) Write + read, no encryption | (B) Write + read, native IPsec | (C) Encryption with OpenSSL | (D) Decryption with OpenSSL | (B+C+D) | Write + read, proposed scheme |
|---|---|---|---|---|---|---|
| 1 | 4.51 + 2.44 = 6.95 | 4.57 + 3.09 = 7.66 | 0.305 | 0.210 | 8.175 | 4.92 + 3.76 = 8.68 |
| 2 | 4.95 + 2.65 = 7.60 | 4.84 + 3.62 = 8.46 | 0.194 | 0.185 | 8.839 | 4.68 + 3.11 = 7.79 |
| 3 | 4.02 + 2.70 = 6.72 | 4.55 + 3.09 = 7.64 | 0.183 | 0.190 | 8.013 | 5.00 + 3.18 = 8.18 |
| 4 | 3.87 + 2.44 = 6.31 | 4.71 + 3.13 = 7.84 | 0.182 | 0.184 | 8.206 | 4.60 + 3.03 = 7.63 |
| 5 | 3.90 + 2.54 = 6.44 | 4.53 + 3.03 = 7.56 | 0.265 | 0.640 | 8.465 | 4.62 + 3.01 = 7.63 |
| 6 | 3.89 + 2.47 = 6.36 | 4.55 + 3.12 = 7.67 | 0.189 | 0.193 | 8.052 | 4.63 + 3.04 = 7.67 |
| 7 | 3.99 + 2.39 = 6.38 | 4.62 + 2.87 = 7.49 | 0.181 | 0.189 | 7.860 | 4.61 + 3.00 = 7.61 |

Table 14. Performance of the UML testbed when transferring a 1M file

| Sample run | (A) Write + read, no encryption | (B) Write + read, native IPsec | (C) Encryption with OpenSSL | (D) Decryption with OpenSSL | (B+C+D) | Write + read, proposed scheme |
|---|---|---|---|---|---|---|
| 1 | 38.26 + 23.77 = 62.03 | 47.49 + 32.75 = 80.24 | 0.941 | 1.065 | 82.246 | 50.37 + 33.61 = 83.98 |
| 2 | 40.91 + 25.04 = 65.95 | 46.25 + 33.14 = 79.39 | 0.956 | 1.072 | 81.418 | 46.13 + 32.96 = 79.09 |
| 3 | 38.55 + 25.52 = 64.02 | 44.97 + 29.57 = 74.54 | 0.957 | 1.051 | 76.548 | 50.04 + 33.16 = 83.24 |
| 4 | 38.38 + 23.85 = 62.23 | 47.27 + 30.15 = 77.42 | 0.925 | 1.061 | 79.406 | 46.11 + 30.36 = 76.47 |
| 5 | 52.78 + 24.84 = 77.62 | 44.89 + 29.76 = 74.65 | 0.992 | 1.057 | 76.699 | 46.29 + 29.95 = 76.24 |
| 6 | 38.37 + 24.68 = 63.05 | 45.14 + 30.23 = 75.37 | 0.945 | 1.196 | 77.511 | 46.28 + 30.12 = 76.47 |
| 7 | 38.50 + 24.05 = 62.55 | 44.92 + 28.82 = 73.74 | 0.976 | 1.015 | 75.731 | 46.26 + 30.19 = 76.45 |

Table 15. Performance of the UML testbed when transferring a 10M file

| Sample run | (A) Write + read, no encryption | (B) Write + read, native IPsec | (C) Encryption with OpenSSL | (D) Decryption with OpenSSL | (B+C+D) | Write + read, proposed scheme |
|---|---|---|---|---|---|---|
| 1 | 394.00 + 254.84 = 648.84 | 458.09 + 294.93 = 753.02 | 17.70 | 18.20 | 788.92 | 476.71 + 305.94 = 782.65 |
| 2 | 375.99 + 236.14 = 612.04 | 450.77 + 296.49 = 747.17 | 12.91 | 18.77 | 778.78 | 472.86 + 310.00 = 782.86 |
| 3 | 374.78 + 235.16 = 609.94 | 461.72 + 297.74 = 759.46 | 14.71 | 16.47 | 790.64 | 468.79 + 308.44 = 777.23 |
| 4 | 385.76 + 238.69 = 624.45 | 469.47 + 302.66 = 772.13 | 13.063 | 18.827 | 804.02 | 461.16 + 304.32 = 765.48 |
| 5 | 423.02 + 250.52 = 673.54 | 453.46 + 293.55 = 747.01 | 13.027 | 16.80 | 776.837 | 461.71 + 300.58 = 762.29 |
| 6 | 389.05 + 245.27 = 634.32 | 454.48 + 302.09 = 756.57 | 13.16 | 18.15 | 787.88 | 461.62 + 301.53 = 763.15 |
| 7 | 387.07 + 241.55 = 628.62 | 452.52 + 302.28 = 754.80 | 13.462 | 18.59 | 786.852 | 461.27 + 301.28 = 762.55 |

Table 16. Performance of the UML testbed when transferring a 100M file

Figures 23-25 show the same results in graphical form. To accommodate the wide range of durations (about a tenth of a second for a 1K file to about 800 seconds for 100MB), the plots are shown against two logarithmic Y-axes. The durations for file sizes 1K, 10K and 100K are to be read against the Y-axis on the left, whereas those for 1M, 10M and 100M are to be read against the right Y-axis.
Figure 23. Performance on UML testbed under currently available alternative
Figure 24. Performance on UML testbed under the proposed scheme

Figure 25 shows the performance of the various schemes of iSCSI communication (no IPsec; IPsec plus separate OpenSSL encryption/decryption; proposed scheme) as a function of the file size. The Y axis is logarithmic. For the sake of clarity, the average durations for each file size have been used in this plot.

Figure 25. Performance of the different schemes of iSCSI communication (on UML testbed)

Analysis of results from UML testbed

Results in Figures 23-25 show the durations for the proposed scheme being closer to the case where there is no IPsec in the communication than to the case where there is IPsec plus encryption/decryption. However, they do not reflect the expected gains in performance. This is attributed to the results being for data transfer between virtual machines, which is affected by factors like numerous context switches. The fact that the 'write's on the initiator can also affect the performance of 'read's on the target is also a point to note.
Performance data of the proposed scheme on the lab testbed

Tables 17-22 show the results for the same test cases when run on the lab testbed. During the tests on these 'physical' machines it was noticed that the sk_buffs carrying the data packets are non-linear, i.e. the IP and TCP headers sit in the 'header' portion of the sk_buff while the iSCSI header and data sit in the 'paged' portion. This is unlike the data transfer between virtual machines, where the packet was found to be linear. For the results presented in this section, a call to skb_linearize() was added to the code in the esp_output() method on the initiator and the target, to linearize the skb before encryption. This makes a copy of the original skb and hence adds a performance overhead. A better solution will be to encrypt/decrypt the packet in three separate parts, i.e. TCP+IP headers, iSCSI header and iSCSI payload; this is mentioned in 'Future Directions'. To establish a comparable workload for the comparison of performance, the same skb_linearize() call was added to the 'native' IPsec code as well, so the linearization cost appears in column (B) and in the proposed-scheme column alike.
All times are in seconds. In the lab-testbed tables the write and read times are listed without their sum; (B+C+D) is the sum of the two times in column (B) plus (C) and (D).

| Sample run | (A) Write + read, no encryption | (B) Write + read, native IPsec | (C) Encryption with OpenSSL | (D) Decryption with OpenSSL | (B+C+D) | Write + read, proposed scheme |
|---|---|---|---|---|---|---|
| 1 | 0.03 + 0.00 | 0.01 + 0.00 | 0.066 | 0.021 | 0.097 | 0.02 + 0.04 |
| 2 | 0.03 + 0.02 | 0.03 + 0.02 | 0.036 | 0.023 | 0.109 | 0.02 + 0.04 |
| 3 | 0.02 + 0.02 | 0.01 + 0.00 | 0.017 | 0.017 | 0.044 | 0.04 + 0.02 |
| 4 | 0.03 + 0.03 | 0.02 + 0.02 | 0.019 | 0.023 | 0.082 | 0.03 + 0.02 |
| 5 | 0.01 + 0.00 | 0.02 + 0.02 | 0.030 | 0.031 | 0.101 | 0.03 + 0.02 |
| 6 | 0.03 + 0.02 | 0.03 + 0.02 | 0.226 | 0.016 | 0.292 | 0.05 + 0.04 |
| 7 | 0.04 + 0.02 | 0.03 + 0.02 | 0.019 | 0.018 | 0.087 | 0.02 + 0.02 |

Table 17. Performance of the lab testbed when transferring a 1K file

| Sample run | (A) Write + read, no encryption | (B) Write + read, native IPsec | (C) Encryption with OpenSSL | (D) Decryption with OpenSSL | (B+C+D) | Write + read, proposed scheme |
|---|---|---|---|---|---|---|
| 1 | 0.02 + 0.01 | 0.03 + 0.01 | 0.018 | 0.017 | 0.075 | 0.04 + 0.03 |
| 2 | 0.05 + 0.03 | 0.04 + 0.03 | 0.018 | 0.017 | 0.105 | 0.07 + 0.03 |
| 3 | 0.06 + 0.02 | 0.04 + 0.01 | 0.017 | 0.017 | 0.084 | 0.04 + 0.03 |
| 4 | 0.05 + 0.04 | 0.05 + 0.04 | 0.018 | 0.017 | 0.125 | 0.06 + 0.03 |
| 5 | 0.04 + 0.01 | 0.05 + 0.03 | 0.020 | 0.017 | 0.117 | 0.04 + 0.05 |
| 6 | 0.06 + 0.02 | 0.04 + 0.03 | 0.018 | 0.018 | 0.106 | 0.05 + 0.05 |
| 7 | 0.03 + 0.02 | 0.05 + 0.04 | 0.018 | 0.023 | 0.131 | 0.04 + 0.03 |

Table 18. Performance of the lab testbed when transferring a 10K file

| Sample run | (A) Write + read, no encryption | (B) Write + read, native IPsec | (C) Encryption with OpenSSL | (D) Decryption with OpenSSL | (B+C+D) | Write + read, proposed scheme |
|---|---|---|---|---|---|---|
| 1 | 0.14 + 0.12 | 0.15 + 0.10 | 0.032 | 0.028 | 0.310 | 0.16 + 0.13 |
| 2 | 0.13 + 0.11 | 0.16 + 0.11 | 0.034 | 0.044 | 0.348 | 0.17 + 0.13 |
| 3 | 0.14 + 0.10 | 0.14 + 0.10 | 0.028 | 0.024 | 0.292 | 0.18 + 0.13 |
| 4 | 0.14 + 0.10 | 0.17 + 0.13 | 0.032 | 0.044 | 0.376 | 0.18 + 0.13 |
| 5 | 0.13 + 0.10 | 0.17 + 0.13 | 0.031 | 0.044 | 0.375 | 0.16 + 0.13 |
| 6 | 0.14 + 0.10 | 0.18 + 0.14 | 0.042 | 0.030 | 0.392 | 0.18 + 0.15 |
| 7 | 0.15 + 0.10 | 0.16 + 0.14 | 0.031 | 0.023 | 0.354 | 0.17 + 0.13 |

Table 19. Performance of the lab testbed when transferring a 100K file

| Sample run | (A) Write + read, no encryption | (B) Write + read, native IPsec | (C) Encryption with OpenSSL | (D) Decryption with OpenSSL | (B+C+D) | Write + read, proposed scheme |
|---|---|---|---|---|---|---|
| 1 | 0.97 + 0.74 | 1.36 + 0.99 | 0.117 | 0.110 | 2.577 | 1.37 + 1.01 |
| 2 | 0.97 + 0.78 | 1.36 + 1.02 | 0.101 | 0.110 | 2.591 | 1.35 + 1.03 |
| 3 | 0.98 + 0.74 | 1.36 + 1.01 | 0.118 | 0.113 | 2.601 | 1.34 + 0.99 |
| 4 | 0.96 + 0.74 | 1.37 + 1.04 | 0.102 | 0.110 | 2.622 | 1.34 + 1.05 |
| 5 | 0.98 + 0.73 | 1.38 + 1.04 | 0.113 | 0.109 | 2.642 | 1.35 + 1.06 |
| 6 | 0.97 + 0.75 | 1.38 + 1.04 | 0.120 | 0.105 | 2.645 | 1.34 + 1.01 |
| 7 | 0.98 + 0.75 | 1.38 + 1.04 | 0.097 | 0.114 | 2.631 | 1.34 + 1.03 |

Table 20. Performance of the lab testbed when transferring a 1M file

| Sample run | (A) Write + read, no encryption | (B) Write + read, native IPsec | (C) Encryption with OpenSSL | (D) Decryption with OpenSSL | (B+C+D) | Write + read, proposed scheme |
|---|---|---|---|---|---|---|
| 1 | 9.26 + 6.99 | 13.08 + 9.89 | 0.817 | 0.771 | 24.558 | 13.18 + 9.67 |
| 2 | 9.25 + 7.12 | 14.25 + 10.00 | 0.815 | 0.770 | 25.835 | 13.09 + 9.84 |
| 3 | 9.19 + 7.10 | 22.08 + 10.09 | 0.819 | 0.771 | 33.760 | 13.04 + 9.78 |
| 4 | 9.17 + 7.09 | 14.00 + 9.88 | 0.817 | 0.766 | 25.463 | 12.99 + 9.60 |
| 5 | 9.16 + 7.09 | 13.22 + 9.70 | 0.820 | 0.770 | 25.580 | 13.06 + 9.77 |
| 6 | 9.18 + 7.05 | 13.19 + 9.88 | 0.821 | 0.754 | 24.645 | 13.05 + 9.78 |
| 7 | 9.19 + 7.14 | 13.28 + 9.87 | 0.818 | 0.770 | 24.738 | 13.04 + 9.64 |

Table 21. Performance of the lab testbed when transferring a 10M file

| Sample run | (A) Write + read, no encryption | (B) Write + read, native IPsec | (C) Encryption with OpenSSL | (D) Decryption with OpenSSL | (B+C+D) | Write + read, proposed scheme |
|---|---|---|---|---|---|---|
| 1 | 91.33 + 71.07 | 129.92 + 98.88 | 8.942 | 10.018 | 247.760 | 129.29 + 97.45 |
| 2 | 91.74 + 71.10 | 133.67 + 99.60 | 8.986 | 9.860 | 252.116 | 128.08 + 96.48 |
| 3 | 91.27 + 71.56 | 141.21 + 101.52 | 8.923 | 9.744 | 261.397 | 128.72 + 96.09 |
| 4 | 91.18 + 70.63 | 131.26 + 100.34 | 8.921 | 9.712 | 250.233 | 128.83 + 96.49 |
| 5 | 91.64 + 70.83 | 130.65 + 100.85 | 8.895 | 9.795 | 250.190 | 128.54 + 95.10 |
| 6 | 91.85 + 70.73 | 130.52 + 99.61 | 9.200 | 10.309 | 249.639 | 129.60 + 97.72 |
| 7 | 91.91 + 70.46 | 133.78 + 99.61 | 9.703 | 9.747 | 252.840 | 129.58 + 95.74 |

Table 22. Performance of the lab testbed when transferring a 100M file

Figures 26-28 show the duration taken for the various file sizes with, and without, IPsec (native and proposed). The patterns are similar to the plots shown above even though the actual durations are shorter. Figures 29-30 show performance gains for file sizes 1K-100K and 1M-100M. Figure 31 presents the average durations for all samples at each file size with, and without, IPsec.
Figure 26. Performance on the lab testbed without IPsec
Figure 27. Performance on the lab testbed under currently available alternative
Figure 28. Performance on the lab testbed under the proposed scheme
Figure 29. Performance gain under proposed scheme for file sizes 1K-100K
Figure 30. Performance gain under proposed scheme for file sizes 1M-100M
Figure 31. Performance of the different schemes of iSCSI communication (on lab testbed)

Analysis of results from the lab testbed

Figures 29 and 30 show the performance gains because of the proposed scheme. The performance gain was computed using the following formula, where T_native is the round-trip time with native IPsec, T_encdec is the time for encryption and decryption at the target, T_proposed is the round-trip time with the proposed scheme and T_plain is the round-trip time without IPsec:

Performance gain = ((T_native + T_encdec) - T_proposed) / ((T_native + T_encdec) - T_plain)

In the tables above, T_native + T_encdec is column (B+C+D), T_proposed is the proposed-scheme column and T_plain is column (A). A gain of 0 means the proposed scheme is no faster than native IPsec plus separate encryption/decryption; a gain of 1 (100%) would mean it costs nothing beyond the unprotected transfer.

Figure 29 shows that, for file sizes up to 100K bytes, the performance numbers have a wide range. This can be attributed to the durations being small enough to be skewed by slight changes. However, from Figure 30 it can be safely concluded that, as the file size increases from 1M on, the performance gains gravitate towards the 25%-30% range. This is less than the expected 65% gain mentioned earlier. Running a profiler on the implementation of the proposed scheme might throw more light on whether there is room for improvement.
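The formula above, applied to the seven lab-testbed runs for the 100M file, as an added example (this script is not part of the thesis; the numbers are copied from Table 22, the row layout and the function names are mine):

```shell
#!/bin/sh
# Added example, not part of the thesis: the performance-gain formula applied
# to the seven lab-testbed runs for the 100M file (Table 22).
# Each row: A_write A_read B_write B_read C D P_write P_read, where
#   A = no IPsec, B = native IPsec, C/D = OpenSSL encryption/decryption at
#   the target, P = proposed scheme (all in seconds; values copied from
#   Table 22, the row layout itself is constructed here).
TABLE22='
91.33 71.07 129.92  98.88 8.942 10.018 129.29 97.45
91.74 71.10 133.67  99.60 8.986  9.860 128.08 96.48
91.27 71.56 141.21 101.52 8.923  9.744 128.72 96.09
91.18 70.63 131.26 100.34 8.921  9.712 128.83 96.49
91.64 70.83 130.65 100.85 8.895  9.795 128.54 95.10
91.85 70.73 130.52  99.61 9.200 10.309 129.60 97.72
91.91 70.46 133.78  99.61 9.703  9.747 129.58 95.74
'

# gain_pct A_w A_r B_w B_r C D P_w P_r
# Prints ((B+C+D) - P) / ((B+C+D) - A) as a percentage with one decimal.
# 100 would mean the proposed scheme costs nothing over the unprotected
# transfer; 0 would mean it is no better than native IPsec plus OpenSSL.
gain_pct() {
    awk -v aw="$1" -v ar="$2" -v bw="$3" -v br="$4" \
        -v c="$5" -v d="$6" -v pw="$7" -v pr="$8" 'BEGIN {
        alt = bw + br + c + d            # currently available alternative
        printf "%.1f\n", (alt - (pw + pr)) / (alt - (aw + ar)) * 100
    }'
}

# mean_gain_pct: reads rows in the layout above on stdin, prints the mean.
mean_gain_pct() {
    awk 'NF == 8 {
        alt = $3 + $4 + $5 + $6
        sum += (alt - ($7 + $8)) / (alt - ($1 + $2)) * 100
        rows++
    }
    END { printf "%.1f\n", sum / rows }'
}

# Per-run gains, then the mean; the mean is the kind of number the
# 25%-30% range above summarises.
i=0
echo "$TABLE22" | awk 'NF == 8' | while read -r aw ar bw br c d pw pr; do
    i=$((i + 1))
    echo "run $i: gain = $(gain_pct "$aw" "$ar" "$bw" "$br" "$c" "$d" "$pw" "$pr")%"
done
echo "mean gain over 7 runs = $(echo "$TABLE22" | mean_gain_pct)%"
```

Run 1 comes out at 24.6% and the mean over the seven 100M runs at 29.6%, which is where the 25%-30% statement comes from; the per-run spread (roughly 25% to 37%) is the same effect seen in Figure 30.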
Chapter 6 Lessons Learnt

The iSCSI target and initiator are not specifically designed for use with virtual machines, so changes needed to be made to their makefiles to make them work with the UMLs. The iscsi_transport code within the Linux kernel is configured, by default, to be built as a static part of the kernel. The iSCSI initiator contains a modified version of the same functionality, built as a module. Attempts to install this module resulted in the error

/usr/src/iscsi/open-iscsi/svn/kernel/scsi_transport_iscsi.ko: -1 File exists

because the static (in-kernel) part of the iscsi_transport code, already loaded, conflicted with the module that was trying to load. This prevented the iSCSI initiator from running at all. The problem was remedied by changing the kernel config so that the kernel's version of the iscsi_transport code was built as a module ('m' instead of '*' in .config).

Debugging modules in User-Mode Linux proved to be very tricky. Portions of the procedure were found documented on the internet. Some involved the use of a physical machine while others involved the use of kgdb, which is not as user-friendly as gdb. However, none were actually capable of debugging modules of a third-party application like the iSCSI initiator or the iSCSI target using virtual machines. The procedure needed to be arrived at after putting together the various tools detailed in Appendix D.

The re-computation of TCP checksums, as described in the proposed scheme, was yet another obscure issue that involved thorough debugging of the Linux network stack to understand why all iSCSI traffic from the initiator to the target was getting rejected. A related issue was which function calls to make to perform the re-computation. Given the numerous options available in Linux for computation of TCP checksums under various conditions, figuring out the right combination of functions to use involved extensive trial and error.

During the initial efforts to develop the implementation, the author tried to make the target disk accessible to the initiator by using the 'mount' command to mount the target iSCSI disk at a mount point on the initiator and then using the 'cp' command to transfer the file from the initiator to the target. Both of these commands result in internal file system calls that produce a counter-intuitive (to the uninitiated) sequence of iSCSI packets. (After repeated queries in the open-iscsi group, the author came to know of this behavior.) That is why a decision was made to use the 'dd' utility. However, even the use of 'dd' did not help entirely, because it does not offer enough control over the granularity of the data transferred. This resulted, again, in an unpredictable pattern of packet flow. Queries on the open-iscsi.org group led the author to use the 'sg_dd' utility with the 'bpt=1' option (blocks per transfer = 1), which resulted in a predictable flow pattern of packets.

Another issue that took a long time to resolve was the intricate way the payload size is used in the SCSI layer, the iSCSI initiator, the iSCSI target and the IPsec layer. This issue became relevant when, initially, attempts were made to 'cp' files of arbitrary length between the initiator and the target. These resulted in the data passing the TCP layer but getting rejected in the iSCSI layer. Stepping through the code revealed that the padding of data for encryption in the IPsec layer on the initiator (under the modified scheme) was producing a data length at variance with what the iSCSI initiator and target understood to be passing between them. This recognition led to the decision to transfer only payloads that are integer multiples of the encryption block size. However, there are some other issues regarding the actual data sizes communicated between the SCSI layer and the iSCSI layer that are not yet understood by the author. Hence the decision was made to transfer data only in multiples of 1K.
Chapter 7 Future Directions

The author has the following future efforts to suggest:

- Modify the implementation by replacing the call to skb_linearize() with encryption of the packet in three parts instead of two. The TCP header, which resides in the 'header' portion of the skb, needs to be encrypted separately, padding it if necessary so that its length is an integral multiple of the encryption block size. The iSCSI header at the beginning of the 'paged' portion of the skb needs to be encrypted as a second chunk. The key used for the TCP and iSCSI headers should continue to be the IKE-managed key. The payload needs to be encrypted as yet another chunk, per the proposed scheme.

- Run the code through a profiler to identify the parts of the implementation that can be improved to achieve gains closer to the expected 65%.

- Enhance the current implementation to transfer files of arbitrary sizes between the initiator and the target. (This will need further study of the interaction between the SCSI layer, the iSCSI initiator and the iSCSI target.)

- Implement the proposed scheme on a TOE, with both iSCSI and IPsec integrated.

- Implement a /proc file system based way to enter the customized keys and initial vectors. (Currently, the second key is hard-coded in the kernel.) Additional criteria like the user ID can also be included, so that users can deploy different keys. Such an effort should also include a way to securely store the custom keys (and criteria) used during the iSCSI 'write's so that they can be retrieved as needed during 'read's.

- Currently, all iSCSI traffic within a TCP segment is identified by the iSCSI target port number (3260). The payload is specifically identified with the additional help of its size being 1K. Attempts can be made to 'mark' the packets with the help of utilities like netfilter so that the packets can be identified with less effort in the IPsec layer. An even better way might be to integrate such criteria into IPsec's Security Association / Security Policy management mechanism (the setkey utility for hard-coded keys, racoon for dynamic IKE) in such a way that handling specific to an application-layer protocol becomes an inherent part of the IPsec mechanism.

- A point to note is that the proposed scheme only expects to have a custom key available for 'write's and the same key accessible for 'read's. There is no restriction that this key needs to be static (hard-coded from the application layer) or be the same all the time. There can be several ways of starting with a fixed 'base' portion of a custom key and dynamically enhancing the key by appending details like a timestamp, the user ID, or the file name. As long as there is a way of saving the final version of the key, such a scheme will actually enhance security by constantly changing the customized key. Note, however, that appending predictable values such as a timestamp or user ID adds no secrecy to the base key; the per-file key should be derived from the base key and those inputs with a keyed derivation function rather than by plain concatenation, so that a recovered per-file key does not reveal the base key.

- An enhancement to an IDE like DDD to take over an existing gdb session will help the UML user community debug modules more easily; in fact such an enhancement will help the Linux development community in general. An explanation is given below. It is currently possible to use the DDD utility in conjunction with gdb to debug UMLs (this is the author's preferred way to debug UMLs). The use of a tool like DDD (or Eclipse) improves the interactiveness of a debug session significantly and therefore improves the development process. However, the current limitation is that such a tool cannot be used with UMLs when there is a need to support and debug modules (Linux-native or third party). Hence the author could use only gdb with UMLs to debug modules. The author came to know that DDD currently has the limitation that it cannot 'take over' an existing gdb session; it can only spawn a gdb session. However, the author received indications from one of the current maintainers of DDD that correcting this issue will not be a major effort.
Chapter 8 Conclusions

An efficient asymmetric IPsec protocol enhancement was proposed for reducing the processing time and improving the security of secure iSCSI based online-backup systems. A development testbed was constructed using UML virtual machines to facilitate the development and debugging of IPsec kernel/networking code. A benchmark testbed with two real PCs was installed with the new modified IPsec module, and a set of test runs were made to collect the performance data of the proposed system. The analysis of the data from the UML testbed does not show the expected performance gains, but running the same trials on actual machines shows performance gains in the 25%-30% range. An invention disclosure was filed.

Advantages of the current approach

The proposed scheme is independent of the encryption and authentication algorithms used (the setup was tested with AES as well as 3DES). Under the proposed scheme, the target machines do not perform many computations. As such, they need not be as fast as the initiator.

Limitations of the current approach

This approach needs kernel modifications and probably makes a software approach even less attractive. Incremental updates to files are difficult.
Bibliography

http://www.computerworld.com/securitytopics/security/story/0,10801,110148,00.html
http://www.backupusa.com/Security-BUSA.htm
Tom Clark, "IP SANs: A Guide to iSCSI, iFCP, and FCIP Protocols for Storage Area Networks", Addison Wesley Professional
http://www.iscsistorage.com/ipstorage.htm
RFC 2401
Marrone, Nancy, "Why you need (more) storage security", http://www.infostor.com/Articles/Article_Display.cfm?Section=Articles&Subsection=Display&ARTICLE_ID=173287
http://www.unixwiz.net/techtips/iguide-ipsec.html
Kolesnikov, Oleg, "Building Linux Virtual Private Networks (VPN)", New Riders, 2002
Doraswamy, Naganand; Harkins, Dan, "IPsec: The New Security Standard for the Internet", Prentice Hall, page 44
http://www.kame.net/
http://www.openswan.org/
http://strongswan.org/
http://www.freeswan.org/
http://ipsec-tools.sourceforge.net/
Friedhelm Schmidt, "SCSI Bus & IDE Interface: Protocols, Applications and Programming", Chapter 10
Friedhelm Schmidt, "SCSI Bus & IDE Interface: Protocols, Applications and Programming", Chapter 12
Hufferd, John L., "iSCSI: The Universal Storage Connection", Addison Wesley Professional, 2002
http://www.alacritech.com/html/012802.html, http://www.netapp.com/library/tr/3241.pdf, http://www.rtcmagazine.com/sup_files/rtc0505_sbe04.pdf
David Deming, Solution Technology, "SCSI: The Protocol for all Storage Architectures", October 2005, SNIA
Hufferd, John L., "iSCSI: The Universal Storage Connection", Addison Wesley Professional, 2002, chapter 4
www.open-iscsi.org (for the iSCSI initiator code)
http://iscsitarget.sourceforge.net/
user-mode-linux.sourceforge.net

APPENDIX A: User Guide of AIPsec

Setting up IPsec

The following sections describe the process to compile the tools needed to set up IPsec, generate the SPD/SAD entries and set up IPsec for communication between hosts.

Build the setkey utility

setkey is a part of the ipsec-tools package (ipsec-tools-0.3.3). It is the utility used to read configuration files and load manually keyed SAs and policies into the kernel. The instructions to build it are given below. For details, refer to [23].

Package dependencies for setkey

Make sure the following packages are available on the system:
flex-2.5.4a-30.i386.rpm
openssl-0.9.7a-23.i386.rpm
openssl-devel-0.9.7a-23.i386.rpm
krb5-devel-1.2.7-14.i386.rpm
Note: all of the packages are available at rpmfind.net.

Commands to build setkey

tar xvf ipsec-tools-0.3.3.tar
cd ipsec-tools-0.3.3
./configure --prefix=/usr --sysconfdir=/etc --with-openssl=yes --with-kernel-headers=full_path_to_the_linux_kernel_source/include
make all
make install

Generating a key

dd if=/dev/random count=24 bs=1 | xxd -ps

Typical output looks like

24+0 records in
24+0 records out
7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831

Prefix the above key with 0x and use it in the configuration file entries below. Note that the above step needs to be executed once for each new key. Since SAs are uni-directional, this means the command needs to be executed once for each direction.

Generating SAD and SPD entries using the setkey utility on the target

The configuration file used on the target is shown below. It shows the use of AES for encryption. The key size used for encryption in this thesis is 192 bits (24 bytes). (AES can also use key sizes of 128 bits or 256 bits.) AES uses an encryption block size of 128 bits (as opposed to the 64-bit block size of 3DES). The authentication algorithm used here is hmac-md5. It requires a 128-bit key. The man page for setkey lists all the encryption and authentication algorithms supported by the kernel's IPsec implementation, along with their key sizes. The target in this case has the IP address 192.168.0.151. The initiator has the IP address 192.168.0.152. Note that when a key is given in the form 0x..., each character after the 0x is treated as a half-byte (one hex digit), whereas if the key is contained within double quotes, each character is a byte. Note that "authentication!!" is just an arbitrary 16-byte string, and can be replaced by any other 16-byte string. Bear in mind, though, that a printable phrase carries far less entropy than the 128 bits hmac-md5 expects; outside a closed testbed the authentication key should be generated with dd and xxd exactly like the encryption key and given in 0x form.
#!/usr/sbin/setkey -v -f
# Flush the SAD and SPD
flush;
spdflush;
# creating SAD entries
add 192.168.0.152 192.168.0.151 esp 0x201 -E aes-cbc 0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831 -A hmac-md5 "authentication!!";
add 192.168.0.151 192.168.0.152 esp 0x301 -E aes-cbc 0x49fce5b82ff7acc4d6aded691a0f5f9a65e18861ad4b66bf -A hmac-md5 "authentication!!";
# Creating SPD entries
spdadd 192.168.0.152 192.168.0.151 any -P in ipsec esp/transport//require;
spdadd 192.168.0.151 192.168.0.152 any -P out ipsec esp/transport//require;

The command setkey -f above_file_name generates the corresponding SAD and SPD entries.
Displaying SAD entries on the target

The command setkey -D displays the entries in the SAD. For the above configuration, the generated entries look like

192.168.0.151 192.168.0.152
    esp mode=transport spi=769(0x00000301) reqid=0(0x00000000)
    E: aes-cbc 49fce5b82ff7acc4d6aded691a0f5f9a65e18861ad4b66bf
    A: hmac-md5 61757468656e7469636174696f6e2121
    seq=0x00000000 replay=0 flags=0x00000000 state=mature
    created: Apr 2 12:53:21 2006 current: Apr 2 12:53:24 2006
    diff: 3(s) hard: 0(s) soft: 0(s)
    last: hard: 0(s) soft: 0(s)
    current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
    allocated: 0 hard: 0 soft: 0
    sadb_seq=1 pid=754 refcnt=0
192.168.0.152 192.168.0.151
    esp mode=transport spi=513(0x00000201) reqid=0(0x00000000)
    E: aes-cbc 7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831
    A: hmac-md5 61757468656e7469636174696f6e2121
    seq=0x00000000 replay=0 flags=0x00000000 state=mature
    created: Apr 2 12:53:21 2006 current: Apr 2 12:53:24 2006
    diff: 3(s) hard: 0(s) soft: 0(s)
    last: hard: 0(s) soft: 0(s)
    current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
    allocated: 0 hard: 0 soft: 0
    sadb_seq=0 pid=754 refcnt=0

The A: line shows the quoted "authentication!!" key as its byte values (61 75 74 68 ... 21 21). Two fields are worth checking in this output: replay=0 means the anti-replay window is disabled, and hard: 0(s) means the SA never expires. Both are the defaults for manually keyed SAs loaded with setkey and are acceptable on the closed testbed, but a deployment would use racoon (IKE) so that keys are negotiated, rotated and replay-protected.

Displaying SPD entries on the target

The command setkey -PD displays the entries in the SPD.
For the above configuration they look like

192.168.0.152[any] 192.168.0.151[any] any
    in ipsec
    esp/transport//require
    created: Apr 2 12:53:22 2006 lastused:
    lifetime: 0(s) validtime: 0(s)
    spid=8 seq=1 pid=755 refcnt=1
192.168.0.151[any] 192.168.0.152[any] any
    out ipsec
    esp/transport//require
    created: Apr 2 12:53:22 2006 lastused:
    lifetime: 0(s) validtime: 0(s)
    spid=9 seq=0 pid=755 refcnt=1

Generating SAD and SPD entries using the setkey utility on the initiator

The configuration file on 192.168.0.152, for communication with 192.168.0.151, looks like

#!/usr/sbin/setkey -v -f
# Configuration for 192.168.0.152
# Flush the SAD and SPD
flush;
spdflush;
add 192.168.0.152 192.168.0.151 esp 0x201 -E aes-cbc 0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831 -A hmac-md5 "authentication!!";
add 192.168.0.151 192.168.0.152 esp 0x301 -E aes-cbc 0x49fce5b82ff7acc4d6aded691a0f5f9a65e18861ad4b66bf -A hmac-md5 "authentication!!";
# Security policies
spdadd 192.168.0.151 192.168.0.152 any -P in ipsec esp/transport//require;
spdadd 192.168.0.152 192.168.0.151 any -P out ipsec esp/transport//require;

The SAD entries (the two add lines) are identical on both hosts; only the direction in the two spdadd lines is reversed. setkey -f the_above_file_name will generate the SAD and SPD entries.
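The two setkey scripts above differ only in which direction each host treats as inbound, and both depend on the keys having been generated and pasted correctly. The following is an added example (not part of the thesis) that produces both scripts from fresh random keys: the addresses, SPIs and algorithms are the ones used above, while the function names, the length/format check and the use of od instead of xxd are mine. It writes both scripts to standard output rather than to files.

```shell
#!/bin/sh
# Added example, not part of the thesis: generate the two manual-keying setkey
# scripts of this appendix from fresh random keys.  Addresses, SPIs and
# algorithms are the thesis's; the function names, the check and the use of
# od instead of xxd are mine.  Output goes to stdout, one script per host.
INITIATOR=192.168.0.152
TARGET=192.168.0.151
SPI_I2T=0x201   # SA carrying initiator -> target traffic
SPI_T2I=0x301   # SA carrying target -> initiator traffic

# gen_key NBYTES: NBYTES of kernel randomness as a 0x-prefixed hex string,
# the same material as `dd if=/dev/random count=N bs=1 | xxd -ps` above.
gen_key() {
    printf '0x%s\n' "$(od -An -tx1 -N "$1" /dev/urandom | tr -d ' \n')"
}

# key_bits 0xHEX: key length in bits (each hex digit after 0x is 4 bits).
key_bits() {
    h=${1#0x}
    echo $(( ${#h} * 4 ))
}

# check_key 0xHEX BITS: succeed only for a well-formed hex key of exactly
# BITS bits.  setkey rejects a wrong length for aes-cbc; a quoted ASCII
# phrase such as "authentication!!" is accepted but carries far less than
# 128 bits of entropy, so this script only ever emits hex keys.
check_key() {
    h=${1#0x}
    [ "$(key_bits "$1")" -eq "$2" ] || return 1
    case $h in *[!0-9a-fA-F]*|'') return 1 ;; esac
    return 0
}

# setkey_conf ROLE EKEY_I2T AKEY_I2T EKEY_T2I AKEY_T2I
# ROLE is target or initiator.  Both hosts get identical SAD entries; the
# SPD differs only in which direction is inbound on that host.
setkey_conf() {
    role=$1; ek1=$2; ak1=$3; ek2=$4; ak2=$5
    if [ "$role" = target ]; then
        me=$TARGET;    in_pair="$INITIATOR $TARGET"; out_pair="$TARGET $INITIATOR"
    else
        me=$INITIATOR; in_pair="$TARGET $INITIATOR"; out_pair="$INITIATOR $TARGET"
    fi
    cat <<EOF
#!/usr/sbin/setkey -f
# $role ($me): flush the SAD and SPD, then add SAs and policies
flush;
spdflush;
add $INITIATOR $TARGET esp $SPI_I2T -E aes-cbc $ek1 -A hmac-md5 $ak1;
add $TARGET $INITIATOR esp $SPI_T2I -E aes-cbc $ek2 -A hmac-md5 $ak2;
spdadd $in_pair any -P in ipsec esp/transport//require;
spdadd $out_pair any -P out ipsec esp/transport//require;
EOF
}

# One AES-192 key (24 bytes) and one HMAC-MD5 key (16 bytes) per direction.
EK1=$(gen_key 24); AK1=$(gen_key 16)
EK2=$(gen_key 24); AK2=$(gen_key 16)
for k in "$EK1" "$EK2"; do check_key "$k" 192 || { echo "bad AES key: $k" >&2; exit 1; }; done
for k in "$AK1" "$AK2"; do check_key "$k" 128 || { echo "bad HMAC key: $k" >&2; exit 1; }; done
setkey_conf target    "$EK1" "$AK1" "$EK2" "$AK2"
echo
setkey_conf initiator "$EK1" "$AK1" "$EK2" "$AK2"
```

Save each script on its host and load it with setkey -f as above; because both scripts come from the same run, the SPIs and keys are guaranteed to match on both ends, which is the usual source of silent "everything is dropped" failures with manual keying.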
Displaying the SAD entries on the initiator

setkey -D shows the SAD entries as

192.168.0.151 192.168.0.152
    esp mode=transport spi=769(0x00000301) reqid=0(0x00000000)
    E: aes-cbc 49fce5b82ff7acc4d6aded691a0f5f9a65e18861ad4b66bf
    A: hmac-md5 61757468656e7469636174696f6e2121
    seq=0x00000000 replay=0 flags=0x00000000 state=mature
    created: Apr 2 13:10:51 2006 current: Apr 2 13:10:54 2006
    diff: 3(s) hard: 0(s) soft: 0(s)
    last: hard: 0(s) soft: 0(s)
    current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
    allocated: 0 hard: 0 soft: 0
    sadb_seq=1 pid=721 refcnt=0
192.168.0.152 192.168.0.151
    esp mode=transport spi=513(0x00000201) reqid=0(0x00000000)
    E: aes-cbc 7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831
    A: hmac-md5 61757468656e7469636174696f6e2121
    seq=0x00000000 replay=0 flags=0x00000000 state=mature
    created: Apr 2 13:10:51 2006 current: Apr 2 13:10:54 2006
    diff: 3(s) hard: 0(s) soft: 0(s)
    last: hard: 0(s) soft: 0(s)
    current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
    allocated: 0 hard: 0 soft: 0
    sadb_seq=0 pid=721 refcnt=0

Displaying SPD entries on the initiator

setkey -DP shows the SPD entries as

192.168.0.151[any] 192.168.0.152[any] any
    in ipsec
    esp/transport//require
    created: Apr 2 13:10:51 2006 lastused:
    lifetime: 0(s) validtime: 0(s)
    spid=8 seq=1 pid=722 refcnt=1
192.168.0.152[any] 192.168.0.151[any] any
    out ipsec
    esp/transport//require
    created: Apr 2 13:10:51 2006 lastused:
    lifetime: 0(s) validtime: 0(s)
    spid=9 seq=0 pid=722 refcnt=1

Appendix B: Running the iSCSI target program

Installing the target on a host machine

tar xvf iscsitarget-0.4.11.tar
cd iscsitarget-0.4.11
make all

This builds the two binaries ietd and ietadm in the iscsitarget-0.4.11/usr directory. It also builds the module iscsi_trgt.ko in the iscsitarget-0.4.11/kernel directory.

make install

This installs the two binaries in the /usr/sbin directory. The module is installed in /lib/modules/`uname -r`/kernel/iscsi.

Installing the target on a UML

This procedure involves mounting the target UML's root file system on a mount point on the host:

mount -o loop target_UML's_rootfs /mnt/mount_point
tar xvf iscsitarget-0.4.11.tar
cd iscsitarget-0.4.11

In the Makefile, point KERNELSRC at the kernel source the target UML was built from and export INSTALL_MOD_PATH so that everything is installed into the mounted root file system:

KERNELSRC := /path_leading_to_iscsi_target_uml/linux-2.6.12.1
export INSTALL_MOD_PATH := /mnt/mount_point

Modify the 'install' target in the Makefile as follows (recipe lines are tab-indented):

install: kernel/iscsi_trgt.ko usr/ietd usr/ietadm
	@install -vD usr/ietd $(INSTALL_MOD_PATH)/usr/sbin/ietd
	@install -vD usr/ietadm $(INSTALL_MOD_PATH)/usr/sbin/ietadm
	if [ -f /etc/debian_version ]; then \
		install -vD -m 755 etc/initd/initd.debian $(INSTALL_MOD_PATH)/etc/init.d/iscsi-target; \
	elif [ -f /etc/redhat-release ]; then \
		install -vD -m 755 etc/initd/initd.redhat $(INSTALL_MOD_PATH)/etc/init.d/iscsi-target; \
	elif [ -f /etc/gentoo-release ]; then \
		install -vD -m 755 etc/initd/initd.gentoo $(INSTALL_MOD_PATH)/etc/init.d/iscsi-target; \
	elif [ -f /etc/slackware-version ]; then \
		install -vD -m 755 etc/initd/initd $(INSTALL_MOD_PATH)/etc/rc.d/iscsi-target; \
	else \
		install -vD -m 755 etc/initd/initd $(INSTALL_MOD_PATH)/etc/init.d/iscsi-target; \
	fi
	@eval `sed -n 's/#define UTS_RELEASE /KERNELRELEASE=/p' $(KERNELSRC)/include/linux/version.h`; \
		install -vD kernel/iscsi_trgt.ko \
		$(INSTALL_MOD_PATH)/lib/modules/$$KERNELRELEASE/kernel/iscsi/iscsi_trgt.ko
	-depmod -aq

make all

This builds the two binaries ietd and ietadm in the iscsitarget-0.4.11/usr directory. It also builds the module iscsi_trgt.ko in the iscsitarget-0.4.11/kernel directory.

make install

This installs the two binaries in the $INSTALL_MOD_PATH/usr/sbin directory. The module is installed in $(INSTALL_MOD_PATH)/lib/modules/`uname -r`/kernel/iscsi. Note that the distribution test in the install target looks at the host's /etc, not the UML's, and that depmod on the host will not see the UML's module directory, so run depmod inside the UML after it boots if the module does not load.

Unmount the UML root file system and prepare to run the UML.

Running the target

Copy the file iscsitarget-0.4.11/etc/ietd.conf into /etc (ietd reads /etc/ietd.conf; see Appendix F), cd /etc/init.d and make appropriate changes to ietd.conf (a sample is included on the DVD). Then execute the command

iscsi-target start

The ietd.conf file used in testing on the UML testbed is included below.

# Example iscsi target configuration
# Everything until the first target definition belongs
# to the global configuration.
# Right now this is only the user configuration used
# during discovery sessions:
#IncomingUser joe secret
# Targets definitions start with "Target" and the target name.
# The target name must be a globally unique name, the iSCSI
# standard defines the "iSCSI Qualified Name" as follows:
#
# iqn.yyyy-mm.<reversed domain name>[:identifier]
#
# "yyyy-mm" is the date at which the domain is valid and the identifier
# is freely selectable. For further details please check the iSCSI spec.
Target iqn.2001-04.com.example:storage.disk2.sys1.xyz
# Users, who can access this target
# (no users means anyone can access the target)
#IncomingUser joe secret
# Logical Unit definition
# You must define one logical unit at least.
# Block devices, regular files, LVM, and RAID can be offered
# to the initiators as a block device.
#Lun 0 Path=/dev/sdc,Type=fileio
Lun 0 Path=/tmp/target_file,Type=fileio
# Alias name for this target
#Alias Test
# various iSCSI parameters
# (not all are used right now, see also iSCSI spec for details)
#MaxConnections 1
InitialR2T Yes
# Immediate data set to no, so as to receive data only
# in solicited 'Data-out's
ImmediateData No
MaxRecvDataSegmentLength 8192
#MaxRecvDataSegmentLength 1024
#MaxBurstLength 262144
#FirstBurstLength 65536
#DefaultTime2Wait 2
DefaultTime2Wait 180
#DefaultTime2Retain 20
DefaultTime2Retain 180
#MaxOutstandingR2T 8
DataPDUInOrder Yes
#DataPDUInOrder Yes
DataSequenceInOrder Yes
#DataSequenceInOrder Yes
#ErrorRecoveryLevel 0
#HeaderDigest CRC32C,None
#DataDigest CRC32C,None
# The iscsi target code was modified to support error recovery 2
# O1 was added to target/kernel/Makefile to support the consequent
# use of htonl
ErrorRecoveryLevel 2
HeaderDigest None
DataDigest None
# various target parameters
#Wthreads 8

Note that no IncomingUser is configured, so any initiator that can reach port 3260 may log in to this target; on the closed testbed that is intended, but a shared network needs CHAP users enabled here.

Appendix C: Running the iSCSI initiator program

Installing the initiator in the host machine

This step needs root access.
untar open-iscsi-0.4-434.tar
cd open-iscsi-0.4-434/kernel
cat backward-compile-2.6.12.patch | patch -p0

[...]

... to continue, or q to quit --- sometimes, this can happen even before the screen session is attached to. When this happens, the UML session in the separate xterm seems to hang. When that happens, attach to the screen session using the 'screen -r' command and look for the above prompt.

Using GDB to debug modules

At this point, for each UML virtual machine, we have one xterm running the UML session and another xterm containing the gdb session associated with the UML session. The following steps set up the modules to be debugged.

Given the name of the module to be debugged as its lone parameter, the file get_add-symbol-file_cmd within the file system of both uml1 and uml2 generates the text to add as a command at the gdb prompt. A typical example looks as follows:

get_add-symbol-file_cmd iscsi_trgt

add-symbol-file /home/mandukur/iscsitarget-0.4.11/kernel/iscsi_trgt.ko 0x188d1000 \
    -s .bss 0x188e0140 \
    -s .data 0x188dfce0 \
    -s .gnu.linkonce.this_module 0x188e0000 \
    -s .rodata 0x188da2d8 \
    -s .rodata.str1.1 0x188db124 \
    -s .rodata.str1.32 0x188dbd00 \
    -s .strtab 0x188de7b8 \
    -s .symtab 0x188dc988 \
    -s __param 0x188dc974

The add-symbol-file line (everything after the invocation) is the command to be entered at the gdb prompt.
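The appendix does not show the source of get_add-symbol-file_cmd. The following is an added example of one way to build the same command line, not the thesis's script: it reads the load address of each section from /sys/module/<name>/sections/ (one file per section, readable by root), which is what gdb needs because a module's sections are laid out independently when it is loaded. The .ko path and the sections directory are parameters, so the function can also be run against a constructed directory; the module name default is mine.

```shell
#!/bin/sh
# Added example, not the thesis's get_add-symbol-file_cmd (whose source the
# appendix does not show): build the gdb add-symbol-file line for a loaded
# module from the section load addresses the kernel publishes under
# /sys/module/<name>/sections/ (one file per section, readable by root).
# The .ko path and the sections directory are parameters, so the same
# function can be exercised on a constructed directory.
#
# gen_add_symbol_cmd KO_PATH SECTIONS_DIR
gen_add_symbol_cmd() {
    ko=$1; secdir=$2
    if [ ! -r "$secdir/.text" ]; then
        echo "gen_add_symbol_cmd: no readable .text in $secdir" >&2
        return 1
    fi
    cmd="add-symbol-file $ko $(cat "$secdir/.text")"
    # gdb takes .text as the main address; every other section becomes
    # "-s NAME ADDR".  Sort in the C locale so the output is stable.
    for name in $(ls -A "$secdir" | LC_ALL=C sort); do
        if [ "$name" = .text ]; then continue; fi
        if [ ! -f "$secdir/$name" ]; then continue; fi
        cmd="$cmd -s $name $(cat "$secdir/$name")"
    done
    printf '%s\n' "$cmd"
}

# Usage on the target UML, with iscsi_trgt loaded and gdb attached to the UML:
#   gen_add_symbol_cmd /home/mandukur/iscsitarget-0.4.11/kernel/iscsi_trgt.ko \
#       /sys/module/iscsi_trgt/sections
# then paste the printed line at the gdb prompt.  The same works for the
# initiator's modules (iscsi_tcp, scsi_transport_iscsi).
MOD=${1:-iscsi_trgt}
if [ -d "/sys/module/$MOD/sections" ]; then
    gen_add_symbol_cmd "$MOD.ko" "/sys/module/$MOD/sections" || true
fi
```

The .ko given to gdb must be the very file that was loaded (same build), otherwise the symbols will not line up with the addresses even though gdb accepts the command without complaint.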
AppendixE:Compilingsg_ddandsettingitupAsmentionedabove,sg_ddistheutilityusedtowriteblocksofdatatotothetarget,andreadthemback.
Tobuildsgutils,installthefollowingintheinitiatoruml(uml2)libtool-libs.
1.
5.
8m4-1.
4.
1-14.
i386.
rpmautoconf-2.
57-3.
noarch.
rpmautomake-1.
7.
8-1.
noarch.
rpmlibtool-1.
5-8.
i386.
rpmsg3_utils-libs-1.
19-1.
1.
i386.
rpm(Thefollowingaredependenciesforlibpthread)basesystem-8.
0-2.
noarch.
rpmglibc-common-2.
3.
2-101.
i386.
rpmglibc-2.
3.
2-101.
i386.
rpmAndthen,buildinsidethesgutilssourcedirectory,usingMakefile.
asrootmake–fMakefile.
asrootmake–fMakefile.
asrootinstallAppendixF:AtypicalrunthroughthetestbedGivenbelowarethelistofstepsforatypical'write'and'read'sessionbetweentheinitiatorandthetarget.
Step1:Createthe'disk'onthetarget(Thiscommandneedstobeexecutedonthetarget)Onthetarget,makesurethefilethatissupposedtobepresentedasadisktotheinitiator,doesindeedexist.
Thenameofthefileisobtainedfromthe'Lun'entryof/etc/ietd.
confontheiscsitarget.
Inthetestbed,theentryisLun0Path=/tmp/target_file,Type=fileioThePathcanpointtoarealdisk,asin/dev/sdcIfthefiledoesnotexist,createitusingthe'dd'command.
Anexampleisddif=/dev/zeroof=/tmp/target_filebs=1024count=24576conv=syncStep2:StarttheiSCSItargetsoftware(Thiscommandneedstobeexecutedonthetarget)/etc/init.
d/iscsi-target start (The iscsi-target script is installed as a part of installing the iscsi-target.)

Step 3: Start the iSCSI Initiator daemon (This command needs to be executed on the Initiator)

#!/bin/bash
# cd /lib/modules/2.6.12.1-bs7y/kernel/drivers/scsi
modprobe scsi_mod
modprobe sd_mod
modprobe sg
modprobe scsi_transport_iscsi
iscsid -c /etc/iscsid.conf -f -d 10 &
modprobe iscsi_tcp

Step 4: Log in to the target (This command needs to be executed on the Initiator)

/root/open-iscsi/usr/iscsiadm -m discovery --type sendtargets --portal

The SCSI node id will be printed here. A typical example looks like

[4dbdf2] 192.168.0.151:3260,1 iqn.2001-04.com.example:storage.disk2.sys1.xyz

/root/open-iscsi//usr/iscsiadm -m node --record 4dbdf2 --login

This outputs a lot of text that ends with

. . . .
iscsid: scanning host0 using /sys/class/scsi_host/host0/scan
  Vendor: IET      Model: VIRTUAL-DISK      Rev: 0
  Type:   Direct-Access                     ANSI SCSI revision: 04
SCSI device sda: 49152 512-byte hdwr sectors (25 MB)
SCSI device sda: drive cache: write back
SCSI device sda: 49152 512-byte hdwr sectors (25 MB)
SCSI device sda: drive cache: write back
Attached scsi disk sda at scsi0, channel 0, id 0, lun 0
Attached scsi generic sg0 at scsi0, channel 0, id 0, lun 0, type 0
iscsid: connection0:0 is operational now
iscsid: thread 4026a444 removed from actor_list

At the current stage, the implementation of the scheme is limited to handling file sizes that are exact multiples of 1024. That is because the SCSI layer seems to send out scatter-gather buffer pointers referring to the full block size to the iSCSI layer. The exact nature of the communication between the SCSI layer and the iSCSI layer is not yet completely understood by the author of this thesis.

The command to write a file to a target looks like

sg_dd if=test_file_100MB.txt of=/dev/scsi/host0/bus0/target0/lun0/disc bs=1024 bpt=1 odir=1 count=102400 skip=0 seek=0

Step 5: Verifying that data is scrambled on the target (This command needs to be executed on the target)

In this step we read the data from the target. The command

dd if=/tmp/target_file of=data_read_file bs=1024 count=same_value_as_from_the_above_sg_dd_command

retrieves the data written to the target disk into a local file called 'data_read_file'. The contents of the file (looked at with 'vi' or 'cat') look scrambled.

Step 6: Read data from the Initiator (This command needs to be executed on the Initiator)

The command run below is only slightly different from the earlier command run to 'write' the data. Note that the 'of' in the earlier step now becomes the 'if'. There is a new 'of' to store the retrieved contents.

sg_dd if=/dev/scsi/host0/bus0/target0/lun0/disc of=retrieved_data bs=1024 bpt=1 odir=1 count=102400 skip=0 seek=0

Step 7: Verifying the correctness of the data (This command needs to be executed on the Initiator)

Run the command 'cksum' on both the input and output files, i.e. 'cksum test_file_100MB.txt' and 'cksum retrieved_data' should display identical numbers.

Note: Every time a new login happens from the Initiator to the target, the host id of the target as seen by the initiator changes. So, in the above commands to 'write' and 'read', the device path could be under host0, host1 or host2.
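The write, read and verification steps above (Steps 4 to 7), including the 1024-byte-multiple limitation and the changing host id noted at the end, as an added set of shell helpers that are not part of the thesis; they assume sg_dd and cksum are installed and the /dev/scsi/hostN/bus0/target0/lun0/disc device layout shown above.

```shell
#!/bin/bash
# Added example, not from the thesis: helpers for Steps 4 to 7. Assumes sg_dd
# and cksum are installed and the /dev/scsi/hostN/bus0/target0/lun0/disc layout.

# The scheme only handles sizes that are exact multiples of 1024 (bs=1024).
# Print the sg_dd block count for a byte size, or fail if it does not fit.
block_count() {
  local size=$1
  if [ $((size % 1024)) -ne 0 ]; then
    echo "size $size is not a multiple of 1024; pad the file first" >&2
    return 1
  fi
  echo $((size / 1024))
}

# The host id seen by the initiator changes on every login (host0, host1, ...).
# Print the disc path under the highest-numbered host, or fail if none exists.
find_disc_path() {
  local root=${1:-/dev/scsi} path n best="" best_n=-1
  for path in "$root"/host*/bus0/target0/lun0/disc; do
    [ -e "$path" ] || continue
    n=${path#"$root"/host}; n=${n%%/*}
    if [ "$n" -gt "$best_n" ]; then best=$path; best_n=$n; fi
  done
  [ -n "$best" ] || { echo "no iSCSI disc found under $root" >&2; return 1; }
  echo "$best"
}

# Step 4: write a file to the target; the block count comes from its size.
write_to_target() {
  local src=$1 disc=$2 count
  count=$(block_count "$(stat -c %s "$src")") || return 1
  sg_dd if="$src" of="$disc" bs=1024 bpt=1 odir=1 count="$count" skip=0 seek=0
}

# Step 6: read the same number of 1024-byte blocks back into a local file.
read_from_target() {
  local disc=$1 dst=$2 count=$3
  sg_dd if="$disc" of="$dst" bs=1024 bpt=1 odir=1 count="$count" skip=0 seek=0
}

# Steps 5 and 7: succeed only if two files have the same cksum. Source and
# retrieved file must match (Step 7); plaintext and raw target file must not (Step 5).
same_cksum() {
  local a b
  a=$(cksum < "$1" | cut -d' ' -f1,2)
  b=$(cksum < "$2" | cut -d' ' -f1,2)
  [ "$a" = "$b" ]
}
```

For the target-side check of Step 5, run same_cksum against the plaintext and /tmp/target_file on the target and expect it to fail; for Step 7 run it on the initiator against the retrieved file and expect it to succeed.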
