university of colorado colorado...

SECURE ASYMMETRIC ISCSI SYSTEM FOR ONLINE STORAGE

by

SARAH A. SUMMERS

B.Eng., Materials Engineering, Swansea University, 1993Eng.D., Materials Engineering, Swansea University, 1999

A project submitted to the Graduate Faculty of the

University of Colorado at Colorado Springs

in partial fulfillment of the

requirements for the degree of

Master of Science

Department of Computer Science

2008

This project for the Master of Science in Computer Science degree by

Sarah A. Summers

has been approved for the

Department of Computer Science by

C. Edward Chow, Chair

Terrance Boult

Joe Zhou

Rick Bauer

Date

Summers, Sarah A. (M.S., Computer Science)

Secure Asymmetric iSCSI System for Online Storage

Project directed by Professor C. Edward Chow

Security and availability of data stored on computer systems has become increasingly important

over recent years. The recently developed Efficient Asymmetric Secure iSCSI provides

availability of data through the use of the iSCSI application level protocol to enable remote

network attached storage; security of data is provided by an enhanced IPsec implementation

which secures data not only in transit but also when stored on the remote storage medium.

The Secure Asymmetric iSCSI System for Online Storage proposed in this project, enhances the

Efficient Asymmetric Secure iSCSI scheme. The enhancements include the simulation of the

transfer of files of arbitrary size and the transfer of files to two targets. This was achieved through

modifications to the sg_dd utility, form the sg3_utils package, which is used to write and read

files to and from target storage media.

A VMware Server virtual machine test bed, for development and testing, was created by cloning

the Efficient Asymmetric Secure iSCSI physical test bed using UltimateP2V. Testing of the

proposed scheme on this test bed revealed that the changes to the sg_dd utility do not adversely

affect overall system performance.

A graphical user interface was developed to simplify the usage of the scheme when setting up

security keys, associations and databases required for IPsec, and writing and reading files.

Additional research was carried out to determine how the Efficient Asymmetric Secure iSCSI

scheme could be modified to use a mounted target storage device and the cp utility for writing

and reading files.

Dedication

To my parents and Sandy, without whose support and, encouragement it would not have been

possible to undertake the Master of Computer Science program.

Acknowledgements

I would like to express my sincere appreciation to Dr. C. Edward Chow for his continual support

and encouragement during this project and also during the many classes that I have taken with

him. His enthusiasm for Computer Science is contagious.

Appreciation and thanks also to my committee members Dr. Terrance Boult, Dr. Joe Zhou and

Rick Bauer.

I would also like to thank the School of Engineering and Applied Science and the Department of

Computer Science, for the use of the computing facilities without which it would not have been

possible to complete this project.

Thanks go to Dr. Katherine Flesia and her daughter Cillian for sharing their home with me during

my last few months in Colorado Springs and making that time an enjoyable experience. Thanks

also to Trish Marquez and Suphannee Sae Chai for their encouragement and assistance during the

early stages of this project.

CONTENTS

Chapter

Dedication.........................................................................................................................................v

Acknowledgements..........................................................................................................................vi

1. Introduction...............................................................................................................1

1.1 Data Storage Explosion.............................................................................................1

1.2 Legal Implications for Secure Storage......................................................................1

1.2.1 HIPAA......................................................................................................................2

1.2.2 SOX...........................................................................................................................2

1.3 Motivation for Secure Online Storage......................................................................2

1.4 Internet Protocol (IP) Storage Options.....................................................................3

1.5 iSCSI.........................................................................................................................4

2. SCSI and iSCSI.........................................................................................................5

2.1 SCSI (Small Computer Systems Interface)...............................................................5

2.2 SCSI Architecture Model..........................................................................................5

2.3 SCSI Protocol............................................................................................................7

2.3.1 Command Descriptor Blocks....................................................................................7

2.3.1.1 Command Descriptor Block Fields...................................................................8

2.3.2 Logical Unit Numbers.............................................................................................10

2.3.3 Phases of an I/O Operation.....................................................................................10

2.4 SCSI Architecture in the Linux Kernel...................................................................12

2.4.1 SCSI Subsystem......................................................................................................13

2.4.1.1 Upper Layer....................................................................................................14

2.4.1.2 Mid Layer.......................................................................................................15

2.4.1.3 Lower Layer....................................................................................................15

2.5 Limitations of SCSI................................................................................................16

2.6 iSCSI (internet SCSI)..............................................................................................16

2.6.1 iSCSI Protocol........................................................................................................16

2.6.1.1 Naming............................................................................................................17

2.6.1.2 Establishing Connections between Initiator and Target(s).............................18

2.6.1.2.1 iSCSI Protocol Data Units...........................................................................18

2.6.1.2.2 Sessions.......................................................................................................19

2.6.1.2.2.1 Discovery Session..................................................................................20

2.6.1.2.2.2 Normal Session......................................................................................24

2.6.2 Data Transfer between Initiator and Target(s)........................................................25

2.6.2.1 Progression of a SCSI Command through the Initiator..................................26

2.6.2.2 Progression of a SCSI Command through the Target.....................................28

2.7 Implementation of iSCSI........................................................................................29

2.7.1.1 iSCSI Host Adapter Implementations.............................................................29

2.7.1.1.1 Software iSCSI............................................................................................29

2.7.1.1.2 Software iSCSI with TCP Offload..............................................................30

2.7.1.1.3 Hardware iSCSI with TCP Offload.............................................................31

2.7.1.2 Software iSCSI Implementations....................................................................31

2.7.1.2.1 Open-iSCSI.................................................................................................31

2.7.1.2.1.1 Open-iscsi-0.4-434.................................................................................32

2.7.1.2.2 iSCSI Enterprise Target (IET).....................................................................32

2.7.1.2.2.1 iscsitarget-0.4.11....................................................................................32

2.7.2 sg3_utils and sg_dd.................................................................................................33

2.7.3 iSCSI and Data Security.........................................................................................34

3. IPsec........................................................................................................................35

3.1 IPsec Security Associations and Security Policies.................................................36

3.1.1 Security Policies and Security Policy Databases....................................................36

3.1.2 Security Associations and Security Association Databases....................................37

3.2 Transport and Tunnel Modes..................................................................................38

3.3 Authentication Header............................................................................................39

3.4 Encapsulating Security Payload..............................................................................41

3.4.1 ESP Header Calculation and Placement.................................................................41

3.4.2 ESP Trailer Calculation and Placement..................................................................42

3.4.3 ESP Authentication Field Calculation and Placement............................................43

3.5 Internet Key Exchange............................................................................................43

4. Efficient Asymmetric Secure iSCSI.......................................................................45

4.1 Review of Efficient Asymmetric Secure iSCSI (EASI).........................................45

4.1.1 EASI Enhancements to IPsec..................................................................................45

4.1.1.1 Sending side code on the initiator...................................................................47

4.1.1.2 Receiving side code on the target...................................................................50

4.1.1.3 Sending side code on the target......................................................................51

4.1.1.4 Receiving side code on the initiator................................................................52

4.2 Motivation for Enhancing EASI.............................................................................53

4.2.1 Goals for the Secure Asymmetric iSCSI System for Online Storage.....................53

5. Testing of EASI Implementation............................................................................55

5.1 Test Bed..................................................................................................................55

5.2 Limitations of using a File as a Target Storage Device..........................................56

5.3 Copying User Files using the sg_dd and cp utilities...............................................57

5.3.1 Writing/Reading Files to a Target Storage File using sg_dd..................................57

5.3.2 Writing/Reading Files to a Target Storage File using cp........................................60

5.3.3 Writing/Reading Files to a Mounted Target Storage File System..........................62

5.3.3.1 Writing/Reading Files to Mounted Target Storage without Encryption.........62

5.3.3.1.1 Writing/Reading with the sg_dd Utility......................................................63

5.3.3.1.2 Writing/Reading with the cp Utility............................................................63

5.3.3.2 Writing/Reading Files to/from Mounted Target Storage using EASI............64

5.4 Summary of the test results and their impact on enhancements.............................64

6. Proposed Enhancements.........................................................................................65

6.1 Writing/Reading Files of Arbitrary Size.................................................................65

6.2 Transferring a File to Two Targets.........................................................................69

6.2.1 Encryption of Payload.............................................................................................69

6.2.2 Native IPsec Keys...................................................................................................70

6.2.3 Steps to Transfer a File to Two Targets..................................................................70

6.3 User Interface..........................................................................................................70

6.3.1 Functionality of User Interface...............................................................................71

6.3.1.1 Initiator User Interface Tasks.........................................................................72

6.3.1.2 Target User Interface Tasks............................................................................72

7. Performance Results and Analysis..........................................................................75

7.1 Testing Regime.......................................................................................................75

7.2 Anticipated Results.................................................................................................76

7.2.1 Base Line Tests using the Original sg_dd Code.....................................................76

7.2.2 Tests using the sg_dd code modified for arbitrary sized files................................77

7.2.3 Testing using sg_dd code modified for two target storage devices........................78

7.3 Actual Results.........................................................................................................78

7.3.1 Analysis of the Results from the Base Line Tests..................................................85

7.3.2 Analysis of the Results from the Tests using the sg_dd Arbitrary Code................87

7.3.2.1 sg_dd Original vs sg_dd arbitrary...................................................................89

7.3.3 Analysis of the Results from Tests using the sg_dd Two Targets Code................92

7.3.3.1 sg_dd Original vs sg_dd Two Targets............................................................94

7.4 Summary of Results................................................................................................96

8. Additional Research................................................................................................97

8.1 New Virtual Machine Test Bed..............................................................................97

8.2 Network Protocol Analyzer Logs...........................................................................98

8.2.1 Discovery Process...................................................................................................98

8.2.2 Login Process..........................................................................................................99

8.2.3 Mounting the Target Storage Device File System on the Initiator.......................101

8.3 Writing to Mounted Target Storage using cp.......................................................103

8.4 Reading from Mounted Target Storage using cp..................................................106

8.5 Summary...............................................................................................................108

9. Disaster Recovery.................................................................................................109

9.1 Disaster Recovery Plan.........................................................................................109

9.1.1 Restart Solutions...................................................................................................110

9.2 Secure Asymmetric iSCSI for Disaster Recovery................................................111

10. Lessons Learnt and Observations.........................................................................113

11. Future Directions..................................................................................................115

12. Conclusions...........................................................................................................117

Bibliography.................................................................................................................................119

Appendices....................................................................................................................................122

A. Wireshark..............................................................................................................122

B. UltimateP2V and VMware Server Virtual Machine Creation..............................124

B.1 Creation of a virtual machine on the VMware Server..........................................125

B.2 Booting the Virtual Machine with the UlitimateP2V CD.....................................135

B.3 Cloning the Hard Disk from the Physical Machine..............................................137

C. Creating a Mounted Target Storage Device..........................................................140

C.1 Creation of an Additional Hard Disk....................................................................140

C.2 Configuring the Added Hard Disk as an iSCSI Target Device............................144

D. Typical run through for Transferring Arbitrary Sized Files.................................148

D.1 Starting the Target and Initiator Software............................................................148

D.2 Write User Data to the Target...............................................................................149

D.3 Reading User Data from the Target......................................................................149

E. Typical run through for Transferring to Two Targets..........................................150

E.1 Starting the Target and Initiator Software............................................................150

E.2 Write User Data to the Target(s)...........................................................................151

E.3 Reading User Data from the Target......................................................................151

F. Python and Tkinter................................................................................................152

G. User Interface Operating Instructions...................................................................153

G.1 Starting the Target Graphical User Interface........................................................153

G.2 Starting the Target Software.................................................................................154

G.3 Starting the Initiator Graphical User Interface......................................................156

G.4 Starting Initiator Software.....................................................................................157

G.5 Discovering Available Targets.............................................................................158

G.6 Logging in to Target Storage................................................................................159

G.7 Writing to Target Storage.....................................................................................160

G.8 Reading from Target Storage................................................................................161

G.9 Disconnecting from Target Storage......................................................................162

G.10 Stopping Initiator Software...................................................................................164

G.11 Stopping the Target Software...............................................................................164

G.12 Additional Functionality of the Initiator and Target GUI’s..................................165

G.12.1 Additional Target Functionality............................................................................165

G.12.2 Additional Initiator Functionality.........................................................................168

H. Open-iscsi-2.0-869.2.............................................................................................172

H.1 Installing the initiator software.............................................................................172

H.2 Running the iscsi initiator.....................................................................................173

H.2.1 Starting the intiator...............................................................................................173

H.2.2 Discovering Available Targets.............................................................................173

H.2.3 Login to Target.....................................................................................................173

H.2.4 To logout of the Target.........................................................................................174

H.2.5 Stopping the Initiator............................................................................................174

I. iscsitarget-0.4.16...................................................................................................175

I.1 Installing the target software.................................................................................175

I.2 Running the target.................................................................................................176

I.2.1 Starting the target..................................................................................................176

I.2.2 Stopping the Target...............................................................................................176

TABLES

Table 2-1: sg_dd Options.........................................................................................................34

Table 3-1: Descriptions of AH Header Fields..........................................................................40

Table 7-1: Testing Regime.......................................................................................................76

Table 7-2: Sizes of various files used during testing................................................................78

Table 7-3: Combined Write/Read Times for 1K and 750 byte files........................................79

Table 7-4: Combined Write/Read Times for 10K and 9966 byte files....................................80

Table 7-5: Combined Write/Read Times for 100K and 102126 byte files..............................81

Table 7-6: Combined Write/Read Times for 1MB and 1048302 byte files.............................82

Table 7-7: Combined Write/Read Times for 10MB and 10485486 byte files.........................83

Table 7-8: Combined Write/Read Times for 100MB and 104857326 byte files.....................84

Table 8-1: Packets for copying file to mounted storage disk.................................................105

FIGURES

Figure 2-1: SCSI Standards Architecture Model [2-9]...................................................................6

Figure 2-2: Example of a Basic SCSI Architecture.....................................................................7

Figure 2-3: Typical CDB for 10 byte Commands [2-11].................................................................8

Figure 2-4: Minimum SCSI I/O Operation................................................................................11

Figure 2-5: SCSI Data I/O Operation........................................................................................12

Figure 2-6: SCSI Subsystem in the Linux Kernel [2-13]...............................................................13

Figure 2-7: Three Layered Architecture of the SCSI Subsystem [2-14].......................................14

Figure 2-8: General Structure of an iSCSI PDU........................................................................19

Figure 2-9: Basic Header Segment Layout................................................................................19

Figure 2-10: Wireshark log for the Login Command for the Discovery Session................21

Figure 2-11: Login Response for Discovery Session..........................................................22

Figure 2-12: Request to SendTargets in Full Feature Phase of Discovery Session.............23

Figure 2-13: Response to SendTargets request...................................................................24

Figure 2-14: Login Command for Normal Session.............................................................25

Figure 2-15: iSCSI Protocol Layer Model [4 -2]....................................................................26

Figure 2-16: Data Encapsulation into Network Packets......................................................28

Figure 2-17: Options for iSCSI Adapter Implementation [2-22].............................................30

Figure 3-1: Example of Security Policy Database Entries........................................................37

Figure 3-2: Example of Security Association Database Entries................................................38

Figure 3-3: Packets for IPSec Tunnel and Transport Mode [3-5].................................................39

Figure 3-4: Format of AH Header.............................................................................................40

Figure 3-5: Encapsulating Security Payload Header Format.....................................................42

Figure 4-1: Efficient Asymmetric Secure iSCSI Scheme [1-11]...................................................46

Figure 4-2: Packet modification under proposed scheme [1-11]...................................................49

Figure 5-1: Schematic of Test Bed............................................................................................56

Figure 5-2: Error Message displayed when writing a User File from Initiator to Target without

specifying a ‘count’ value.......................................................................................59

Figure 5-3: Error Message displayed when writing a User File from Target to Initiator without

specifying a ‘count’ value.......................................................................................59

Figure 5-4: Output of file read back to the Initiator using the sg_dd utility..............................62

Figure 6-1: Result of using stat utility on target storage file.....................................................68

Figure 7-1: sg_dd Original No Encryption................................................................................86

Figure 7-2: sg_dd Original IPsec...............................................................................................86

Figure 7-3: sg_dd Original EASI...............................................................................................87

Figure 7-4: sg_dd Arbitrary No Encryption..............................................................................88

Figure 7-5: sg_dd Arbitrary IPsec.............................................................................................88

Figure 7-6: sg_dd Arbitrary EASI.............................................................................................89

Figure 7-7: Comparison of time values for the original and arbitrary sg_dd code without

encryption...............................................................................................................90

Figure 7-8: Comparison of time values for the original and arbitrary sg_dd code with IPsec. .91

Figure 7-9: Comparison of time values for the original and arbitrary sg_dd code with EASI..91

Figure 7-10: sg_dd Two Targets No Encryption.................................................................92

Figure 7-11: sg_dd Two Targets IPsec................................................................................93

Figure 7-12: sg_dd Two Targets EASI................................................................................93

Figure 7-13: Comparison of times values for the original and two target sg_dd codes with

no encryption..................................................................................................95

Figure 7-14: Comparison of times values for the original and two target sg_dd code with

IPsec................................................................................................................95

Figure 7-15: Comparison of times values for the original and two target sg_dd code with

EASI................................................................................................................96

Figure 8-1: Wireshark Log obtained during the Discovery Session..........................................99

Figure 8-2: Wireshark Log obtained during the Login Session...............................................100

Figure 8-3: Wireshark Log obtained during Mounting the Target Storage Device File System

on the Initiator.......................................................................................................103

Figure 8-4: Writing to mounted target storage using cp..........................................................104

Figure 8-5: Data field in SCSI payload contained within a Data-out PDU.............................105

Figure 8-6: Contents of TCP packet following the first iSCSI/SCSI ‘Read’..........................107

Figure 8-7: Reading from mounted target storage using cp....................................................108

Figure B-1: VMWare Server Console......................................................................................125

Figure B-2: Typical or Custom Virtual Machine Configuration..............................................126

Figure B-3: Selecting Guest Operating System........................................................................126

Figure B-4: Naming of the Virtual Machine............................................................................127

Figure B-5: Setting the Access Rights......................................................................................128

Figure B-6: Startup/Shutdown Options....................................................................................128

Figure B-7: Processor Configuration........................................................................................129

Figure B-8: Virtual Machine Memory.....................................................................................129

Figure B-9: Network Connection.............................................................................................130

Figure B-10: I/O Adapter Types........................................................................................131

Figure B-12: Virtual Disk...................................................................................................131

Figure B-13: Disk Type Selection......................................................................................132

Figure B-14: Disk Capacity................................................................................................132

Figure B-15: Disk File........................................................................................................133

Figure B-16: Virtual Machine Tab.....................................................................................134

Figure B-17: Editing the machine settings to boot from the CD........................................134

Figure B-18: Window for Network support.......................................................................135

Figure B-19: Network Configuration Profile.....................................................................136

Figure B-20: IP Address Configuration.............................................................................137

Figure B-21: Selecting Peer to Peer transfer via TCP/IP in Slave Mode...........................138

Figure B-22: GRUB Menu of Newly Cloned Virtual Machine.........................................139

Figure C-1: Graphical user interface for editing the virtual machine settings.........................141

Figure C-2: Hardware Wizard display.....................................................................................141

Figure C-3: Hardware addition selector...................................................................................142

Figure C-4: Select a Disk.........................................................................................................142

Figure C-5: Select a Disk Type................................................................................................143

Figure C-6: Specify disk capacity and allocation.....................................................................143

Figure C-7: Disk file name.......................................................................................................144

Figure G-1: Initial Window of Target Processing GUI............................................................154

Figure G-2: Start/Stop Target Tab of Target Processing GUI..................................................155

Figure G-3: Message indicating that the Target Software has been Started.............................155

Figure G-4: Initial Window of Initiator Processing GUI..........................................................156

Figure G-5: Start Initiator Tab of Initiator Processing GUI.....................................................157

Figure G-6: Message indicating that the Initiator Software has been Started..........................158

Figure G-7: Target Storage Discovery.....................................................................................159

Figure G-8: Login to Target Storage........................................................................................160

Figure G-9: Writing a File to Target Storage...........................................................................161

Figure G-10: Reading a File from Target Storage..............................................................163

Figure G-11: Logging Out from Target Storage................................................................163

Figure G-12: Stopping the Initiator Software.....................................................................164

Figure G-13: Stopping the Target Software.......................................................................165

Figure G-14: Checking the Status of the Target Software.................................................166

Figure G-15: Creation of a New Target File......................................................................167

Figure G-16: Configuration of the ietd.conf File...............................................................168

Figure G-17: Checking the Status of the Initiator Software...............................................169

Figure G-18: Generating Keys for use with IPsec..............................................................170

Figure G-19: Generating SAD and SPD Entries................................................................171

1

Chapter 1

1. Introduction

The following are the main objectives of this project.

Enhance the existing Efficient Asymmetric Secure iSCSI scheme to enable the transfer of

files of arbitrary size.

Improve the existing scheme to enable the transfer of files to two targets.

Develop and implement a user interface to simplify usage of the scheme.

1.1 Data Storage Explosion

The last few years has seen an explosion in data growth and with it the requirement for increased

data storage capabilities. The driving force for this rapid data growth has been the increased usage

of database applications and email for online business-to-business transactions, business-to-

consumer transactions, and the Radio Frequency Identification Systems (RFID), such as those

used by stores for tracking goods inventory [1-1].

1.2 Legal Implications for Secure Storage

In addition to the need for increased storage requirements, businesses are now faced with the need

to comply with government regulations related to data storage. The Health Insurance Portability

and Accountability Act (HIPAA) [1-2] of 1996, and the Sarbanes-Oxley Act (SOX) [1-3] of 2002

both have implications with respect to security, privacy, and accountability of stored data.

2

1.2.1 HIPAA

Title II of HIPAA, the Administrative Simplification (AS) provisions have implications for

Health Care providers in terms of the security and privacy of health data. In addition, the act has a

number of implications in terms of data storage. For example, data must be stored in a manner

that it can be accessed and disclosed within a period of thirty days. Consequently, data must be

backed up and there must be a Disaster Recovery Plan in place within the organization that

includes the recovery of data in the event of a disaster. If in a worst case scenario the disaster

resulted in total destruction, inclusion of a remote storage solution in the plan would enable the

data to be recovered. In addition, there should be physical controls in place to protect against

inappropriate access of the data. Also, the Information Systems storing patient information must

be protected from intrusion and unauthorized modification.

1.2.2 SOX

SOX was produced in response to a number of corporate and accounting scandals. The act is wide

ranging, however, the area of interest for Information Technology relates to the security,

accuracy, and reliability of the systems that manage and report the financial data. SOX, like

HIPAA, requires that data be readily available for disclosure and should be protected from

inappropriate access, intrusion, and unauthorized modifications.

1.3 Motivation for Secure Online Storage

The motivation for secure online storage is not limited to the legal implications associated with

HIPAA and SOX. Computing services are vital to an ever increasing number of businesses and

organizations. In many cases, loss of computer services will result in the business or organization

not being able to carry out their day to day activities. Hiles [1-4] has stated that with loss of

3

computer services, “some financial applications can ‘go critical’ within hours if not minutes” and

that loss of real time control systems can result in “immediate injury or loss of life”.

From the preceding discussion, it should be apparent that secure storage of data is essential, not

only from the legal standpoint, but also in terms of ethical and good business practice. Provisions

must be in place to recover data in the event of a data destruction catastrophe at the primary

storage location. One possible solution to address these needs is online data storage.

1.4 Internet Protocol (IP) Storage Options

Recent developments in data storage have focused on IP storage methods. These implementations

use Transmission Control Protocol/Internet Protocol (TCP/IP) as storage interconnect to transfer

block level data. The use of TCP/IP for transporting user data for storage has led to the

development of a number of protocols. These include iSCSI (internet Small Computer System

Interface) and the Fibre Channel [1-5, 1-6, 1-7, 1-8, 1-9] protocols FCIP (Fibre Channel over IP), iFCP

(internet Fibre Channel Protocol), all of which make use of the established IP.

IP has a number of advantages over other mechanisms. These include [1-10]:

reduced costs in terms of training and staffing through the use of familiar network

technology and management

increased reliability through the use of a proven transport infrastructure

provisions for remote data replication and disaster recovery as a result of long distance

scalability

lower total cost of ownership resulting from use of the Ethernet for storage

4

1.5 iSCSI

Of the three online storage options mentioned above, iSCSI has advantages which make it the

most suitable option for many enterprises. It uses TCP/IP to transport data and does not require

special hardware for its operation. Rather, SCSI commands are encapsulated in TCP/IP packets.

In order to carry out the work proposed for this project, it is necessary to gain an in-depth

understanding of the protocols and technologies which may be involved. These include SCSI,

iSCSI, Open-iscsi, iscsitarget and Internet Protocol Security (IPsec). They will be discussed in the

following chapters. In addition, it is also necessary to gain a detailed understanding of the

existing Efficient Asymmetric Secure iSCSI [1-11] (EASI) scheme. Consequently, a review of this

scheme is presented along with testing to identify factors which may affect the proposed

enhancements.

5

Chapter 2

2. SCSI and iSCSI

2.1 SCSI (Small Computer Systems Interface)

The SCSI protocol, which is an application layer storage protocol, was originally developed as a

technology for providing a standard device interface bus enabling host computer systems to

perform block data input/output (I/O) operations to a wide variety of peripheral devices [1-8, 2-2, 2-3, 2-

4, 2-5, 2-6, 2-7] .

The primary motivation for SCSI was to provide a way to logically address blocks and eliminate

the need to physically address data blocks in terms of cylinder, head, and sector. The advantage

of logical addressing is that it frees the host from having to know the exact physical organization

of a drive [2-1].

Since its initial conception, the SCSI protocol has undergone a number of developments from

SCSI-1 [2-7] through SCSI-2 [2-8] with the current protocol being SCSI-3. During this development

process, the protocol has expanded to be a collection of related standards organized into three

general categories. The categories are: commands, protocols, and interconnects. They are defined

by the SCSI-3 Architecture Model (SAM), Figure 2-1.

2.2 SCSI Architecture Model

The SCSI architecture is based upon a client/server model, with the host computer being the

client and the server being a resource such as a disk device, printer, scanner etc. In terms of

storage, the client is also known as the initiator since it is from the client that commands to write

CommandSets

TransportProtocols

PhysicalInterfaces

6

or read to/from the storage device are issued. The server or storage device is also known as the

target, it responds to the commands issued by the client. A basic SCSI architecture is shown in

Figure 2-2.

Figure 2-1: SCSI Standards Architecture Model [2-9]

7

Figure 2-2: Example of a Basic SCSI Architecture

2.3 SCSI Protocol

In order for successful transfer of data between the initiator and target, certain information about

the SCSI device must be known. Examples of such information are how the device may be

addressed, commanded to perform operations, and how to read or write data to/from the initiator.

This information is defined in the SCSI protocol.

2.3.1 Command Descriptor Blocks

The SCSI protocol uses a format known as a Protocol Data Unit (PDU) to allow sending and

receiving nodes to agree upon what is being communicated. The PDU for SCSI is known as a

Command Descriptor Block (CDB). If the initiator wishes to write to or read from a target, it

creates a CDB. The CDB contains information as to the type of command to be performed (write

or read) and information about where the data to be written or read can be located.

8

Not all SCSI commands are the same length and consequently the CDB’s do not have a

prescribed consistent length [2-2]. The length of the CDB can be between 6 and 16 bytes [2-1]. An

example of a 10 byte CDB is shown in Figure 2-3.

2.3.1.1 Command Descriptor Block Fields

As can be seen from Figure 2-3, the CDB is comprised of a number of fields, some are described

in detail below.

Operation Code

The operation code (opcode) identifies the operation being requested by the CDB and also how

long the CDB will be. For the purposes of this project, the main opcodes of interest are those for

read and write operations, since it is these that are used for transfer of user data. The read and

write opcodes for 10 byte CDBs are 28h and 2AH respectively.

BitByte

7 6 5 4 3 2 1 0

0 Operation Code1 Reserved (formerly LUN) Service Action 2 (MSB)

Logical Block Address 345 (LSB)6 Reserved7 (MSB) Transfer Length (if required)

Parameter List Length Allocation Length 8 (LSB)

9 ControlFigure 2-3: Typical CDB for 10 byte Commands [2-11]

9

Logical Block Address

Logical block address is used to identify the location of the data on the physical medium. The

logical block address on logical units or within a partition on SCSI device volumes begin with

block zero and are contiguous up to the last logical block on the unit or partition. Blocks, which

are measured in bytes, are the smallest unit of measurement on a device. A 10 byte CDB contains

a 32 bit logical block address field.

Transfer Length

The transfer length specified in the CDB indicates to the target the amount of data to be

transferred, which is usually the number of blocks. However, some commands transfer no data at

all. For this reason this field is marked ‘if required’ in Figure 2-3.

Parameter List Length

This field identifies the number of bytes sent from the Data-out buffer. It is typically used for

parameters that are sent to a device server, for example mode parameters, diagnostic parameter,

log parameters, etc. If the parameter length is zero no data is transferred.

Allocation Length

The allocation length field specifies the maximum number of bytes that an application client

wishes to transfer. If the value is zero, then no data will be transferred. This field is used to limit

the maximum amount of data returned to an application client. The data that may be returned is

sense data, mode data, log data, diagnostic data, etc.

Control

The control byte field is used for special operations such as command linking.

10

2.3.2 Logical Unit Numbers

The SCSI protocol defines how to address the various units to which the CDB is to be delivered.

Each SCSI device (target) can be subdivided into one or more logical units (LUs). A logical unit

is a virtual controller that handles SCSI communications on behalf of storage devices in the

target. Each logical unit has an address associated with it which is referred to as the logical unit

number. Each target must have at least one LUN. If only one LUN is present, it is designated as

LUN0 [2-2].

2.3.3 Phases of an I/O Operation

There are three main phases of an I/O operation; ‘Command’, ‘Data’, and ‘Status’. In the first

phase, ‘Command’, the initiator sends the required command and parameters to the target in a

CDB. In the second phase, ‘Data’, data is transferred in accordance with the command issued in

the CDB. The final phase, ‘Status’, provides confirmation that the command executed is received.

As a bare minimum, a SCSI operation consists of the initiator issuing a SCSI command with the

target returning a completion status, but no data is transferred. This type of I/O operation is

shown in Figure 2-4, and occurs when commands such as ‘Test Unit Ready’, ‘Start/Stop Unit’,

or ‘Rewind’ are issued.

SCSI Command

SCSI Status

Initiator Target

Interconnecting subsystem

11

Figure 2-4: Minimum SCSI I/O Operation

An example of a SCSI I/O operation in which data is transferred between the initiator and target

is shown in Figure 2-5. In this case, if data is being transferred (read) from the target to the

initiator, a Data-in PDU is utilized. While in the case of data transferred (written) from the

initiator to the target, a Data-out PDU is utilized. It should be noted that data can be transmitted

all at once or may take a number of data phases to complete the transfer. The types of commands

that involve data transfer are ‘read’, ‘write’, and ‘inquiry’.

SCSI Command

SCSI Status

Initiator Target

Interconnecting subsystem

‘read’ or ‘write’ Data

12

Figure 2-5: SCSI Data I/O Operation

2.4 SCSI Architecture in the Linux Kernel

Figure 2-6 [2-13] shows the location of the SCSI subsystem in the Linux kernel. As can be seen, the

kernel space is layered, the top layer being the ‘System Call Interface’. It is this top layer that

controls the routing of calls from the user space to the appropriate destination in the kernel. The

next layer is the ‘Virtual File System’. It is this layer that routes the requests to the correct file

system within the ‘File System’ layer below. The majority of the file systems, communicate via a

buffer cache which lies between the file system and block device drivers layers. As can be seen in

Figure 2-6, the SCSI subsystem is one such block device driver.

13

Figure 2-6: SCSI Subsystem in the Linux Kernel [2-13]

2.4.1 SCSI Subsystem

The SCSI subsystem is comprised of a three layered architecture as can be seen in Figure 2-7 [2-

14]. The ‘upper layer’ is the main entry point to the SCSI subsystem. It is comprised of drivers for

both block and character devices. The ‘mid layer’ is the unifying layer; it provides common

services for the upper and lower layers. The ‘lower layer’ contains the “actual drivers for the

physical interfaces that are applicable to SCSI” [2-13].

SDdisks

block device{sd_mod.o}

SRcdroms/dvdsblock device{st_mod.o}

STtapes

char device{st.o}

SGpass throughchar device

{sg.o}UpperLayer

MidLayerl

LowerLayer

SCSIUnifying Layer{scsi_mod.o}

scsi.[hc], hosts.[hc], constants.c

Host BusAdapterdrivers

(eg aic7xxx)

Pseudo drivers for non SCSI

buses(eg ide-scsi)

14

Figure 2-7: Three Layered Architecture of the SCSI Subsystem [2-14]

2.4.1.1 Upper Layer

As already stated, the upper layer is the main entry point into the SCSI subsystem. It accepts

requests from outside the SCSI subsystem and converts them into actual SCSI requests. These

requests are then passed to the mid layer. When processing of the request has been completed, a

status call is sent from the mid layer to the upper layer. The upper layer then passes the status to

the external layer from which the request originated [2-15].

As can be seen in Figure 2-7, there are four drivers in the upper layer: disk, tape, CDROM, and a

generic driver. For the purposes of the current project there are only two drivers of interest, the

disk and the generic drivers. As such, the following discussion is limited to these.

15

Disk Driver (sd)

There are two types of SCSI device that are accessible via the disk driver (sd); direct access

devices which are generally magnetic disks and have a SCSI peripheral code of 0, and optical

memory devices which have a SCSI peripheral code of 7. The SCSI disk driver is implemented in

./linux/drivers/scsi/sd.c. The function sd_init_command in this code processes the requests

entering the upper layer converting it into a SCSI read or write command.

Generic Driver (sg)

In comparison to the disk driver, the generic driver (sg) is much more versatile since all types of

devices are accessible via this driver [2-14]. An advantage of the sg driver is that it allows user

applications to send SCSI commands to devices, this is achieved by using commands in the

sg3_utils package.

2.4.1.2 Mid Layer

The mid layer is unifying layer, it defines not only the internal interfaces but also provides

common services to the upper and lower layer drivers. It provides queuing of SCSI commands

between the upper and lower levels. Additionally, it provides error and timeout handling.

2.4.1.3 Lower Layer

The last of the three layers of the SCSI subsystem is the lower layer. It is comprised of a

collection of SCSI low level drivers which are the specific drivers that interface with the physical

devices. Of the many low level drivers, the one of interest in this project is the iSCSI driver.

The iSCSI driver acts as an iSCSI protocol initiator to transport SCSI requests and responses over

an IP network between the client and target storage device. It combines with the TCP/IP stack of

16

the client, the network drivers and Network Controller Interfaces (NICs), thus providing the same

functions as a SCSI adapter driver with an HBA.

2.5 Limitations of SCSI

Although SCSI has been successfully used for many years, it has limited capabilities in terms of

the realization of storage networks due the SCSI bus. The length of the bus limits the distance

over which SCSI may operate (maximum of around 25 meters). In addition, the bus also has

limitations on the number of devices that may be connected to it. Despite these limitations, the

SCSI protocol is still of importance since it can be used with other protocols simply by replacing

the SCSI bus with a different interconnection type, for example fibre channel, IP networks etc.

2.6 iSCSI (internet SCSI)

The limitations of the SCSI bus, identified above, and the increased desire for IP storage led to

the development of a number of new protocols, one of which was iSCSI. iSCSI was developed as

an end-to-end protocol to enable transportation of storage I/O block data over IP networks [2-16, 2-17]

thus dispensing with the physical bus implementation as the transport mechanism. iSCSI works

by mapping SCSI functionality to the TCP/IP protocol. By utilizing; TCP flow control,

congestion control, segmentation mechanisms, IP addressing, and discovery mechanisms, iSCSI

facilitates remote backup, storage, and data mirroring [2-16, 2-18].

2.6.1 iSCSI Protocol

The iSCSI protocol standard [2-20] defines amongst other things, the way SCSI commands can be

carried over the TCP/IP protocol. It defines a naming scheme to provide both initiators and

targets with unique names and also how to establish connections between them. In addition, it

provides the methods by which initiators and targets can authenticate themselves to each other.

17

Hufferd [2-19] provides detailed explanations of all aspects of iSCSI. For completeness, brief

overviews of the main points of interest to this project are provided here.

2.6.1.1 Naming

Each initiator and target node is required to have a single name. This name is used as a part of all

sessions established between them. There are two possible formats for these node names; the

iSCSI qualified name (iqn) format and the enterprise unique identifier (eui) format.

The iSCSI qualified name is presented in a human readable form, an example is shown below:

iqn.1998-03.com.xyc.ajax.wonder.jump

It is comprised of four components. From left to right, in the example, they are the type

designator, iqn, a date (1998-03), a DNS (Domain Name Server) name assigned by an internet

naming authority, and finally additional unique identifiers. The DNS name and unique identifiers

are reversed in the iSCSI qualified name. In the example given above, the original DNS name

would have been ajax.xyc.com and the additional unique identifier would have been

jump.wonder.

Unlike an iqn name, an eui name is written in hexadecimal format. An example of a eui name

could be:

eui.acde48234567abcd

The eui name is constructed from the identity formed using the IEEE EUI format, EUI-64. Every

EUI-64 identity is unique. It is formed by appending the combination of a company ID value and

a value chosen by the company after eui. The combination of these values result in 16

hexadecimal digits (64 bits). The most significant 24 bits are the company ID. This value is

18

assigned to the company by the IEEE Registration Authority. The least significant 40 bits are

chosen by the company. In the example given above, acde48 is the IEEE assigned company ID

and 234567abcd is the extension chosen by the company.

2.6.1.2 Establishing Connections between Initiator and Target(s)

Data is transferred between an initiator and target(s) via an iSCSI session. An iSCSI session is a

physical or logical link which carries TCP/IP protocols and iSCSI PDUs, between an initiator and

target. The PDUs in turn carry SCSI commands and data in the form of SCSI CDBs. There are

two types of iSCSI session; discovery and normal. Before going into specific details of session

establishment and data transfer it is first necessary to understand the iSCSI PDU which is used in

all communications between the initiator and target.

2.6.1.2.1 iSCSI Protocol Data Units

The iSCSI PDU is effectively the equivalent of the SCSI CDB. It is used to encapsulate the SCSI

CDB and any associated data. The general format of a PDU is shown in Figure 2-8. It is

comprised of a number of segments, although in many cases only the basic header segment

(BHS) is used.

The BHS segment layout is shown in greater detail in Figure 2-9; it has a fixed length of 48

bytes. The ‘Opcode’, ‘TotalAHSLength’, and ‘DataSegmentLength’ fields in the BHS are

mandatory in all iSCSI PDUs. Where values are given for the Initiator Task Tag, Logical Unit

Number and Flag fields, they always appear in the same location on the header [2-17].

The Additional Header Segment (AHS) begins with 4-byte Type-Length-Value (TLV)

information. This specifies the length of the actual AHS following the TLV. The Header and Data

19

digests are optional values. Their purpose is to protect the integrity the authenticity of the header

and data respectively. The digest types are negotiated during the login phase.

Byte 0 1 2 3Bit 1 2 3 4 5 6 7 1 2 3 4 5 6 7 1 2 3 4 5 6 7 1 2 3 4 5 6 7

00 --------Basic Header Segment (BHS)

-------- 4748 --------

Additional Header Segment (AHS) (Optional)-------- nnnn + 1 --------

More AHS's (Optional)-------- mmmm + 1 --------

Header Digest (Optional)-------- mm + 4mm + 5 --------

Data Segment (Optional)-------- pppp + 1 --------

Data Digest (Optional)-------- pp + 4

Figure 2-8: General Structure of an iSCSI PDU

Byte 0 1 2 3Bit 1 2 3 4 5 6 7 1 2 3 4 5 6 7 1 2 3 4 5 6 7 1 2 3 4 5 6 7

0 to 3 .| I | Opcode Opcode-Specific Fields

4 to 7Total AHS

LengthData Segment Length

8 t 15 Logical Unit Number (LUN) or Opcode-Specific Fields16 to 19 Initiator Task Tag (ITT) or Opcode-Specific Fields20 to 31 Opcode-Specific Fields32 to 47 Command Descriptor Block (CDB) or Opcode-Specific Fields

Figure 2-9: Basic Header Segment Layout

2.6.1.2.2 Sessions

As stated previously, there are two types of iSCSI session, these are discovery and normal. In

both cases, the establishment of the session normally occurs in three phases, security negotiation

phase, login operational negotiation phase, and full-feature phase.

20

The security negotiation phase is optional. In order to use it, the Current Stage (CSG) field must

be set for security negotiation in the initial login PDU. Since the security negotiation phase is not

used in this project it will not be discussed further.

When in the login operational negotiation phase, requests and responses are exchanged between

the initiator and target. It is only when the target sends its final response that the full feature phase

be entered - assuming that the final response accepted the login. SCSI commands (CDBs) can

only be sent or received in the iSCSI PDUs once the full feature phase has been entered. The

information in the requests and responses varies dependent upon the type of session that is

established.

2.6.1.2.2.1 Discovery Session

The goal of the discovery session is to discover the names and addresses of the target nodes to

which the initiator can connect.

When attempting to login to a discovery session, there are several pieces of information that the

initiator must supply. Firstly, the session to be established must be identified as a discovery

session. This is achieved by declaring key=value and SessionType=Discovery pairs, in the first

login PDU [2-2]. The name of the initiator must also be included in the login request so that the

target entity can identify it, and apply security filters to responses that are sent [2-21]. Finally, the IP

address and TCP port must be specified for the unidentified iSCSI target entity that is listening.

All of this information can be seen in the lower part of Figure 2-10 which shows the Wireshark

network protocol analyzer log of the ‘Login Command’ for discovery. The installation of

Wireshark is discussed in Appendix A.

21

Figure 2-10: Wireshark log for the Login Command for the Discovery Session

Once a successful response is issued by the target, the full feature phase of the discovery session

is entered. An example of a successful login response can be seen in the Wireshark log in Figure

2-11. During this phase the only iSCSI command that can be issued is the ‘SendTargets’

command shown in the log in Figure 2-12. On receipt of this command, the target responds by

sending a ‘SendTargets’ response. This response contains the iSCSI node names of the targets

accessible to the initiator via the IP address and TCP port where the ‘SendTargets’ command was

received. This log is shown in Figure 2-13.

22

Figure 2-11: Login Response for Discovery Session

23

Figure 2-12: Request to SendTargets in Full Feature Phase of Discovery Session

24

Figure 2-13: Response to SendTargets request

2.6.1.2.2.2 Normal Session

The purpose of the normal session is to allow data to be transferred from the initiator to the target

and vice versa. When attempting to login to a normal session, the initiator must specify the names

of the target node and initiator. This information is included in text format in the ‘DataSegment’

field of the PDU; it can be seen in the log shown in Figure 2-14.

25

Figure 2-14: Login Command for Normal Session

2.6.2 Data Transfer between Initiator and Target(s)

Once the full feature phase of the normal session has been established, data can be exchanged

between the initiator and the target(s), and vice versa, using SCSI commands contained within

CDBs sent or received in the iSCSI PDUs.

26

Consider that an application on the initiator wishes to perform storage I/O to/from the target. This

can be broken down into two stages: progression of the SCSI command through the initiator, and

progression of the SCSI command through the target. Details of both are provided below.

To assist in understanding the progression of the commands, the iSCSI protocol layering model is

shown in Figure 2-15 [4-2].

Figure 2-15: iSCSI Protocol Layer Model [4 -2]

2.6.2.1 Progression of a SCSI Command through the Initiator

1. The user or kernel application on the initiator issues a system call for an I/O

operation. This system call is then sent to the SCSI layer (SCSI class driver).

Initiator Target

27

2. On receipt at the SCSI layer, the system call is converted into a SCSI command

such as ‘read’ or ‘write’, and a CDB containing this information is constructed.

The SCSI CDB is then passed to the iSCSI initiator protocol layer.

3. On arrival at the iSCSI protocol layer, the SCSI CDB and any SCSI data are

encapsulated into a PDU. It is then forwarded to the TCP/IP layer.

4. In the TCP layer, the iSCSI PDU is divided into segments, and a TCP header is

added. Next the IP layer encapsulates the TCP segment by adding an IP header

before the TCP header.

5. The IP datagram is then passed to the Ethernet Data Link Layer where it is framed

with Ethernet headers and trailers. The resulting datagram is then placed on the

network.

In the case where native IPsec is utilized, an additional step is required. Immediately after step 4,

described above, the IP packet is passed to the IPsec layer where the TCP payload, headers and

trailers are encrypted and authenticated before being passed to the Ethernet Data Link Layer.

Figure 2-16 shows the iSCSI/TCP/IP/Ethernet transport encapsulation that is placed on the

network in the last step above, when IPsec is not used.

TCP Segment

IP Datagram

Ethernet Frame

EthernetHeader

IP TCP iSCSI SCSI Commands

Optional Data

28

Figure 2-16: Data Encapsulation into Network Packets

2.6.2.2 Progression of a SCSI Command through the Target

1. On receipt at the target, the Ethernet frame is stripped off at the Data Link Layer and the

IP datagram is passed up to the TCP/IP layer.

2. The IP and TCP layers each check and strip off their respective headers leaving the iSCSI

PDU which is passed up to the iSCSI layer.

3. At the iSCSI layer, the SCSI CDB is extracted from the iSCSI PDU and passed along

with its related parameters and data to the SCSI layer.

4. Finally, the SCSI layer sends the SCSI ‘write’ request and data to the LU.

If native IPsec has been used on the initiator, then on receipt at the target the Ethernet Frame is

stripped off at the Data Link Layer as described above. However, the packet is sent to the IPsec

layer where re-authentication will take place. The IPsec headers and trailers are removed before

the packet proceeds to the second step described above.

29

2.7 Implementation of iSCSI

The discussion so far has focused on the theory of iSCSI. It is now necessary to examine the

physical application of iSCSI.

2.7.1.1 iSCSI Host Adapter Implementations

An iSCSI host adapter is used to connect the initiator to the target device on which the data (files)

are to be stored. It is analogous to the SCSI host bus adapter used for direct attached SCSI.

The iSCSI host adapter can be implemented in a number of ways including software only

implementations, software with embedded TCP off-load engines (TOE), and combined TCP/IP

offload, and iSCSI in silicon. Figure 2-17 shows these options. The implementation chosen

depends upon such factors as price, sensitivity, bandwidth requirements, and host (initiator) CPU

overhead requirements [2-22]. In this project and the Efficient Asymmetric Secure iSCSI [1-11]

(EASI) scheme which it aims to enhance, a software only implementation was utilized. However

for completeness, brief discussions of all of the implementations are provided.

2.7.1.1.1 Software iSCSI

Software iSCSI utilizes software applications to enable the initiator and target to communicate

with the iSCSI protocol. The iSCSI drivers can run on off-the-shelf Ethernet NIC or interface. In

this way, block I/O over IP networks can be performed by a server or workstation running iSCSI

in software using an Ethernet adapter. As a result, software iSCSI provides a significant

advantage in terms of cost. However, it has disadvantages in terms of performance and CPU

overhead. In this type of implementation, the CPU must not only carry out the TCP processing

but must also process the iSCSI protocol that is carried by TCP/IP [2-22].

30

Figure 2-17: Options for iSCSI Adapter Implementation [2-22]

2.7.1.1.2 Software iSCSI with TCP Offload

In certain situations, the performance and CPU overhead issues that can arise with software iSCSI

may be unacceptable. In this case, TCP offload can provide a better option. A TOE is basically an

integrated component which assembles TCP packets before they are sent out and disassembles

the TCP packets when they are received. By utilizing TOEs, significant processing overhead that

would otherwise be incurred by the host CPU is off-loaded to a host network interface card. Thus,

rather than having to carry out both the TCP and iSCSI processing, the CPU only has to carry out

the iSCSI processing [2-22].

31

2.7.1.1.3 Hardware iSCSI with TCP Offload

This type of implementation provides high speed iSCSI transport with minimal CPU overhead.

This is achieved by offloading processing of the iSCSI in the TCP protocol to a specialized card.

It does however have the disadvantage of a significant cost burden due to the requirement of a

specialized interface adapter card [2-22].

2.7.1.2 Software iSCSI Implementations

During this project, software iSCSI was utilized. A variety of different software implementations

are available, however, only the initiator and target implementations used in this project are

discussed.

2.7.1.2.1 Open-iSCSI

Open-iSCSI is a “high performance, transport independent, multi-platform implementation of

RFC3720 iSCSI” [2-20] for initiators. The implementation is partitioned into two sections: user and

kernel. The kernel portion is comprised of three loadable modules: scsi_transport_iscsi.ko,

libiscsi.ko and iscsi_tcp.ko. It is through these modules that the kernel portion implements the

iSCSI data path (iSCSI ‘read’ and iSCSI ‘write’). The iSCSI daemon (iscsid) is part of user

space. It implements the control path of the iSCSI protocol. In addition, it can also be used to

implement certain management facilities.

Like the iSCSI daemon, the iSCSI configuration utility (iscsiadm) is part of the user space. It is

used to manage the persistent database by allowing the user to perform operations, via the

command line, on the iSCSI nodes, sessions, connections, and discovery records which are stored

in the database.

32

2.7.1.2.1.1 Open-iscsi-0.4-434

The Open-iSCSI project is under continual development and as such, numerous versions of the

software are available. At the time of writing, the latest semi-stable release is open-iscsi-2.0-

869.2. This version requires a Linux kernel version of 2.6.16 or greater. However, the EASI [1-11]

scheme utilized an earlier version, specifically open-iscsi-0.4-434. It is this version that was used

predominantly in this project. That being said, the current version (open-iscsi-2.0-869.2) was

utilized with Linux kernel 2.6.23.17 for additional research carried out during this project.

2.7.1.2.2 iSCSI Enterprise Target (IET)

iSCSI Enterprise Target is open source software, it enables the building of a target iSCSI storage

system on Linux. IET can provide regular files, block devices, and virtual block devices to the

initiator as storage media. It is comprised of kernel modules, a daemon (ietd), and control tool

(ietadm). The latter is used for managing the IET software dynamically.

2.7.1.2.2.1 iscsitarget-0.4.11

The iSCSI target software, like the initiator software, is under constant development. At the time

of writing, the latest stable version is 0.4.16. This version requires a Linux kernel version of

2.6.14 or greater. The version used in the EASI [1-11] scheme was 0.4.11 and it is this version that

is used predominantly in this project. However, the 0.4.16 version was utilized with Linux kernel

2.6.23.17 for additional research carried out during this project. Details of the installation and

configuration of open-iscsi version 0.4-434 and iscsitarget version 0.4.11 are available in the

report on EASI [1-11] and are not reproduced here.

33

2.7.2 sg3_utils and sg_dd

The EASI [1-11] scheme utilized the sg_dd utility from the sg3_utils package for reading and

writing between the initiator and target. In order to develop the enhancements proposed for this

project, it was necessary to gain an understanding of not only the sg_dd utility but also the

sg3_utils package.

The sg3_utils package contains low level utilities for devices using the SCSI command sets; it

utilizes the sg interface described earlier. The utilities can be categorized as; variants of the Unix

dd command, scanning and mapping utilities and, SCSI support and timing and testing. Of the

multiple utilities in the package, only one is of specific interest to this project - the sg_dd utility

which is described below.

The sg_dd utility [2-23] from the sg3_utils package [2-24] is a specialized variant of the standard Unix

dd command for copying files. It is specialized for block oriented devices that use the SCSI

command set in the Linux operating system [2-23]. Although the basic syntax of sg_dd is the same

as that of the dd command, additional syntax is supported. The syntax as used in this project is

presented below. Full syntax information can be found in the sg3_utils README files [4-8].

A typical example of the sg_dd command syntax used in this project is:

sg_dd if=test.txt of=/dev/sdb bs=1024 bpt=1 odir=1 count=1024 skip=0 seek=0

The above command copies 1024 x 1024 byte blocks from the file test.txt to the device associated

with /dev/sdb. Descriptions of the various options are given in the Table 2-1.

34

sg_dd Option Default Description

if = IFILE stdin File (or device) to read from.

of = OFILE stdout File (or device) to write to

bs = BS 512 Number of bytes in each block

bpt = BPT 128 or 32BPT is the blocks per transfer.The default is 128 with BS < 2048 bytes otherwise the default is 32

odir = 0|1 0 O_DIRECT flag on open() when set

count = COUNTThe blocks in

The number of blocks to copy. the IFILE

skip = SKIP 0The block number (origin 0) in the IFILE to commence reading

seek = SEEK 0The block number (origin 0) in the IFILE to commence writing.

Table 2-1: sg_dd Options

2.7.3 iSCSI and Data Security

iSCSI itself does not provide security to data, however, it was developed to allow the

implementation of a variety of security measures. Since it utilizes IP for transport, IPsec would

seem to be an obvious solution for providing security, especially as it requires no special

negotiations between iSCSI end devices. Therefore, IPsec is described in detail in the next

chapter.

35

Chapter 3

3. IPsec

In its standard form, IP does not provide any security during the transmission of data. However,

security can be implemented using the IPsec protocol, which is an extension of the IP protocol.

It can provide security (authentication, integrity, and confidentiality) to IP and the upper layer

OSI (Open Systems Interconnection) protocols [3-1] during transmission.

IPsec is comprised of three sub-protocols [3-1]; Authentication Header (AH), Encapsulating

Security Payload (ESP), and the Internet Key Exchange (IKE). The AH and ESP protocols can be

used separately or in combination [3-2, 3-3]. In addition, two possible modes exist for exchanging the

secured data; these are tunnel and transport modes.

In the EASI [1-11] implementation, ESP and IKE were utilized with the transport mode selected.

The native IPsec implementations of ESP and IKE were utilized to transmit data securely

between the initiator and target. However, to enable the data to be stored encrypted on the target,

modifications were made to the ESP code.

Since the goals of this project are to provide enhancements to the EASI implementation, only

IKE and ESP in transport mode will be discussed in any great detail. However, for completeness,

a brief overview will be provided of AH and tunnel mode.

36

3.1 IPsec Security Associations and Security Policies

IPsec Security Associations (SAs), Security Policies (SPs) and their respective databases play an

important role in the application of the IPsec protocol. They are used to determine how datagrams

entering or leaving IPsec capable devices are handled.

3.1.1 Security Policies and Security Policy Databases

SPs are rules programmed into IPsec which are used to identify which network traffic should be

protected. The parameters defined by the SP are: source and destination addresses of the packets

to be protected, the protocol and port number requiring protection, and the SAs used to protect

the packets. These parameters are stored in a Security Policy Database (SPD). A typical example

of an SPD entry used in this project is shown in Figure 3-1. The command to add an SP is as

follows:

spdadd 192.168.2.69 192.168.2.64 any –P in ipsec esp/transport//require;

When a packet is received by a device, the device checks the SPD to determine how it should be

processed. It may be that the packet does not need to be processed by IPsec, alternatively it may

require to be processed with AH and/or ESP, in which case reference must be made to the

associated SA.

37

Figure 3-1: Example of Security Policy Database Entries

3.1.2 Security Associations and Security Association Databases

The SA specifies how the packet should be protected by IPsec by describing the relationship

between two or more devices in terms of the security services that the devices will use to

communicate. An SA consists of the following fields: source and destination addresses of the

devices protecting the packets, the IPsec protocol to be used (ESP or AH), the algorithm and

secret key to be used by the protocol, and a Security Parameter Index (SPI). The SPI is used to

identify the particular SA. Additional fields that may be specified include the IPsec mode

(transport or tunnel), the lifetime of the SA, and the size of the sliding window if the packet is to

be protected against replay attacks. All of these fields are stored in the device’s Security

Association Database (SAD). The command to add a SA is as follows:

add 192.168.2.64 192.168.2.69 esp 0x201

-E aes-cbc 0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831

-A hmac-md5 "authentication!!" ;

Although SAs define the source and destination addresses of the devices, they are unidirectional

and can only protect one direction of traffic [3-4]. Therefore, in order to protect both directions in

38

two-way communications, there must be an SA for each direction. An example of an SAD used

on the initiator in this project is shown in Figure 3-2.

Figure 3-2: Example of Security Association Database Entries

3.2 Transport and Tunnel Modes

It has already been stated that IPsec can be used to protect traffic in one of two modes – transport

or tunnel. The IPsec transport mode is used to protect transmitted data end-to-end between hosts

[5-3]. Only the data (payload) contained in the IP packet is encrypted and/or authenticated. This is

achieved by processing the packet with the relevant IPsec protocol and inserting the IPsec header

between the IP header and the upper layer protocol header [3-4].

In comparison, in tunnel mode the entire IP packet is protected during transportation between

hosts. This is achieved by completely encapsulating the original IP packet with a new packet [3-1, 3-

4]. When the packet is processed by the relevant IPsec protocol, the IPsec header is inserted in

front of the original IP header and a new IP header is added in front of the IPsec header. The

IP AH ESP TCP Data

IP TCP

DataDataDataAH ESP IP TCP

Data

IP

Transport Mode

Original Packet

TunnelMode

New IPHeader

39

packets created for transport and tunnel modes using the IPsec AH protocol are shown in Figure

3-3.

Figure 3-3: Packets for IPSec Tunnel and Transport Mode [3-5]

3.3 Authentication Header

The AH protocol provides authentication and data integrity but not confidentiality. Since this

project focuses on encryption, AH will be described in general terms only. Its use with transport

and tunnel modes will not be discussed.

Authentication of the packet can be provided to all or part of the contents of the packet [3-1]

dependent upon the mode in which AH is used, tunnel or transport. In order to provide

authentication, IPsec computes a cryptographic hash-based message authentication code

(HMAC). The HMAC is created using a hash algorithm such as MD5 or SHA, with the hash

Original IPHeader

40

calculated based on a secret key and contents of the IP packet [3-4]. The HMAC is then stored with

other data in the IPsec AH header. The general format of the AH header is shown in Figure 3-4.

0 1 2 3

0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7

Next Header AH Length Reserved

Security Parameters Index (SPI)

Sequence Number (Replay Defense)

Hash Message Authentication Code (variable)Figure 3-4: Format of AH Header

It has already been stated that the HMAC is stored in the AH. However, for completeness, the

other fields in the AH are described in Table 3-1.

AH Header Field Description

Next Header Protocol type of the following payload

AH Length Total length of AH header in 32-bit words

Reserved 2 bytes reserved for future use

Security Parameter Index Security association to be used when packet is

decapsulated

Sequence Number (Replay

Defense)

Used to protect the packet against replay attacks

Table 3-1: Descriptions of AH Header Fields

41

3.4 Encapsulating Security Payload

The ESP protocol can provide not only confidentiality of a packet, but can also optionally provide

authentication. Authentication with ESP is achieved in a similar manner to that of AH. First, the

packet is encrypted and then the HMAC is computed. Unlike AH, the authentication does not

cover the entire IP packet, rather it covers the ESP header and encrypted payload [3-3].

In simplistic terms, ESP provides packet confidentiality by encrypting the IP packet. The data

contained within the packet is transformed into an encrypted form by combining it with a key

using an encryption algorithm. The encrypted packet is then repackaged using a special format

and transmitted to its destination, where it is decrypted with the same algorithm and key. The

format of the ESP header is shown in Figure 3-5.

There are three basic steps performed by ESP, they are:

Header calculation and placement

Trailer calculation and placement

ESP authentication field calculation and placement

3.4.1 ESP Header Calculation and Placement

The ESP header is comprised of two fields, the SPI and the Sequence Number. These two fields

also appear in AH. The SPI is a 32 bit number used to uniquely identify a particular SA for a

connected device. The Sequence Number is effectively a counter which is initialized when an SA

is formed between two devices. It is used to provide protection against replay attacks, since its

value is incremented for each packet sent using the SA.

The placement of the ESP header depends upon the mode in which ESP is being used; transport

or tunnel. When ESP is operating in transport mode, the header appears after the original header,

42

while in tunnel mode, the ESP header is placed after the IP header of the new datagram thus

encapsulating the original.

0 1 2 3

0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7

Security Parameters Index (SPI)

Sequence Number

Initialization Vector

Payload * (variable)

Padding (0-255 bytes)

Pad Length Next Header

Hash Message Authentication Code (variable)Figure 3-5: Encapsulating Security Payload Header Format

3.4.2 ESP Trailer Calculation and Placement

The ESP trailer is appended to the data to be encrypted. It is comprised of three fields; Padding,

Pad Length, and Next Header. The main purpose of the trailer is to provide any padding required

to align the data for encryption. The actual padding is taken care of in the Padding field, while the

Pad Length field specifies the number of bytes in the Padding field. The Next Header field

contains the protocol number of the next header in the datagram. This protocol number specifies

which header should be examined next; this could be the destination options extension header, the

TCP/UDP header, or the IP header. The header to which it refers depends on which mode is being

43

used. When operating using ESP in transport mode the Next Header references the TCP/UDP

header, while when using ESP in tunnel mode the Next Header references the IP header.

Once the trailer is in place, and if ESP is operating in transport mode, the payload (TCP/UDP

message) and trailer are encrypted. If operating in tunnel mode, the encapsulated IP datagram and

trailer are encrypted.

3.4.3 ESP Authentication Field Calculation and Placement

The authentication field is optional and is used when the ESP authentication feature is used. The

field contains an Integrity Check Value (ICV). It is computed over the entire ESP datagram.

3.5 Internet Key Exchange

In order to work, IPsec relies on the fact that the devices exchanging information share a common

piece of information - a secret that is used by the security protocols. This highlights one of the

problems associated with secure communications – how to securely exchange this secret piece of

information. The IKE protocol of IPsec addresses this issue. IKE is used to exchange SA

proposals and negotiates these associations based on the Internet Security Association and Key

Management (ISAKMP) protocol.

The IKE protocol functions in two phases. During the first phase, agreement is made between the

two devices as to how they will communicate future information in a secure manner. The

authentication of the two devices is usually based on pre-shared keys (PSK), RSA keys, and

x.509 certificates [3-4]. The negotiation between the two devices results in the creation of a SA for

ISAKMP. This SA is then used to securely exchange information in the second phase [3-1]. The

attributes negotiated in this phase include; the encryption algorithm to be used, a hash algorithm,

44

an authentication method, and a Diffie Hellman group. During the second phase, the IPsec SAs

are negotiated and setup using the ISAKMP SAs.

45

Chapter 4

4. Efficient Asymmetric Secure iSCSI

This project focuses on the use of iSCSI as a secure online storage solution. It builds on the

Efficient Asymmetric Secure iSCSI (EASI) [1-11] scheme developed and implemented by Mr.

Andukuri. Therefore, it is necessary to review his work in order to develop enhancements for the

current project.

4.1 Review of Efficient Asymmetric Secure iSCSI (EASI)

As has been stated earlier, iSCSI does not provide security to user data when it is transmitted.

However, it does allow for the provision of security of the data in transit through the use of

standard IPsec. That being said, neither iSCSI nor IPsec provide security of the data once it is

saved on the storage device. Thus, the main goal in the development of the EASI scheme

developed and implemented by Mr. Andukuri was to address this limitation. Since IPsec can

provide security for data in transit, he chose to enhance standard IPsec to additionally provide

security of stored data.

4.1.1 EASI Enhancements to IPsec

In his EASI [1-11] scheme, Mr. Andukuri proposed that security of stored data could be achieved

via a dual-key cryptographic enhancement to IPSec. In brief, the user data to be stored would be

encrypted at the IPsec layer using a custom key. The TCP packet then used to transmit the user

data would then be encrypted using a different key. On receipt at the storage device, only the

encryption on the TCP packet would be removed. An overview of the EASI implementation is

shown in Figure 4-1.

Only headers Encrypted here

scsi

iscsi

tcp

ip

ipsec

Encryptedpayload

Encryptedpayload

Target

To iscsitarget

To iscsiinitiator

Payload decrypted herewithCustom key

PayloadEncrypted withCustom key

scsi

iscsi

tcp

ip

ipsec

Unencryptedpayload

Initiator

Only headers Decrypted here

46

Figure 4-1: Efficient Asymmetric Secure iSCSI Scheme [1-11]

The EASI enhancements to IPSec can be considered to be comprised of four sections:

1. Sending side code for the initiator.

2. Receiving side code for the target.

3. Sending side code for the target.

4. Receiving side code for the initiator.

47

The iSCSI protocol does not have a protocol ID associated with it. However, an iSCSI target uses

a default port of 3260. Consequently, since TCP headers contain fields for both source and

destination ports, the information contained in these field can be used to identify iSCSI traffic.

4.1.1.1 Sending side code on the initiator

When writing user data (payload) from the initiator to the target, the steps carried out in the

sending side of the code for the initiator are as follows:

1. Identify all iSCSI traffic.

This is achieved by examining the destination port field in the TCP header. If the

destination port is 3260, then iSCSI traffic is being sent to the target.

2. Determine if the iSCSI traffic contains user data.

User data is carried to the target in a Data-out PDU. Therefore, it is possible to determine

if there is likely to be user data by examining the ‘opcode’ in the iSCSI header. If the

‘opcode’ value is ,5 then there is a Data-out PDU which may contain user data. In order

to confirm whether or not user data is present, the length of the packet must be

determined. If the length of the packet exceeds the length of the headers plus the TCP

header offset from IP, then the packet contains user data.

3. Encrypt packets not containing user data.

iSCSI packets not containing user data are routed through native IPsec. The TCP and

iSCSI header combination is treated as a unit. The unit is checked to see if it is the correct

size for the encryption algorithm. If necessary, padding is appended at the end of the

TCP/iSCSI unit. The padding is computed based on the algorithm block size. The

TCP/iSCSI unit is then encrypted using IPsec keys generated by IKE.

48

4. Encrypt packets containing user data.

The encryption of packets containing user data is split into four sections.

a. Verifying Headers.

It is first necessary to check to see if the combination of the TCP header and iSCSI

header is an integer multiple of block size. This is done because the encryption algorithm

requires that each packet is a certain bock size. Ordinarily the block size is achieved by

padding the TCP packet by adding a trailer containing the padding at the end of the

packet. However, the presence of the user data (payload) following the TCP and iSCSI

headers precludes padding being added at the end of the packet. In addition, the BHS of

the iSCSI header is a fixed length of 48 bytes. Therefore, there is no room for padding.

Consequently, any padding required has to be added to the end of the TCP header such

that it is between the TCP and iSCSI headers. In order to achieve this, the TCP header

has to be moved to create a gap between it and the iSCSI header into which padding can

be inserted. The gap created is the same size (in bytes) as the padding required. This

packet modification is shown in Figure 4-2.

b. Encrypt the user data.

The next stage of the process is to isolate the user data and encrypt it using the custom

key. This key is generated independently of the IKE mechanism and is not shared with

the target. It should be noted that one of the limitations of the iSCSI scheme is that the

user data must be block size, or an integer multiple of block size. In the EASI scheme the

block size is 1024 bytes.

49

c. Re-compute the TCP checksum and update the TCP header with this value.

Once the user data has been encrypted, the TCP checksum is recomputed to reflect the

new length of the packet produced by the addition of padding. The TCP header is then

updated with the value.

d. Encrypt the TCP and iSCSI headers.

Finally, the TCP and iSCSI headers are encrypted using IPsec keys generated by IKE.

Figure 4-2: Packet modification under proposed scheme [1-11]

50

4.1.1.2 Receiving side code on the target

When writing user data from the initiator to the target, the steps carried out in the receiving side

of the code for the target are as follows:

1. Identify iSCSI traffic.

The packets arrive at the IPsec layer of the target in an encrypted form. Therefore, to

identify iSCSI traffic the packet must be decrypted using the IPsec keys generated by

IKE, to reveal at least the first 32 bytes of the TCP header. This allows the source and

destination port fields to be examined. If the destination port field value is 3260, then

there is iSCSI traffic coming from the initiator to the target.


The next step is to decrypt the packet to the end of the iSCSI header. This is achiveved

using the IPsec keys generated by IKE. If the ‘opcode’ in the iSCSI header is 5, then

there is a Data-out PDU which may contain user data. Confirmation that user data is in

fact present is achieved by checking the length.

3. Decrypt packets not containing user data.

If the packet does not contain user data, then the remainder of the packet is decrypted

using the IPsec keys generated by IKE.

4. Process packets containing user data.

If the packet contains user data, it should not be decrypted since it is to be stored on the

target storage in an encrypted form. However, the ESP header must be removed and the

‘next’ header must be set to TCP. The packet is then passed to the upper layers for

processing and finally stored in an encrypted form.

51

4.1.1.3 Sending side code on the target

When reading user data from the target to the initiator, the steps carried out in the sending side of

the code for the target are as follows:

1. Identify all iSCSI traffic.

This is achieved by examining the source port field in the TCP header. If the source port

is 3260, then iSCSI traffic is being sent from the target to the initiator.

2. Determine if the iSCSI packet contains user data.

User data is carried to the initiator in two packets: a Data-in PDU which contains the

length of the data to be sent in its header. This packet is followed by a plain vanilla TCP

packet with the ‘push’ bit set in the header. It is in this TCP packet that the user data is

sent.

Therefore, the presence of user data can be determined by examining the ‘opcode’ in the

iSCSI header and the ‘push’ bit in the TCP packet. If the ‘opcode’ is 37, then there is a

Data-in PDU and the ‘push’ bit is set in the TCP packet then there is user data.

3. Encrypt packets not containing user data.

This is achieved using the same method described in step 3 of section 4.1.1.1.

4. Encrypt packets containing user data.

The encryption of packets containing user data is split into three sections.

a. Verifying Headers.

This is achieved using the same method described in step 4a of section 4.1.1.1.

52

b. Re-compute the TCP checksum and update the TCP header with this value.

This is achieved using the same method described in step 4c of section 4.1.1.1.

c. Encrypt the TCP header and iSCSI header.

This is achieved using the same method described in step 4d of section 4.1.1.1.

It should be noted that it is not necessary to encrypt the user data when it is being read

from the target since it is already in an encrypted form.

4.1.1.4 Receiving side code on the initiator

When reading user data from the target to the initiator, the steps carried out in the receiving side

of the code for the initiator are as follows:

1. Identify iSCSI traffic.

The packets arrive at the IPsec layer of the initiator in an encrypted form. Therefore, to

identify iSCSI traffic, the packet must be decrypted using the IPsec keys generated by

IKE, to reveal at least the first 32 bytes of the TCP header. If the source port field value is

3260, then there is iSCSI traffic coming from the target to the initiator.


When user data is read from the target to the initiator, the data is carried in two packets: a

Data-in PDU, which contains the length of the data to be sent in its header. This is

followed by a plain vanilla TCP packet with the ‘push’ bit set in the header. It is in this

TCP packet that the user data is sent.

Therefore the presence of user data can be determined by examining the packet to see if

there is an iSCSI header. If there is no iSCSI header, then the packet is a TCP packet

53

which may contain user data. If the ‘push’ flag is set, and the length of the packet exceeds

that of just the TCP header, then there is user data.

3. Decrypt packets containing user data.

The decryption of packets containing user data is split into two sections.

a. Decrypt the user payload.

If the packet contains user data, the user data is isolated and decrypted using the custom

key.

b. Re-compute the TCP checksum and update the TCP header with this value.

Once the user data has been decrypted, the TCP checksum is recomputed and the TCP

header is updated with the value.

4. Decrypt packets not containing user data.

If the packet does not contain user data, then the remainder of the packet is decrypted

using the IPsec keys generated by IKE.

4.2 Motivation for Enhancing EASI

The EASI scheme goes a long way to addressing the issues of online data storage. However, in

order to bring the implementation closer to a complete and usable secure data transfer/storage

system, a number of areas have been identified that need further consideration. The areas selected

for further investigation in this project are discussed in the following section.

4.2.1 Goals for the Secure Asymmetric iSCSI System for Online Storage

The existing EASI implementation permits only the transfer of block size data or integer

multiples of block size. Any attempts to transfer non-block size (arbitrary size) files results in the

54

encryption scheme breaking. Obviously, it is highly desirable to be able to transfer files of

arbitrary size. Thus, this is one of the areas that are addressed in this project.

A second area which needs addressing is the enhancement of the EASI scheme to allow for

duplicate transfer of files to a second target storage device. This would potentially provide

additional disaster recovery support.

Another limiting area identified in the EASI scheme is the complexity in terms of the

configuration that needs to be undertaken by the user. In order to make the implementation more

complete, and in order for it to be more widely accepted, simplification of the configuration is

desirable. The obvious way to achieve this is through the development and implementation of a

graphical user interface (GUI) or an application program interface (API).

In addition to the above goals, a further goal is to investigate the potential for using the

implementation in a disaster recovery goal.

Having gained an understanding of the existing EASI scheme and goals for the current project,

the next stage was to test the existing EASI scheme. This testing is described in the next chapter.

55

Chapter 5

5. Testing of EASI Implementation

Prior to developing detailed proposed enhancements for this project, it was first necessary to test

the EASI implementation. In this way, the problems associated with transferring files of arbitrary

size could be more clearly understood. In addition, it would enable other limitations, which may

affect potential enhancements, to be identified and understood.

5.1 Test Bed

Although a physical test bed with the EASI implementation was available, a decision was made

to preserve it. It was decided to recreate the EASI implementation using VMware Server, a server

virtualization software.

In order to gain a full understanding of the EASI scheme, attempts were made to recreate both the

initiator and target machines. Two virtual machines were created using Fedora Core 4 as the

operating system. Since the EASI scheme utilizes the Linux 2.6.12.1 kernel, the source code for

this kernel was installed on the virtual machines. Attempts were then made to incorporate the

changes to the IPsec code which had been made in the EASI scheme. However, these attempts

were unsuccessful.

In view of the problems encountered, a decision was made to clone the physical test bed for use

as a virtual machine. This was achieved using the UltimateP2V software plug-in; details of the

procedure and the subsequent installation of the clones on the VMware Server are provided in

Appendix B. A schematic of the resulting virtual machine test bed is shown in Figure 5-1. The

test bed was comprised of a laptop running Windows XP Pro, on which VMware Server 1.04 was

installed. The virtual machine images were stored on an external hard drive.

VMware Server 1.04

Physical Host IP: 192.168.2.100

iSCSI Initiator

VMware instance running linux-2.6.12.1 and

open-iscsi-0.4-434

VMware specifications:

Physical Memory: 256MB

IP: 192.168.2.64

iSCSI Target 1


iscsitarget-0.4.11



IP: 192.168.2.69

iSCSI Target 2


iscsitarget-0.4.11



IP: 192.168.2.25

Host: Laptop running Windows XP Service Pack 2Physical Memory: 2GB

Processor: AMD Turion 64 Mobile 2 GHzHard Disk: 80 GB

External Hard Disk: 500GB

56

Figure 5-1: Schematic of Test Bed

5.2 Limitations of using a File as a Target Storage Device

The EASI implementation utilizes a file as a target storage device. Testing revealed that, although

suitable as a proof-of-concept, using a file as target storage has severe limitations. For example, a

user is limited to storing only one file at a time. Any attempt to store another user file results in

overwriting of the user file currently residing on the target storage. The overwrite may be partial

or total, dependent on the size of the user file already stored on the target and the size of the new

file being written to the target storage. In addition, the pre-set size of the target storage file limits

the size of the user file which can be stored upon it. These limitations preclude using a file as a

57

target storage device in a real world environment. As a result of these findings, it was decided to

test the EASI scheme not only with a file as a target storage device, but also using a mounted file

system as target storage.

5.3 Copying User Files using the sg_dd and cp utilities

The EASI scheme utilizes the sg_dd utility on the initiator to write/read user files to/from the

target storage. The files which can be written/read using the scheme must be block size (1024

bytes), or integer multiples of block size. In order to write/read files or arbitrary size, Mr.

Andukuri [1-11] stated that it would be necessary to utilize a different utility such as the cp utility.

Therefore, to fully test the EASI implementation, files were written/read by the initiator to/from

the target using both the sg_dd and cp utilities. For completeness, the tests were repeated using

the EASI scheme and also without using any encryption scheme.

5.3.1 Writing/Reading Files to a Target Storage File using sg_dd

As stated in Chapter 2, the command utilized to write a user file to target storage is:

sg_dd if=test.txt of=/dev/sdb bs=1024 bpt=1 odir=1 count=1024 skip=0 seek=0

and the command to read a file from the target storage is:

sg_dd if=/dev/sda of=test_ret.txt bs=1024 bpt=1 odir=1 count=1024 skip=0 seek=0

The various options were discussed in Chapter 2. However, in view of their relevance to the

following discussion, the ‘bs’ and ‘count’ values are described again here.

The ‘bs’ option is used to specify the size of the blocks to be written/read, which in the

commands shown above is 1024 bytes. If no ‘bs’ value is specified, a default value of 512 bytes

is used. The ‘count’ option is used to specify the number of blocks to be written/read. If the

58

‘count’ value is omitted, attempts are made to determine the value to be used by examining the

input and output devices, which are represented by ‘if’ and ‘of’ respectively.

As expected, the sg_dd utility could be successfully used to write/read block size files, or integer

multiples of block size files, to/from the target storage file. This was possible both with and

without the EASI scheme in place. However, it was noted that it was necessary to specify the ‘bs’

(block size) and ‘count’ (number of blocks to be written/read) values in the sg_dd command in

order for some writes/reads to be successful, this is discussed below.

Without the EASI scheme, it was found that if both the ‘bs’ and ‘count’ values were omitted, the

file was successfully written to the target, although a message was displayed indicating that the

block size was being assumed to be 512 bytes, the default value. However, when reading from the

target, if both the ‘bs’ and ‘count’ values were omitted, the complete target storage file was read

irrespective of its size and whether or not it had any data on it.

In the case where the EASI scheme was used, omission of the ‘bs’ value was problematic since

its default value was 512 bytes and because the EASI scheme requires a block size of 1024 bytes.

If a ‘bs’ value was specified but the ‘count’ value was omitted, no write/read occurred and an

error message was displayed. The reason for this was that with this particular test bed, the target

was seen as a block device with a block size of 512 bytes while the specified ‘bs’ was 1204 bytes.

Consequently, the ‘count’ value could not be determined. The error messages for the write and

read are shown in Figures 5-2 and 5-3 respectively.

59

Figure 5-2: Error Message displayed when writing a User File from Initiator to Target without specifying a ‘count’ value

Figure 5-3: Error Message displayed when writing a User File from Target to Initiator without specifying a ‘count’ value

60

5.3.2 Writing/Reading Files to a Target Storage File using cp

The cp utility was used to write/read user files to/from the target storage file using both the EASI

scheme and without encryption. When writing block size or integer multiples of block size files

using EASI, it was found that the write was successful and the user file was stored in an

encrypted form. However, when attempting to read the user file back to the initiator two issues

were identified.

1. The data read to the initiator was found to be the same size as the entire target storage

file.

2. Although the file should have been decrypted when it was read back to the initiator, it

was found to still be in an encrypted form.

The fact that the file had not been decrypted was not altogether unexpected, since the EASI

scheme was designed for use with block size or integer multiples of block size files. Since the cp

utility was not specifically designed for block transfers, it does not allow for the specification of

the number of blocks to be transferred, or the size of the blocks.

What was of interest, but in hindsight not entirely unexpected, was the size of the file read back

to the initiator. The reason that the entire target storage file was read back can be easily

explained. The cp utility was designed to copy files and since the target storage is in fact a file, it

would be expected that it would be read to the initiator in its entirety.

If the sg_dd utility was used to read from the target, when the write had been carried out with the

cp utility, it was found that the file would be in its decrypted form on the initiator. However, it

was necessary to specify the appropriate ‘count’ value for the file. This is of interest since it

suggests that if the cp utility could be modified to allow the specification of a ‘count’ value, then

it could be used to read the user file from the target storage file. However, due to the block size

61

limitation of the EASI scheme, the file being read would still have to be block size or an integer

multiple of block size.

For completeness, attempts were made to write/read arbitrary sized files using the cp utility and

the EASI scheme. Examination of the target storage file after the arbitrary size file had been

written revealed that the contents of the storage file were encrypted. However, it was not known

if they had been successfully encrypted. In an attempt to determine if the encryption had indeed

been successful, the sg_dd utility was used to read the user file back to the initiator. Since the file

that had originally been written was not block size, it was necessary to specify a ‘count’ value of

the next block size above the arbitrary size so that the read with sg_dd would be successful.

Examination of the file read back to the initiator revealed that it had been successfully decrypted.

This indicated that it had originally been encrypted correctly when the file was written with the cp

utility. However, since it was necessary to read slightly more of the target file using the sg_dd

utility; it was found that the additional bytes read contained what appeared to be garbage. Further

examination of these bytes suggested that they had in fact been white space on the target storage

file, therefore when the file had been read with sg_dd, the EASI scheme had decrypted them. A

screen shot of the output is shown in Figure 5-4.

When an attempt was made to read the user file from the target storage file using the cp utility, it

was found that the decryption failed, and the entire target storage file was read back to the

initiator.

62

Figure 5-4: Output of file read back to the Initiator using the sg_dd utility

5.3.3 Writing/Reading Files to a Mounted Target Storage File System

As has already been stated in this report, there are limitations when using a file as a target storage

device. Therefore, it was decided to add a second virtual hard disk to the target virtual machine,

and use this as the storage device. Details of adding the second hard disk, the procedure for

creating a file system upon it, and mounting it on the initiator are provided in Appendix C.

5.3.3.1 Writing/Reading Files to Mounted Target Storage without Encryption

When attempting to write/read files to a mounted target file system without using any encryption,

it was found that files could be successfully written/read using both the sg_dd and cp utilities.

63

5.3.3.1.1 Writing/Reading with the sg_dd Utility

When using the sg_dd utility to write/read to/from mounted storage, it was found that it was still

necessary to specify the ‘count’ value. This was to be expected since the block size of 1024 bytes

used in the sg_dd command was at odds with the block size of the storage. In addition, it was

found that it was necessary to specify the mount point of the storage along with a file name which

would be used to store the user file. Examples of the commands to write/read using the sg_dd

utility are shown below:

To write files to the target use:

sg_dd if=test_file_1K.txt of=/mnt/iscsi_disk/test1K.txt bs=1024 bpt=1 odir=1 count=1 skip=0

seek=0

To read files from the target use:

sg_dd if=/mnt/iscsi_disk/test1K.txt of=test1K_ret.txt bs=1024 bpt=1 odir=1 count=1 skip=0

seek=0

5.3.3.1.2 Writing/Reading with the cp Utility

When writing/reading files to a mounted storage device using the cp utility, it was found that

unlike the case of the un-mounted target storage file, the reading of a file from the mounted

storage device resulted in only the relevant file data being read. Examples of the commands to

write and read files to mounted storage using the cp utility are shown below.

To write files to the target use:

cp test_file_1K.txt /mnt/iscsi_disk/

To read files from the target use:

cp /mnt/iscsi_disk/test_file_1K.txt test1K_ret.txt

64

Having ascertained that both cp and sg_dd could be used to write/read files from mounted storage

without encryption or with native IPsec encryption, the next stage was to determine if writes and

reads would be successful with the EASI encryption scheme in place.

5.3.3.2 Writing/Reading Files to/from Mounted Target Storage using EASI

On attempting to mount the target storage device on the initiator when using the EASI scheme, it

was found that mounting failed, and the following error message was displayed.

[root@siscsi test_files]# mount /dev/sda /mnt/iscsi_disk/

mount: wrong fs type, bad option, bad superblock on dev/sda, missing codepage or other error

Obviously since the mount failed, it was not possible to write/read files to the storage. Since this

problem had not been encountered when no encryption or native IPsec was used, it seemed likely

that the problem arose from commands issued during mounting being interpreted as user

(payload) data by the EASI scheme. In an attempt to determine whether or not this idea was

correct, it was decided that some additional research should be carried out to determine the

packets passing between the initiator and target when mounting a target storage disk using the

Wireshark network protocol analyzer. This testing, and the results obtained are presented in

chapter 8.

5.4 Summary of the test results and their impact on enhancements

In summary, the testing of the existing implementation revealed the following:

1. Ideally a mounted target device should be utilized in the implementation.

2. Mounting the target device with the existing implementation is not possible.

3. When using the sg_dd utility the user must know the size of the file to be transferred and

‘count’ and ‘bs’ values must be specified.

65

Chapter 6

6. Proposed Enhancements

It should be apparent from the discussion of the results from the testing of the EASI scheme that

there are a number of factors that significantly affect the way in which enhancements to the

scheme can be realized.

6.1 Writing/Reading Files of Arbitrary Size

One of the goals of this project was to be able to transfer and store files of arbitrary size, in an

encrypted form onto a target storage device. To determine which enhancements would be

attempted, the first factor to decide was whether files would be written/read to an un-mounted

target, as in the EASI scheme, or to a mounted target storage.

It was clear from testing the EASI scheme that writing/reading files to a mounted target would

require not only changes to the encryption code to enable arbitrary sized files to be transferred,

but would also require changes that would allow the target storage to be mounted. In order to

achieve the latter, it would first be necessary to undertake a detailed study of the commands

utilized for mounting of the target on the initiator. The next step would be to determine whether

the existing iSCSI/SCSI commands would need modification in order to allow differentiation

between commands required to set up the target device and those to transfer user files. This in

itself was considered to be a major task, and although ultimately desirable, laid outside the scope

of the goals originally intended for this project.

66

Having decided not to use a mounted target, the determining factor was modification of the

encryption code to decipher the different packets and commands transferred when using the cp

utility. The main problem requiring resolution in this case was the inability to successfully

recreate the existing implementation. Various attempts had been made to reproduce the

implementation. These included using a more recent Linux kernel and making changes to the

encryption code which had been modified in the EASI scheme. Despite considerable efforts to

achieve this, none proved successful. It became apparent that a more simplistic approach would

have to be taken that would utilize the existing encryption scheme without the need to modify the

kernel code.

Files/Data are stored on disks in blocks. The size of these blocks can be set when the file system

is created. A typical example of block size currently used is 4096 bytes. If a file of size 750 bytes

is created and the block size is 4096 bytes, the file will still consume 4096 bytes on the disk. The

remaining 3346 bytes of the block will be empty.

The sg_dd utility copies blocks of data, and since files are stored in blocks it can be used to

transfer files irrespective of their size. However, when a file is copied, the entire block is copied,

including any empty space within the block, unlike the cp utility which copies only the file data

within the block(s).

It should be apparent from the above that the sg_dd can be used to copy files of arbitrary size but

with the limitation that the entire block containing the file will be copied. Thus, when the sg_dd

utility is used to copy files of arbitrary size, it is only simulating the copy of an arbitrary sized

file.

As stated in Chapter 5, there a number of limitations when transferring a file/user data to a file

that is acting as a target storage device. The target file appears as a special block device. If the

67

‘bs’ value conflicts with that found for the target file, the ‘count’ value cannot be determined and

therefore a value must be entered and consequently, the user must know the size of the file.

In order to simulate the transfer of a file of arbitrary size, it is desirable that the user does not

have to specify the ‘bs’ value or the ‘count’ value. This can be achieved when writing a file to

target storage by:

Changing the default ‘bs’ value in the sg_dd code to 1024

Adding a function to determine the size of the file in bytes. If the returned value is not

block size (1024 bytes) or an integer multiple of block size, the count value must be set to

the next integer multiple of the number of blocks to be written. This value is then used for

constructing the command descriptor blocks, reading the data from the initiator, and

writing to the target.

Determining the size of the file can be achieved in a number of ways, for the purposes of this

project the ‘stat’ utility was used. Testing of the implementation revealed that although using the

‘stat’ utility worked when writing user data to the target storage, a problem was encountered

when reading user data from the target back to the initiator. The problem that arises is that when

the ‘stat’ utility is used on the target storage, it does not return the size of the target storage. This

can be seen in Figure 6-1.

Alternative methods were investigated for determining the size of the target storage. However, it

was found that they returned the size of the entire target storage file rather than the amount of

user data.

68

Figure 6-1: Result of using stat utility on target storage file

Attempts were also made to write a function to read the contents of the target file and determine

the amount of trailing white space and in this way also determine the amount of user data.

However, since the data is stored in an encrypted form on the target storage this proved to be

unsuccessful. In view of the fact that the current form of the target storage has limitations that

would preclude its use in a real world environment, it was decided that to pursue this further

would not be constructive. Consequently, the sg_dd code was modified such that the count value

would not be determined when reading from the target and that the user would be required to

specify a value, as is the case in the existing EASI scheme.

A typical run through on the VMware test bed for writing/reading files to the target using the

code enhanced for transferring files of arbitrary size is presented in Appendix D.

69

6.2 Transferring a File to Two Targets

The existing EASI implementation considered only the transfer of a file to a single target.

However, the ability to transfer to an additional target is increasingly advantageous especially

with the increasing desire/requirement to store/backup data at multiple remote locations. The

transfer of a file to two or more targets is perfectly possible with the existing implementation. It

just requires the user to issue multiple sg_dd commands, for example:

sg_dd if=test_file.txt of=target1_device bs=1024 bpt=1 odir=1 count=1 seek=0 skip=0

sg_dd if=test_file.txt of=target2_device bs=1024 bpt=1 count=1 odir=1 seek=0 skip=0

However, when writing data to multiple targets there are a number of points that need to be

considered, such as:

Is the same key to be used to encrypt the user data?

Are the same keys to be used for the native IPsec communications between the initiator

and targets?

These points are considered in detail below.

6.2.1 Encryption of Payload

For additional security, it may be desirable to utilize different keys to encrypt the user data that is

being transferred to different targets. This would require modifications to the existing EASI

scheme and also the IPsec implementation, as at the present time a single key is hard coded into

the IPsec encryption code. However, since at this stage the project remains a proof-of-concept,

and because of the difficulties encountered in recreating the EASI scheme and thus making

changes to the IPsec implementation, a decision was made to use the same key to encrypt the

payload for all targets.

70

6.2.2 Native IPsec Keys

In view of the fact that the same key is to be used to encrypt the user data for all targets, it was

decided that different IPsec keys should be used for secure communications between the initiator

and targets. This can be achieved manually or automatically in a relatively straightforward

manner. However, since one of the goals of this project is to simplify the implementation, it was

decided to create a user interface that would simplify the creation of the keys and database

entries.

6.2.3 Steps to Transfer a File to Two Targets

The following changes were required to the sg_dd code in order to enable the transfer of a file to

two targets:

Add another command line argument to allow the user to specify a second target device.

Process the command line options to determine whether one or two target devices are

specified.

If a second target is specified, determine the type of device it is.

Determine the number of blocks and the block size of the second target.

Create a second command descriptor block for the second target.

A typical run through on the VMware test bed for writing/reading files to the target using the

code enhanced for transferring files to two targets is presented in Appendix E.

6.3 User Interface

One of the limitations of the existing implementation is that configuring and starting the open-

iscsi and iscsitarget implementations and transferring and retrieving files requires the user to

71

interact with the command line. Although, the target users of the implementation, such as systems

administrators, are likely to have significant computing experience, it is conceivable that they

have little or no experience of the open-iscsi and iscsi-target implementations. Due to the fact that

the commands utilized are not particularly intuitive, it was decided that a user interface should be

developed to simplify the interactions thus making the implementation more user friendly.

As stated above the main users of the Secure ISCSI implementation are likely to have significant

computing experience and as such the user interface should be functional rather than be

ascetically pleasing.

It was decided to develop the user interface in a graphical format using Python. Python is a

powerful open source dynamic programming language. It is relatively easy to learn and is

available for most major operating systems. In addition, it is easy to interact with the operating

system through the use of shell commands. The installation of Python and Tkinter, used to create

the graphical user interface widgets, is presented in Appendix F.

6.3.1 Functionality of User Interface

In order to develop a suitable user interface, it was first necessary to determine what tasks it

should be able to carry out, and its appearance. It was decided that two user interfaces would be

developed: one for the initiator and one for the target. Although it would be possible to develop a

user interface for the basic configuration of the initiator and target, it was decided that since this

would be undertaken only once that for the current project, it would be better to focus on other

tasks. Consequently, the tasks that the user interfaces should be able to carry out are limited to

those listed below.

72

6.3.1.1 Initiator User Interface Tasks

Generate IPsec keys to be used to provide a secure connection between the initiator and

target.

Generate Security Association Database and Security Policy Database entries.

Start the iSCSI initiator program.

Login to target(s).

Transfer user data to the target(s).

Retrieve files from the target.

6.3.1.2 Target User Interface Tasks

Create additional target files.

Configure the ietd.conf file with new targets.

Generate Security Association Database and Security Policy Database entries.

Start/stop the iSCSI target program.

Generating IPsec Keys

In order to transfer files in a secure manner, it is necessary to utilize IPSec. The EASI scheme

utilizes a modified version of IPSec for the secure transfer and storage of files. It incorporates a

hard coded key which is used to encrypt the user payload. However, it is still necessary to

generate IPSec keys that will be used in the Security Association Database (SAD) and the

Security Policy Database (SPD), and also create the SAD and SPD entries. This is carried out

manually in the EASI scheme.

Since Security Associations (SA’s) are unidirectional, keys need to be generated for each

direction. These keys need to be shared with both the initiator and the target. The secure sharing

of these keys is not covered in this project.

73

Generate Security Association Database and Security Policy Database entries

Requires that IPSec keys have already been generated and are available for retrieval and

use.

Requires the user to specify both the initiator and target IP addresses.

Requires interaction with the OS, this is achieved through system commands module of

Python.

Start the open-iscsi initiator program

Requires interaction with OS.

Ideally display to the user the targets discovered, so that user can enter the target id to

login to in the next stage. Also acts as a check that the connection has been made.

Login to the target

Requires the user to specify how many target(s) to login to.

Requires the user to specify the targets to which to connect.

Requires interaction with the OS.

Logout from Target

Requires the user to specify the target(s) to logout from.


Transfer files to the target(s)

User must specify whether they want to transfer a file to one or two targets.

User must specify where they are transferring from and where they are transferring to.

Ideally show confirmation that the transfer(s) has/have been successful.


Retrieve files from the target(s)

74

User must specify where they are transferring from and where they are transferring to.

Ideally show confirmation that the transfer(s) has/have been successful.


Create additional target files

Requires user to specify location, name, and size of target file to be created.


Configure the ietd.conf file with new targets

Requires the user to enter the directory containing the target file, and the name of the

target file.


Start/stop the iscsi target program

Requires user to start/stop the target.

Ideally should have a display to show that target has been started or stopped successfully.

A user manual for the user interface is provided in Appendix G.

Chapter 7

75

7. Performance Results and Analysis

In order to determine the impact on performance of the changes proposed in this project, a variety

of tests were carried out. The results are discussed here. The testing was carried out on the virtual

machine test bed which was created from the images of the physical test bed utilized for the EASI

scheme.

7.1 Testing Regime

The tests were divided into three sections:

1. Writing/Reading files to a target storage device using the original sg_dd code. These tests

were carried out to provide a base line against which the other results could be compared.

2. Writing/Reading files to a target storage device using the modified sg_dd code, during

this project, to allow the transfer of files of arbitrary size.

3. Writing/Reading files using the sg_dd code modified, during this project, to allow the

transfer of files to two target storage devices.

All the tests were repeated for writing/reading using no encryption, IPsec encryption, and finally

EASI encryption. The overall testing regime is shown in Table 7-1. The files and results are

available on the DVD accompanying this report.

76

Transfer Type Without encryption With Native IPSec With EASIBlock size file transfer using original sg_dd code

fileorigNoEncry.txt fileorigIPsec.txt fileorigEASI.txt

Arbitrary size file transfer using modified sg_dd code

filearbNoEncry.txt filearbIPsec.txt filearbEASI.txt

Transfer of files to targets using modified sg_dd code

file2targsNoEncry.txt file2targsIPsec.txt file2targsEASI.txt

Table 7-1: Testing Regime

In these tests, performance was determined based on the time to write/read the files to/from the

target storage device. The times were determined using the standard time utility available in the

Linux distribution. This time utility determines three separate time values:

Real time: The elapsed time from the time of invocation of the command, in this case the

sg_dd command to write/read a file, to the time of termination of the command.

User time: The time used by the program/utility (sg_dd in this case) itself and any library

subroutines and calls.

System time: The time used by the system call invoked by the program (directly or indirectly).

7.2 Anticipated Results

Before examining the actual results obtained from the test, the anticipated results are discussed.

These are then compared to the results actually obtained.

7.2.1 Base Line Tests using the Original sg_dd Code

Base Line No Encryption

In this case, it would be anticipated that the time to write/read would increase as the size of the

file increases. The reason for this is that it would be expected for it to take longer to write/read a

77

larger file and would also require that larger files would require the writes/reads to occur across

multiple packets.

Base Line IPsec

In this case, it would be expected that similar behavior to that described above would be seen.

However, because the payloads in each packet used for writing/reading will be encrypted when

being sent out and decrypted when received, it is likely that the transfer times would be higher

than those seen when no encryption is used.

Base Line EASI

In this case, it would again be anticipated that similar behavior to the non-encrypted transfer

would be seen. However, since the EASI scheme encrypts not only the packets containing the file

which is to be transferred but also encrypts the user file within the packet. Thus, the transfer times

would be expected to be higher than not only the non encrypted transfers, but also higher than the

IPsec transfers.

7.2.2 Tests using the sg_dd code modified for arbitrary sized files

In these tests, files of arbitrary size are transferred. It was decided that the files should be less

than their block size equivalents. The changes to the sg_dd code result in size of the file to be

written to the target storage being calculated. The value obtained is then used to calculate and set

the appropriate ‘count’ value. In view of this extra processing that is carried out, it is expected

that in all cases (no encryption, IPsec and EASI) the transfer times may be slightly higher than

the base line values. However, there should still be a trend of increasing transfer times from no

encryption to IPsec to EASI.

78

7.2.3 Testing using sg_dd code modified for two target storage devices

In these tests, block size files are written to two target storage devices. When reading back to the

initiator, the file is read from only one target. Since the file is written to two targets, this involves

additional processing. As a result, it is anticipated that in all cases (no encryption, IPsec and

EASI) the transfer times will be approximately double the time for the base line values. It is

expected that the general trend of increasing transfer times from no encryption to IPsec to EASI

will hold.

7.3 Actual Results

As stated above, when tests were carried out to transfer files of arbitrary size, it was decided that

the files should be less than their block size equivalents. The sizes of the block sized and arbitrary

sized files used are shown in Table 7-2. The speed of the connection used for the transfers was

100Mbps.

Size of File in KB Size of Block File in bytes Size of Arbitrary File in bytes

1K 1024 75010K 10240 9966100K 102400 1021261MB 1048576 104830210MB 10485760 10485486100MB 104857600 104857326Table 7-2: Sizes of various files used during testing

The complete results, for the combined times (write + read) obtained for all of the tests are shown

in Tables 7-3 to 7-8. In the tables, ‘Write’ indicates the transfer of the file from the initiator to the

target and ‘Read’ represents the transfer of a file from the target to the initiator.

79

Write + Read Times with No Encryption sg_dd Original sg_dd arbitrary sg_dd 2 TargetsRun Real User System Real User System Real User System

1 0.03 0 0 0.01 0 0 0.06 0 0.012 0.01 0 0 0.01 0 0 0.06 0 0.023 0.04 0 0 0.03 0 0.01 0.05 0 0.024 0.03 0 0.01 0.02 0 0 0.05 0 0.025 0.02 0 0.01 0.01 0 0 0.04 0 0.026 0.03 0 0 0.02 0 0.01 0.05 0 0.027 0.02 0 0.01 0.01 0 0.01 0.02 0 08 0.05 0 0 0 0 0 0.05 0 0.029 0.01 0 0 0.02 0 0 0.05 0 0.01

10 0.01 0 0 0.03 0 0.02 0.04 0 0.02 Averages 0.025 0 0.003 0.016 0 0.005 0.047 0.000 0.016 Write + Read Times with IPsec sg_dd Original sg_dd arbitrary sg_dd 2 TargetsRun Real User System Real User System Real User System

1 0.03 0 0 0.02 0 0 0.05 0 0.022 0.02 0 0 0.02 0 0 0.03 0 03 0.02 0 0 0.01 0 0 0.03 0 0.014 0.03 0 0 0.01 0 0 0.03 0 0.015 0.02 0 0 0.02 0 0.02 0.05 0 0.016 0.02 0 0 0.02 0 0 0.05 0 07 0.02 0 0 0.02 0 0 0.04 0 0.018 0.02 0 0 0.02 0 0 0.03 0 09 0.02 0 0 0.01 0 0 0.04 0 0.01

10 0.02 0 0 0.02 0 0 0.04 0 0.02 Averages 0.022 0 0 0.017 0 0.002 0.039 0 0.009 Write + Read Times with EASI sg_dd Original sg_dd arbitrary sg_dd 2 TargetsRun Real User System Real User System Real User System

1 0.05 0 0 0.03 0 0.01 0.04 0 0.022 0.02 0 0 0.02 0 0.01 0.02 0 0.013 0.02 0 0 0.02 0 0.01 0.04 0 0.024 0.02 0 0 0.02 0 0.01 0.02 0 05 0.03 0 0.01 0.03 0 0.02 0.05 0 0.026 0.02 0 0 0.03 0 0.01 0.02 0 07 0.03 0 0 0.02 0 0.02 0.04 0 0.018 0.02 0 0 0.03 0 0.02 0.03 0 0.019 0.02 0 0 0.02 0 0 0.02 0 0.01

10 0.04 0 0.01 0.03 0 0 0.03 0 0 Averages 0.027 0.000 0.002 0.025 0 0.011 0.031 0 0.01

Table 7-3: Combined Write/Read Times for 1K and 750 byte files

80


1 0.12 0 0.02 0.01 0 0.01 0.27 0 0.032 0.06 0 0.01 0.01 0 0.02 0.25 0 0.043 0.1 0 0.02 0 0 0.02 0.22 0 0.044 0.06 0 0.01 0.01 0 0.02 0.21 0 0.035 0.05 0 0.02 0 0 0.02 0.26 0 0.036 0.07 0 0.02 0 0 0.02 0.28 0 0.037 0.07 0 0.01 0 0 0.02 0.25 0 0.038 0.1 0 0.03 0 0 0.02 0.3 0 0.039 0.11 0 0.02 0.003 0 0.02 0.18 0 0.02

10 0.14 0 0.03 0 0 0.01 0.21 0 0.04 Averages 0.088 0 0.019 0.0033 0 0.018 0.243 0 0.032 Write + Read Times with IPsec sg_dd Original sg_dd arbitrary sg_dd 2 TargetsRun Real User System Real User System Real User System

1 0.13 0 0.02 0.1 0 0.02 0.23 0 0.052 0.06 0 0.02 0.09 0 0.02 0.25 0 0.043 0.08 0 0.02 0.15 0 0.02 0.22 0 0.034 0.15 0 0.02 0.09 0 0.01 0.19 0 0.045 0.08 0 0.01 0.09 0 0.02 0.22 0 0.036 0.17 0 0.03 0.13 0 0.02 0.32 0 0.047 0.08 0 0.02 0.1 0 0.01 0.21 0 0.038 0.08 0 0.01 0.09 0 0.01 0.26 0 0.049 0.05 0 0.03 0.11 0 0.03 0.12 0 0.03

10 0.1 0 0.01 0.07 0 0.01 0.31 0 0.04 Averages 0.098 0 0.019 0.102 0 0.017 0.233 0 0.037 Write + Read Times with EASI sg_dd Original sg_dd arbitrary sg_dd 2 TargetsRun Real User System Real User System Real User System

1 0.08 0 0.02 0.16 0 0.04 0.21 0 0.042 0.07 0 0.03 0.13 0 0.02 0.16 0 0.033 0.13 0 0.03 0.13 0 0.03 0.24 0 0.044 0.13 0 0.04 0.23 0 0.03 0.2 0 0.025 0.08 0 0.04 0.14 0 0.03 0.15 0 0.036 0.08 0 0.04 0.14 0 0.04 0.24 0 0.037 0.12 0 0.03 0.08 0 0.04 0.14 0 0.038 0.13 0 0.02 0.06 0 0.04 0.2 0 0.049 0.07 0 0.02 0.1 0 0.03 0.25 0 0.04

10 0.11 0 0.03 0.15 0 0.04 0.19 0 0.04 Averages 0.1 0 0.03 0.132 0 0.034 0.198 0 0.034


81


1 0.68 0 0.14 0.69 0 0.15 1.75 0 0.282 0.87 0 0.2 0.74 0 0.18 1.74 0 0.253 0.75 0 0.12 0.52 0 0.19 1.51 0 0.234 0.57 0 0.12 0.59 0 0.15 1.69 0 0.215 0.67 0 0.2 0.57 0 0.11 1.47 0 0.236 0.59 0 0.18 0.61 0 0.14 1.72 0 0.237 0.68 0 0.14 0.61 0 0.11 1.75 0 0.218 0.56 0 0.2 0.51 0 0.08 1.63 0 0.249 0.63 0 0.12 0.72 0 0.13 1.51 0 0.27

10 0.64 0 0.17 0.61 0 0.12 1.55 0 0.27 Averages 0.664 0 0.159 0.617 0 0.136 1.632 0 0.242 Write + Read Times with IPsec sg_dd Original sg_dd arbitrary sg_dd 2 TargetsRun Real User System Real User System Real User System

1 0.88 0 0.15 1.11 0 0.21 1.49 0 0.312 0.89 0 0.19 0.75 0 0.11 1.4 0 0.223 0.66 0 0.14 0.73 0 0.14 1.49 0 0.254 0.71 0 0.12 0.78 0 0.2 1.54 0 0.215 0.77 0 0.22 0.78 0 0.21 0.98 0 0.186 0.8 0 0.13 0.71 0 0.26 1.27 0 0.217 0.72 0 0.21 0.69 0 0.18 1.47 0 0.238 0.83 0 0.16 0.73 0 0.19 1.53 0 0.229 0.83 0 0.27 0.9 0 0.25 1.28 0 0.2


1 0.78 0 0.15 0.85 0 0.27 1.18 0 0.232 1.01 0 0.28 1 0 0.26 1.08 0 0.223 0.93 0 0.15 0.96 0 0.22 1 0 0.234 0.73 0 0.17 0.86 0 0.25 1.05 0 0.25 0.69 0 0.14 0.86 0 0.21 1.01 0 0.236 0.74 0 0.11 0.87 0 0.26 0.93 0 0.247 0.74 0 0.29 0.8 0 0.27 1.21 0 0.28 0.6 0 0.23 0.86 0 0.25 1.01 0 0.179 0.69 0 0.13 0.9 0 0.26 1.38 0 0.22

10 0.75 0 0.22 1.15 0 0.21 1.06 0 0.15 Averages 0.766 0.000 0.187 0.911 0 0.246 1.091 0 0.209


82


1 4.66 0 0.81 4.17 0 0.82 16.14 0 2.782 4.75 0 0.8 3.96 0 0.79 15.79 0 2.83 4.51 0 0.69 4.03 0 0.7 15.68 0 2.94 4.32 0 0.75 4.17 0 0.69 12.5 0 1.685 4.49 0 0.74 3.85 0 0.6 9.04 0 1.216 4.57 0 0.77 3.94 0 0.68 9.43 0 1.147 4.52 0 0.72 4.05 0 0.72 9.12 0 1.38 4.59 0 0.73 3.96 0 0.5 9.26 0 1.429 4.43 0 0.83 4.25 0 0.73 9.34 0 1.19

10 4.6 0 0.78 3.95 0 0.62 9.48 0 1.31 Averages 4.544 0 0.762 4.033 0 0.685 11.578 0 1.773 Write + Read Times with IPsec sg_dd Original sg_dd arbitrary sg_dd 2 TargetsRun Real User System Real User System Real User System

1 5.5 0 0.95 5.4 0 1.03 11.27 0 2.142 5.23 0 0.96 4.88 0 0.94 10.38 0 1.763 5.22 0 0.85 4.89 0 1.14 10.59 0 1.764 5.27 0 1.05 4.72 0 0.99 10.93 0 1.845 5.61 0 1.02 4.91 0 1.03 10.72 0 1.886 5.38 0 1.04 5.15 0 1.13 10.22 0 1.837 5.29 0 0.85 4.91 0 0.83 11.05 0 1.778 5.26 0 0.97 4.77 0 0.96 10.77 0 1.929 5.26 0 0.96 4.76 0 1.05 10.86 0 1.76


1 5.08 0 1.43 5.82 0 1.18 8.71 0 1.392 5.17 0 1.21 4.31 0 1.01 8.38 0 1.63 5 0 1.37 4.19 0 0.93 8.69 0 1.484 5.29 0 1.55 4.32 0 0.81 8.54 0 1.565 5 0 1.22 4.68 0 1.06 8.51 0 1.386 5.21 0 1.34 4.27 0 0.76 9 0 1.657 4.99 0 1.28 4.33 0 0.93 8.47 0 1.578 5.32 0 1.3 4.27 0 0.92 8.48 0 1.369 5.22 0 1.55 4.27 0 0.86 8.81 0 1.47

10 5.16 0 1.32 4.5 0 1.12 8.49 0 1.54 Averages 5.144 0.000 1.357 4.496 0 0.958 8.608 0 1.5

Table 7-6: Combined Write/Read Times for 1MB and 1048302 byte files

83


1 44.91 0 7.29 43.93 0.01 6.58 92.4 0.03 12.542 45.65 0 7.47 40.04 0.01 6.36 91.48 0.02 133 46.11 0.01 7.92 40.05 0 6.36 89.65 0.02 12.714 46.56 0 7.45 40.43 0 6.32 87.04 0.02 12.965 47.23 0.01 7.65 40.82 0 6.5 77.15 0.02 12.356 47.37 0.01 7.75 41.97 0.01 6.65 72.73 0.03 12.767 48.61 0.01 7.67 42.12 0.01 7.14 72.57 0.01 12.628 48.35 0 7.43 42.33 0.01 7.04 73.4 0.01 12.539 48.93 0.01 7.71 43.33 0.01 6.45 74.14 0.02 12.56

10 49.2 0 7.62 44.01 0.01 6.54 74.86 0.02 12.15 Averages 47.292 0.005 7.596 41.903 0.007 6.594 80.542 0.02 12.618 Write + Read Times with IPsec sg_dd Original sg_dd arbitrary sg_dd 2 TargetsRun Real User System Real User System Real User System

1 53.9 0 9.61 55.02 0.02 10.87 117.74 0.03 20.712 54.36 0.01 10.36 49.48 0.01 9.71 108.97 0.02 18.233 53.97 0 9.73 50.16 0.01 9.55 110.02 0.03 18.574 54.44 0 9.74 50.16 0.01 9.97 110.73 0.03 18.625 53.22 0.01 10.45 50.93 0.01 9.73 110.56 0.03 18.76 52.54 0.01 9.77 51.23 0 9.87 109.18 0.03 18.697 51.23 0.01 9.94 52.72 0 10.2 104.18 0.01 18.048 47.94 0 9.96 52.25 0.01 9.47 91.02 0.01 18.119 42.65 0.01 9.75 53.19 0.01 10.63 85.57 0.02 18.04

10 42.26 0.01 10.28 52.91 0 9.54 86.39 0.01 17.48 Averages 50.651 0.006 9.959 51.805 0.008 9.954 103.436 0.022 18.519 Write + Read Times with EASI sg_dd Original sg_dd arbitrary sg_dd 2 TargetsRun Real User System Real User System Real User System

1 55.93 0 10.25 46.83 0.01 9.36 89.78 0.02 16.932 56.07 0.01 10.84 43.12 0.01 8.86 87.39 0.02 16.063 55.53 0 11.35 43.44 0.01 9.44 89.08 0.02 16.044 54.3 0.01 11.01 43.91 0.01 9.15 91.46 0.02 16.095 52.87 0.01 10.52 43.8 0.01 9.34 94.23 0.01 16.16 49.41 0.01 10.19 44.46 0 8.84 97.19 0.03 16.367 44.07 0.01 10.38 45.26 0 9.49 98.56 0.02 16.178 43.21 0 10.09 45.22 0.01 8.98 101.12 0.02 16.079 43.48 0.01 10.59 46.19 0.01 8.97 103.68 0.02 16.46

10 43.53 0 10.52 45.58 0 8.96 104.16 0.03 16.14 Averages 49.840 0.006 10.574 44.781 0.007 9.139 95.665 0.021 16.242


84

Write + Read Times with No Encryption

85

sg_dd Original sg_dd arbitrary sg_dd 2 Targets

Run Real User System Real UserSystem Real User System

1 477.52 0.08 76.28 510.53 0.18 71.28 829.99 0.28 126.152 386.25 0.09 73.99 479.09 0.14 69.69 843.02 0.24 127.823 407.47 0.08 74.58 385.75 0.1 67.86 882.75 0.31 1354 460.95 0.09 76.98 399.97 0.13 67.45 1209.94 0.4 158.315 488.02 0.09 76.09 442.19 0.09 66.98 874.01 0.28 128.496 397.61 0.1 75.64 481.7 0.12 70.79 856.18 0.25 127.817 400.63 0.09 76.49 453.24 0.14 69.86 839.05 0.25 127.938 445.9 0.1 73.99 387.59 0.14 68.61 881.88 0.23 128.029 489.64 0.11 77.93 416.8 0.13 67.75 815.08 0.26 127.16

10 413.99 0.11 75.67 489.61 0.14 69.53 909.21 0.26 128.72 Averages 436.798

0.094 75.764 444.647

0.131 68.98 894.111

0.276 131.541

Write + Read Times with IPsec sg_dd Original sg_dd arbitrary sg_dd 2 Targets


1 427.07 0.1 100.95 531.17 0.16 99.18 1063.47 0.33 193.762 465.13 0.13 100.23 423.24 0.15 94.94 1006.67 0.29 179.233 529.47 0.11 103.48 451.64 0.14 96.98 1025.16 0.31 179.614 470.19 0.09 101.43 509.78 0.15 98.7 927.48 0.31 175.015 431.2 0.11 97.89 523.76 0.12 96.68 1028.46 0.3 176.16 501.96 0.12 96.92 425.41 0.15 94.37 904.8 0.28 168.037 533.07 0.11 100.8 446.88 0.14 96.45 1013.99 0.29 166.158 437.74 0.1 100.19 503.88 0.17 97.02 865.3 0.3 163.089 431.36 0.09 91.42 528.01 0.12 98.16 1012 0.27 162.84

10 485.83 0.1 91.57 432.96 0.14 96.88 878.44 0.31 165.45 Averages 471.302

0.106 98.488 477.673

0.144 96.936 972.577

0.299 172.926

Write + Read Times with EASI sg_dd Original sg_dd arbitrary sg_dd 2 Targets


1 440.48 0.12 104.16 555.75 0.17 99.12 937.83 0.27 167.792 491.03 0.12 106.5 540.69 0.16 94.04 973.37 0.27 163.183 564.72 0.13 113.42 435.33 0.12 92.09 915.01 0.26 1614 452.04 0.11 102.46 445.59 0.13 91.94 989.46 0.29 161.735 452.19 0.09 104.87 503.39 0.11 93.5 879.71 0.25 158.16 518.46 0.11 105.5 541.35 0.14 95.35 979.43 0.28 160.277 535.34 0.11 106.37 438.33 0.12 91.05 879.26 0.24 158.828 432.81 0.11 103.05 442.62 0.11 90.76 994.46 0.27 162.299 466.23 0.13 102.41 498.66 0.13 91.1 876.37 0.28 157.17

10 536.65 0.12 104.36 537.96 0.13 91.45 985.29 0.25 159.65 Averages 488.995

0.115 105.310 493.967

0.132 93.04 941.019

0.266 161


86

7.3.1 Analysis of the Results from the Base Line Tests

Figures 7-1 through 7-3 show the average time results obtained for the base line tests described

previously in this chapter.

In Figure 7-1, the average values obtained for the times when writing/reading files using the

original sg_dd code and no encryption are presented. For both the real and system times, an

increase in the values is observed as the size of the file is increased. Similar behavior is seen with

the user time for the 10MB and 100MB files, while for the other files zero time values were

recorded.

Figure 7-2 shows the average time values obtained when writing/reading files using the original

sg_dd code with IPsec encryption used. Examination of the results revealed similar behavior to

that described when no encryption is used. However, when comparing Figures 7-1 and 7-2, it can

be seen that in all cases the time values are higher than those seen when no encryption is used.

In Figure 7-3, the average time values obtained when writing/reading files using the original

sg_dd code with EASI encryption are presented. Again, similar behavior to that observed in the

previous two tests was observed, with times increasing as the file size increased. When compared

to Figures 7-1 and 7-2, it can be seen that the values for the times are higher.

87

1K 10K 100K 1MB 10MB 100MB1.000

10.000

100.000

1000.000

RealUserSystem

File Size

Tim

e (s

econ

ds)

Figure 7-1: sg_dd Original No Encryption

1K 10K 100K 1MB 10MB 100MB1.000

10.000

100.000

1000.000

RealUserSystem

File Size

Tim

e (s

econ

ds)

Figure 7-2: sg_dd Original IPsec

88

1K 10K 100K 1MB 10MB 100MB1.000

10.000

100.000

1000.000

RealUserSystem

File Size

Tim

e (s

econ

ds)

Figure 7-3: sg_dd Original EASI

7.3.2 Analysis of the Results from the Tests using the sg_dd Arbitrary Code

Figures 7-4 to 7-6 show the average time results obtained for files of arbitrary size. Comparison

of the data in these graphs reveals similar trends to those seen with the base line results. As the

file sizes increase, so do the times for writing/reading.

When comparing the values obtained when no encryption was used to those when native IPsec

was used, it was found that the times for writing/reading were slightly higher when IPsec was

employed, except for the 1K- and 10K- files.

Comparing the times when using native IPsec and EASI, it was found that the times were slightly

higher when using EASI, except for the 1MB-, 10MB- and 100MB- files.

89

1K- 10K- 100K- 1MB- 10MB- 100MB-1

10

100

1000

RealUserSystem

File Size

Tim

e (s

econ

ds)

Figure 7-4: sg_dd Arbitrary No Encryption

1K- 10K- 100K- 1MB- 10MB- 100MB-1.000

10.000

100.000

1000.000

RealUserSystem

Figure 7-5: sg_dd Arbitrary IPsec

90

1K- 10K- 100K- 1MB- 10MB- 100MB-1

10

100

1000

RealUserSystem

File Size

Tim

e (s

econ

ds)

Figure 7-6: sg_dd Arbitrary EASI

7.3.2.1 sg_dd Original vs sg_dd arbitrary

Figures 7-7 to 7-9 show the real, user, and system times for writes/reads using the original sg_dd

code and arbitrary sg_dd without encryption, using IPsec and EASI respectively.

When comparing the real time values obtained in Figures 7-7 to 7-9, it was found that in all cases

the time values recorded were higher when using the code which had been modified to simulate

the transfer of arbitrary sized files. No significant differences between the values were noted in

when using IPsec or EASI.

Examination of the system values revealed that when no encryption was used the times recorded

for the original code were slightly higher than for the code modified to simulate the transfer of

arbitrary sized files, with the exception of the 1K file. In the cases where IPsec and EASI were

used, the times recorded were greater than when using no encryption, but a definitive trend could

be identified between IPsec and EASI.

91

In the case of the user times, in all cases the values recorded were higher when using the code

modified for simulating the transfer of arbitrary files. Since only two values were available, it was

not possible to determine a definitive trend when using no encryption, IPsec, or EASI.

1E+02. 1E+03. 1E+04. 1E+05. 1E+06. 1E+07. 1E+08. 1E+09.0.001

0.010

0.100

1.000

10.000

100.000

1000.000

0.005

0.018

0.136

0.685

6.594

68.980

0.003

0.019

0.159

0.762

7.596

75.764

0.00700000000000001

0.131

0.00500000000000001

0.094

0.016

0.087

0.617000000000007

4.033

41.903

444.647000000002

0.025

0.088

0.664

4.544

47.292

436.798

orig real arb real orig user arb user orig system arb system

File Size (bytes)

Tim

e (s

econ

ds)

Figure 7-7: Comparison of time values for the original and arbitrary sg_dd code without encryption

92

1E+02. 1E+03. 1E+04. 1E+05. 1E+06. 1E+07. 1E+08. 1E+09.0.001

0.010

0.100

1.000

10.000

100.000

1000.000

0.00200000000000001

0.017

0.191

1.00499999999998

9.954

96.936

0.019

0.179

0.961

9.959

98.488

0.00800000000000002

0.144

0.00600000000000001

0.106

0.017

0.102

0.806

4.925

51.805

477.673

0.022

0.098

0.808

5.381

50.651

471.302

orig real arb real orig user arb user orig system arb system

File Size (bytes)

Tim

e (s

econ

ds)

Figure 7-8: Comparison of time values for the original and arbitrary sg_dd code with IPsec

1E+02. 1E+03. 1E+04. 1E+05. 1E+06. 1E+07. 1E+08. 1E+09.0.001

0.010

0.100

1.000

10.000

100.000

1000.000

0.0110.034

0.246

0.958

9.139

93.040

0.002

0.030

0.187

1.357

10.574

105.310

0.00700000000000001

0.132

0.00600000000000001

0.115

0.025

0.132

0.911

4.496

44.781

493.966999999997

0.027

0.100

0.766

5.144

49.840

488.995

orig real arb Real orig user arb user orig system arb system

File Size (bytes)

Tim

e (s

econ

ds)

Figure 7-9: Comparison of time values for the original and arbitrary sg_dd code with EASI

93

7.3.3 Analysis of the Results from Tests using the sg_dd Two Targets Code

Figures 7-10 to 712 show the average time results obtained when writing/reading files to/from

two targets. Comparison of the data in these graphs revealed similar trends to those seen with the

base line results. As the file sizes increased, so did the times for writing/reading. The write/read

times also increased with the use of IPsec encryption and EASI encryption. It was noted that in

comparison to the original sg_dd code, the times taken to write/read the files approximately

doubled. This was expected since the base line test were for writing/reading to/from one target.

1K 10K 100K 1MB 10MB 100MB1.000

10.000

100.000

1000.000

RealUserSystem

File Size

Tim

e (s

econ

ds)

Figure 7-10: sg_dd Two Targets No Encryption

94

1K 10K 100K 1MB 10MB 100MB1.000

10.000

100.000

1000.000

RealUserSystem

File Size

Tim

e (s

econ

ds)

Figure 7-11: sg_dd Two Targets IPsec

1K 10K 100K 1MB 10MB 100MB1.000

10.000

100.000

1000.000

RealUserSystem

File Size

Tim

e (s

econ

ds)

Figure 7-12: sg_dd Two Targets EASI

95

7.3.3.1 sg_dd Original vs sg_dd Two Targets

Figures 7-13 to 7-15 compare the real, user, and system times for writes/reads using the sg_dd

code modified for transfer to two targets, and the original sg_dd code without encryption, using

IPsec and EASI respectively. It should be noted that the values obtained from the base line tests

using the sg_dd original code were doubled in order to provide a true comparison.

When comparing the real time values obtained in Figures 7-13 to 7-15, it was found that in the

majority of cases, the times recorded were slightly greater when using the code modified for

transferring to two targets.

In the case of the system times, the contrary was found to be true. The majority of the time values

were slightly lower when using the code modified for transferring to two targets. In the cases of

the real and system times, the differences between the times resulting from the use of the two

different sg_dd codes, did not appear to be very significant. However, when examining the user

times, all values recorded for the modified code were higher than the original code. In addition,

there appeared to be a general trend of decreasing time differences between the values as

encryption was applied, with the least differences noted with the times using the EASI scheme.

That being said, in each case only two pairs of non-zero values were obtained, so this trend

cannot be confirmed or refuted.

96

1E+02. 1E+03. 1E+04. 1E+05. 1E+06. 1E+07. 1E+08. 1E+09.0.001

0.010

0.100

1.000

10.000

100.000

1000.000

0.0160.032

0.242

1.773

12.618

131.541

0.006

0.038

0.318

1.524

15.192

151.528

0.02

0.276

0.01

0.188

0.047

0.243

1.632

11.578

80.542

894.111

0.0500.176

1.328

9.088

94.584

873.596

orig real 2 targets real orig user2 targets user orig system 2 targets system

File Size (bytes)

Tim

e (s

econ

ds)

Figure 7-13: Comparison of times values for the original and two target sg_dd codes with no encryption

1E+02. 1E+03. 1E+04. 1E+05. 1E+06. 1E+07. 1E+08. 1E+09.0.001

0.010

0.100

1.000

10.000

100.000

1000.000

0.009

0.037

0.229

1.828

18.519

172.926

0.038

0.358

1.922

19.918

196.976

0.022

0.299

0.012

0.212

0.039

0.233

1.376

10.810

103.436

972.577

0.044

0.196

1.616

10.762

101.302

942.604

orig real 2 targets real orig user 2 targets user orig system 2 targets system

File Size (bytes)

Tim

e (s

econ

ds)

Figure 7-14: Comparison of times values for the original and two target sg_dd code with IPsec

97

1E+02. 1E+03. 1E+04. 1E+05. 1E+06. 1E+07. 1E+08. 1E+09.0.001

0.010

0.100

1.000

10.000

100.000

1000.000

0.004

0.062

0.374

2.204

21.148

210.620

0.0100.034

0.209

1.500

16.242

161.000

0.021

0.266

0.012

0.23

0.031

0.198

1.091

8.608

95.665

941.019

0.054

0.284

1.532

11.360

99.680

977.990

orig real 2 targets real orig user2 targets user 2 targets system orig system

File Size (bytes)

Tim

e (s

econ

ds)

Figure 7-15: Comparison of times values for the original and two target sg_dd code with EASI

7.4 Summary of Results

The actual results obtained in general confirm the anticipated results with a few

exceptions. These exceptions may be the result of the relatively small sample size used

for the tests. However, it does not appear that the changes to the code for either the files

of arbitrary size or for the transfer of files to two targets have a significantly detrimental

effect on the overall performance.

98

Chapter 8

8. Additional Research

The results obtained from testing the EASI implementation (chapter 5) revealed a number of

limitations. One of the most significant was the inability to use the implementation with a

mounted target storage disk. In his thesis, Mr. Andukuri briefly mentioned that during the early

stages of his work he “attempted make the target disk accessible to the initiator by using the

‘mount’ command to mount the target iSCSI disk at a mount point on the initiator” [1-11].

However, he stated that the mount command resulted in “a counter-intuitive sequence of iSCSI

packets” [1-11]. As a result, he chose to use a regular file on the target machine as a storage

medium.

The ability to mount a target iSCSI disk on an initiator is highly desirable in a real-world

environment. It would also assist in using the cp command for files of arbitrary size. In order to

more fully understand the problems and proposed potential solutions, it was decided to examine

the network protocol analyzer log obtained when the mount command is issued. Since it is known

that both the iSCSI ‘Discovery’ and ‘Login’ processes are successful with the EASI scheme, it

was decided to obtain network protocol analyzer logs for these tasks for comparison purposes.

8.1 New Virtual Machine Test Bed

One of the things noted when testing the EASI implementation was that significantly updated

versions of the Linux kernel, open-iscsi and iscsi-target software were available. Since any future

developments on this project should take advantage of such updates, it was decided to create a

new test bed with more recent versions of the Linux kernel, initiator and target software. This test

bed was then used for producing the various network protocol analyzer logs.

99

The new test bed was created on a VMware Server using Fedora 8 with the Linux kernel

2.6.23.17. The initiator and target were implemented using the Open-iscsi-2.0.869.2 and

iscsitarget-0.4.16. The installation and operation of Open-iscsi-2.0.869.2 and iscsitarget-0.4.16

software are presented in Appendix H and I respectively. An additional hard disk was added to

the target machine to act as the target storage.

Once the test bed had been created, attempts were made to update the EASI scheme for use with

the new kernel code. However, since the kernel code had undergone significant changes, this was

not a straight forward task. In view of the fact that this had not been intended as the main focus of

the project, attempts at the modification ceased and it is proposed as future work.

8.2 Network Protocol Analyzer Logs

Figures 8-1 to 8-5 show the various logs obtained during the testing. The full log files are

available on the DVD accompanying this report. Examination of the logs was simplified by the

fact that the EASI scheme only encrypts/decrypts a packet if it is identified as an iSCSI packet

and carries a user payload. If these two criteria are not met then the packet is processed using the

native IPsec scheme. Thus, when attempting to determine processes that may be influenced by

the EASI scheme, it is only necessary to look for packets containing iSCSI ‘Writes’ and ‘Reads’

with associated user payload.

8.2.1 Discovery Process

Figure 8-1 shows the log obtained during the iSCSI ‘Discovery’ process. Examination of this log

revealed that only iSCSI commands were issued. The commands were ‘Login’, ‘Login

Response’, ‘Text Command’ and ‘Text Response’. Therefore, none of these commands would be

affected by the EASI scheme. This was anticipated, since when using the EASI scheme, no

difficulties were encountered when carrying out the Discovery process.

100

Figure 8-1: Wireshark Log obtained during the Discovery Session

8.2.2 Login Process

The log obtained during the iSCSI ‘Login’ session is shown in Figure 8-2. When examining this

log, it was noted that considerably more packets were transferred than when carrying out the

Discovery process. Examination of the log revealed that along with iSCSI ‘Login’ and ‘Login

Response’ commands, a variety of iSCSI/SCSI commands were issued. These included ‘Inquiry’,

‘Test Unit Ready’, ‘Response’, ‘Read Capacity’, ‘Mode Sense’, ‘Report Lun’, Data-in PDU and

‘Read’.

101

The presence of the iSCSI/SCSI ‘Read’ command containing packets followed by plain vanilla

TCP packets, followed by iSCSI/SCSI Data-in PDUs would on initial examination suggest that

the packets may be processed by the EASI implementation. However, examination of the TCP

header in the plain vanilla TCP packets revealed that the ‘push’ (PSH) flag was not set. As has

already been stated in this report, the EASI scheme utilizes the setting of PSH flag to identify

TCP packets containing user data following iSCSI/SCSI ‘Read’ commands. In view of this, it

would appear that although an iSCSI/SCSI ‘Read’ occurs during the login process, the non-

setting of the PSH flag would suggest that the packet does not undergo processing with the EASI

scheme. Hence, login is successful with the EASI scheme.

Figure 8-2: Wireshark Log obtained during the Login Session

102

8.2.3 Mounting the Target Storage Device File System on the Initiator

Figure 8-3 shows the log obtained when mounting the target storage device on the initiator. The

packets transmitted were iSCSI/SCSI ‘Reads’, plain vanilla TCP packets and their associated

iSCSI/SCSI Data-in PDUs. These were followed by an iSCSI/SCSI ‘Write’, ‘Ready to Transfer’

command, iSCSI/SCSI Data-out PDUs and an iSCSI/SCSI ‘Response’. The final packets in the

log are an iSCSI/SCSI ‘Read’, plain vanilla TCP packets and an iSCSI/SCSI Data-in PDU.

Examination of the TCP header in the TCP packets following the iSCSI/SCSI ‘Read’ packets

revealed that the ‘push’ (PSH) flag was not set. Some of the TCP packets contained what

appeared to be spurious data as did some of the iSCSI/SCSI Data-in PDUs.

One packet of particular interest is packet number 137. The data segment of this packet contained

the names of the files and directories on the target storage device. This can be seen in Figure 8-3.

It should be noted that even with this packet the PSH flag was not set in the TCP header. In view

of the fact that the PSH flag is not set in any of the TCP packets associated with iSCSI/SCSI

‘Reads’, Therefore, it would seem that these packets would not undergo processing by the EASI

scheme.

When examining the Data-out PDUs following the iSCSI/SCSI ‘Write’ packets, it was found that

they contained spurious data. It could be expected that they would be processed by the EASI

scheme leading to encryption of the data when this is not what is required when mounting the

target storage media.

In order to understand why iSCSI/SCSI ‘Writes’ and ‘Reads’ occur, it is necessary to consider

what happens when a mount command is issued. The ‘mount’ command used to mount a target

storage disk to the initiator is a file system level operation which is handled by the Virtual File

System (VFS) in kernel space. When the user issues a ‘mount’ command, amongst other things,

103

the kernel reads the file system information from the partition and sets up file system descriptors.

In the case of mounting a storage device resident on the target machine, read and write commands

may be called by functions invoked by the mount command. Since the iSCSI connection is the

only connection between the initiator and target, these commands can result in iSCSI/SCSI

packets being constructed and exchanged between initiator and target. Hence the appearance of

iSCSI/SCSI ‘Writes’ and ‘Reads’ and their associated Data-in and Data-out PDUs in the mount

log file.

More information about the system calls issued when using the mount command can be obtained

by using ‘strace’. strace was run when mounting the target storage device to the initiator. The file

obtained (mount.txt) is available on the DVD accompanying this report. Examination of the file

revealed that many system calls are made when the ‘mount’ command is issued and that some of

these may well be routed through the iSCSI layer resulting in the production of iSCSI/SCSI

‘Reads’, ‘Writes’ etc.

104

Figure 8-3: Wireshark Log obtained during Mounting the Target Storage Device File System on the Initiator

8.3 Writing to Mounted Target Storage using cp

The log obtained when writing a file to a mounted target storage disk using the cp command is

shown in Figure 8-4. Examination of the log revealed that three iSCSI/SCSI ‘Write’s’ occurred

and with each of these were associated a number of Data-out PDUs. Table 8-1 provides a

breakdown of the contents of the Data-out PDUs for each of the ‘Writes’. Examination of the

various PDUs revealed some interesting information. It was found that on some occasions the

105

SCSI payload contained a ‘Data’ field as can be seen in Figure 8-5. The reason for the

appearance of this is not known and requires further investigation.

As was the case with the mount command, the cp command results in a system call being placed

to the kernel, when this is processed by the kernel a number of other system calls can be invoked.

This was found to be the case when strace was used when executing the cp command to write a

file to the target storage disk.

Figure 8-4: Writing to mounted target storage using cp

106

Packet Numbers from 1st iSCSI/SCSI Write

Data-out PDUs

Packet Numbers from 2nd

iSCSI/SCSI Write Data-out PDUs

Packet Numbers from 3rd

iSCSI/SCSI Write Data-out PDUs

User Data as payload

11 None None

No payload and SCSI Data Field

14, 15, 16 25, 28, 31, 37, 40, 43, 49, 52, 55, 61, 64,

67,73, 76, 79, 85, 88, 91, 94, 97, 100, 103

111, 113, 114

Spurious payload and no SCSI Data

Field

None 22 None

Possible File System Content as Payload

and SCSI Data Field

None 34, 70, 82 None

Spurious payload and SCSI Data Field

None 46, 58 None

No payload and no SCSI Data Field

None None 109

Table 8-1: Packets for copying file to mounted storage disk

Figure 8-5: Data field in SCSI payload contained within a Data-out PDU

107

8.4 Reading from Mounted Target Storage using cp

The log obtained when reading a file from a mounted target storage disk using the cp command is

shown in Figures 8-6 and 8-7. The initial iSCSI/SCSI command was a ‘Read’, the plain vanilla

TCP packet following it contained the names of the directories and files currently on the target

storage disk. This can be seen in Figure 8-6. This iSCSI/SCSI ‘Read’ was followed by three

more ‘Reads’. The user data was found in a TCP packet associated with the second of these

additional three ‘Reads’. This is shown in Figure 8-7.

In addition to the ‘Reads’, there were two iSCSI/SCSI ‘Writes’ and associated Data-out PDUs. In

some of the Data-out PDUs, the payload was empty while in others there was data. However, the

data could not be identified.

108

Figure 8-6: Contents of TCP packet following the first iSCSI/SCSI ‘Read’

109

Figure 8-7: Reading from mounted target storage using cp

8.5 Summary

From the above discussion, it should be obvious that some way must be found to differentiate

between iSCSI/SCSI ‘Write’s’ and potentially iSCSI/SCSI ‘Read’s’, and their associated Data-in

and Data-out PDUs sent when mounting a target and when writing or reading a file to/from the

target storage using the cp command.

It is believed that examination of the system calls issued in when mounting the target, writing and

reading user data with the cp command may assist in identifying why some of the iSCSI/SCSI

‘Writes’ and ‘Reads’ appear .

110

Chapter 9

9. Disaster Recovery

As a society, we have become increasingly reliant on computers and associated technologies for

both business and pleasure. As such, loss of computer services can be anything from a nuisance

for a home user to a major problem for businesses.

Loss of computer services can result from major disasters, which hit the headlines, such as

hurricanes, floods, and fires. However, disasters can also encompass what appear to be innocuous

events such as planned and unplanned downtime. Planned downtime has the potential to be

considered a disaster if it exceeds the allotted time planned. Unplanned downtime can result from

such things as user errors, application errors, application and hardware failures, network outages,

false alarms, etc. The reality is that these events, which constitute 95% of what are considered

disasters in computer terms, can result in negative impacts on businesses in terms of trading,

profits, and failure to comply with legal requirements.

9.1 Disaster Recovery Plan

Obviously, since the impact of loss of computer services can be wide ranging, it is essential that

every business and organization have a disaster recovery plan. Such a plan will allow a business

to deal with potential disasters and minimize the impact of a disaster should it occur. The success

or failure of disaster recovery depends to a certain extent on the time take between a disaster and

the restoration of services. In the past, backups of data were made to onsite storage facilities.

However, events such as the disaster at the World Trade Center and the devastation caused by

111

Hurricane Katrina have highlighted the fact that in the case of a catastrophic event, onsite back up

will be totally ineffective.

In order to develop a disaster recovery plan, a business or organization must first carry out a risk

assessment. This enables the identification of potential risks, and their significance in terms of the

business or organization. The exact nature of the disaster recovery plan will vary from business to

business, and is beyond the scope of this project. However, it should incorporate a restart solution

to enable the timely restoration of services, and the total replication of all data and other vital

records.

9.1.1 Restart Solutions

The restart solution chosen will depend upon the nature of the business or organization for which

the disaster recovery plan has been developed. A number of restart solutions have been identified

by Hiles [1-4]. These include fortress, cold site, warm site, hot site, fault tolerant systems, and

continuous operation.

Fortress

A fortress restart solution is defined as one in which management seek to limit risk to a level

where it is decided any further recovery plan is unnecessary.

Cold Site

The cold site solution “provides an environment in which a new computing service can be built

from scratch in time” [1-4]. Obviously, for most businesses the cold site solution is not a viable

solution that can be adopted if they are to stay in business. The reason for this is the length of

time that would be required to reestablish the necessary services. For most

businesses/organizations the only truly viable solutions are warm site, hot site, fault tolerances, or

continuous operation.

112

Warm Site

A warm site solution provides both the environment and basic infrastructure that will allow the

necessary “computing services to be reinstated before its absence becomes critical to business

survival” [1-11].

Hot Site

A hot site is effectively a duplication of the primary computing system located at another site.

However, it does not have all the applications installed upon it.

Fault Tolerant System

A fault tolerant system seeks to eliminate hardware failure through replication of components and

potentially data.

Continuous Operation

Continuous operation provides continuous shadowing or mirroring of the system at an alternate

site. For the purposes of this project, interest is limited to the backup or mirroring of data.

9.2 Secure Asymmetric iSCSI for Disaster Recovery

The advent of online storage has somewhat simplified the backing up of computer data through

mirroring, etc at a remote location. However, with the new regulations of HIPPA and SOX, the

duplication of the data may no longer be sufficient. The backed up data needs to be securely

stored – this is where the Secure Asymmetric iSCSI for Online Storage scheme could be utilized.

However, the problem that needs to be resolved in terms of disaster recovery is that of the key to

decrypt the stored data. In the current implementation, the data is stored on the target in an

encrypted form. As a result, if the initiator is destroyed in a disaster, it will no longer be possible

to decrypt the data that is safely stored on the target, which in effect makes the data useless.

113

Potential solutions are:

1. Duplicating the initiator and consequently custom encryption/decryption key at a

secondary location.

2. Storing the key with a trusted third party such as Verisign.

A potential problem with the first solution is that the custom key is now available at two

locations. Thus the security is in effect diluted.

The second solution would appear to be a better option. However, this can also be problematic in

that the third party must be trusted but more significantly, in the event of a disaster it may take

some time to recover the key from the third party. The time taken may not be acceptable in terms

of the delay of restoring availability of data.

Since neither of the above solutions is ideal, this is certainly an area which needs further

consideration.

114

Chapter 10

10. Lessons Learnt and Observations

During the course of this project a number of lessons have been learnt and a number of

observations have been noted. These are presented here.

The sg_dd code uses defaults of standard input stream (stdin) for the input file (if) and

standard output stream (stdout) for the output file (of) if values are not provided on the

command line. In addition, if no data is to be written an output file of /dev/null must be

specified on the command line. This information was utilized in the enhancements to the

code for transferring files to two targets. The enhancements to the code require that two

targets be specified. Thus, when reading from a target back to the initiator the second

output file (of_1) is given a default value of /dev/null.

During the project, both Wireshark and its earlier incarnation Ethereal were used to

collect and examine network traffic. It was noted that when using the different versions to

examine the same file, different packets were displayed. It appears that the different

versions interpret/display packets in a different manner. In order to avoid confusion, and

since Wireshark is the currently available version, it was used to examine and compare

all network traffic logs.

When an iSCSI connection is established between an initiator and target, commands

issued to mount a target storage disk, or write/read user data using the cp utility, result in

additional calls occurring in the kernel. Some of these are subsequently passed to the

iSCSI layer for processing. As a result, additional iSCSI/SCSI ‘Write’ and ‘Read’

commands may be issued along with their associated Data-in and Data-out PDUs, and

TCP packets.

115

During efforts to develop the arbitrary file transfer implementation, the author attempted

to enhance the code such that only the user data present in the target file would be

retrieved. In order to do this, it was necessary to determine the number of bytes of user

data stored in the target file. From this, the count value required by the sg_dd command

could be determined. A number of problems were encountered which made these

attempts unsuccessful. As stated, the target storage used in the EASI implementation is a

file. Therefore, using commands such as ‘stat’ to determine the size, returns the size of

the entire storage file and not just the user data it contains. Attempts to determine the size

of the user data by identifying trailing white space were also unsuccessful. Encryption of

the user payload, results in a false value of the number of bytes being returned when

attempts are made to read the number of characters.

During the course of this project, the author attempted to update the EASI

implementation for use on a more recent version of the Linux kernel and to utilize the

most current versions of open-iscsi and iscsitarget. On examining recent versions of the

Linux kernel (2.6.21 through 2.6.24), it was found that significant changes have been

made to the kernel code, including the IPsec code. As a result, significant rewriting of

Mr. Andukuri’s code would be necessary. Although efforts were made to amend the

code, it was found not to be straightforward. After considerable effort, it was decided that

these changes should be made outside this project. This observation highlights an

important point, any future developments on this project should take into consideration

changes to the kernel code. If the implementation is to ultimately be utilized in a real

world environment, then ideally it should be included in the kernel tree.

116

Chapter 11

11. Future Directions

Although advances have been made in this project, it still remains a proof of concept. The work

undertaken during this project has identified a number of areas for future work. The suggested

future directions are presented here.

Modify the EASI scheme to use the most current Linux kernel version, open-iscsi and

iscsitarget code. This will necessitate examination of the current Linux kernel code and

the kernel code used in the existing EASI scheme to determine the changes made that

affect the encryption process.

Re-implement the EASI scheme in a way that mounted target storage disk can be used. In

view of the findings of the additional research, this will require an in-depth study of the

additional tasks performed by the kernel to execute the mount command. It will also

require a different method to be used to identify iSCSI/SCSI packets related to the mount

command, as well as enhancing the re-implemented scheme to allow the transfer of files

of arbitrary size. It is suggested that in addition to changes to the IPsec code, this may

require changes to the SCSI and iSCSI implementations, and/or redevelopment of the cp

command specifically for use with iSCSI. This may require the code to construct SCSI

CDBs as is the case in the sg_dd code. It is anticipated that when the cp command is

issued, the file size will have to be calculated, and any padding required by the chosen

encryption algorithm will also need to be calculated. This information may then be added

into the SCSI CDB thus preventing the target from rejecting the packet.

117

Improve the simplification of the setup and use of the implementation through the

development of an API.

Enhance the implementation to utilize a dynamic method, such as ‘racoon’, for

establishing security associations between the initiator and target - this should not be used

for the custom key for encryption/decryption of the user data.

Enhance the scheme to use a non hard coded custom key.

If the scheme is to be used for disaster recovery, the custom key must be accessible after

the disaster in order to decrypt data. This means that the custom key must be available at

another location which poses a problem. The more copies of the key that exist, the less

secure it may potentially become. One solution would be to use a third party to securely

store the key. The downside of this strategy is that it could increase the time to recover

from a disaster, since proof may be needed by the third party in order to retrieve the key.

118

Chapter 12

12. Conclusions

The enhancements to the Efficient Asymmetric Secure iSCSI scheme provided in Secure

Asymmetric iSCSI for Online Storage address some of the problems in bringing the

implementation closer to a viable solution for real world usage.

Transfer of arbitrary sized files has been simulated through enhancements to the sg_dd utility.

Results from the performance tests suggest that the enhancements do not significantly degrade

overall performance.

Additional enhancements were made to the sg_dd utility such that user data could be transferred

to two targets. As with the enhancements for files of arbitrary size, performance tests were

undertaken. The results obtained again suggested that the enhancements do not significantly

degrade overall performance.

Despite the enhancements a number of limitations still exist:

When transferring files of arbitrary size, the user must still specify a count value when

retrieving user data from the target storage. Consequently, they must know the size of the

file on the target storage.

When an arbitrary size file is sent to the target storage, additional data beyond that of the

actually data size it sent. This is done in order that the encryption scheme will not be

broken. As a result, when the user data is retrieved from the target it is no longer of

arbitrary size, rather it is rounded to the next block size (1024 bytes).

119

The enhancements for the transfer of files of arbitrary size were designed specifically for

the existing test bed. Therefore, limitations may exist on other test beds dependent on

how the target storage is identified.

When retrieving user data using the sg_dd utility enhanced to transfer files to two targets,

the file is only retrieved to a single initiator. As a result, the second ‘of’ value in the

command line is set to a default of /dev/null. This means that no data is in fact transferred

to what would be a second initiator. It is not clear whether the specification of /dev/null

as the second ‘of’ results in additional processing being undertaken. This warrants further

investigation.

Additional research has shown that mounting of a target storage disk results in the sending of

iSCSI/SCSI ‘Writes’ and ‘Reads’ which will be interpreted by the Efficient Asymmetric Secure

iSCSI scheme as user data. As a result, mounting of a target storage disk is not possible with the

existing encryption scheme. However, it is believed that usage of a mounted target storage disk

will be possible. This will require changes to be made to the IPsec code to allow packets

transferred during the mount process to be separately identified from those containing user data.

This may also require changes to the SCSI and possibly iSCSI code in order to differently label

such packets.

120

Bibliography

[1-1] Ensuring Data Integrity: Logical Data Protection for Tape Systems,http://www.crossroads.com/Library/WhitePapers/FeaturedWhitePapers.asp

[1-2] HIPAA. Health Insurance Portability and Accountability Act 1996,http://www.legalarchiver.org/hipaa.htm

[1-3] The Sarbanes-Oxley Act 2002, http://www.legalarchiver.ord/soa.htm

[1-4] Andrew Hiles, Surviving a Computer Disaster, Engineering Management Journal, December 1992

[1-5] Fibre Channel – Overview of the Technology, http://www.fibrechannel.org/technology/overview.html

[1-6] http://ceva-dsp.mediaroom.com/index.php?s=glossary

[1-7] http://www.sunrise.uk.com/glossary.html

[1-8] Ulf Troppens, Rainer Erkens and Wolfgang Müller, Storage Networks Explained: Basics and Application of Fibre Channel SAN, NAS, iSCSI and InfiniBand, 2004, Wiley & Sons Ltd, ISBN: 978-0-470-86182-0

[1-9] Jane Shurtleff, IP storage: A review of iSCSI, FCIP, iFCP http://www.iscsistorage.com/ipstorage.htm

[1-10] iSCSI for Storage Networking, http://www.snia.org/forums/ipsf/programs/about/isci/iSCSI_for_Storage_Networking.pdf

[1-11] Murthy S. Andukuri, Efficient Asymmetric Secure iSCSI,http://cs.uccs.edu/~gsc/pub/master/msanduku/doc/report_final.doc

[2-1] Friedhelm Schmidt, SCSI Bus and IDE Interface – Protocols, Applications and Programming, Addison-Wesley, 1995, ISBN: 0-201-17514-2

[2-2] Marc Farley, Storage Networking Fundamentals: An Introduction to Storage Devices,

Subsystems, Applications, Management, and File Systems, Cisco Press, 2005, ISBN 1-58705-162-1

[2-3] Thomas C. Jepsen, Distributed Storage Networks: Architecture, Protocols and Management, 2003, Wiley & Sons Ltd, ISBN:0-470-85020-5

[2-4] iSCSI Technical White Paper, SNIA IP Storage Forum,http://www.snia.org/forums/ipsf/programs/about/isci/iSCSI_Technical_whitepaper.PDF

[2-5] Integration Scenarios for iSCSI and Fibre Channel. SNIA IP Storage Forum,http://www.snia.org/forums/ipsf/programs/about/isci/iSCSI_FC_Integration_IPS.pdf

http://www.snia.org/forums/ipsf/programs/about/isci/iSCSI_FC_Integration_IPS.pdf

http://www.snia.org/forums/ipsf/programs/about/isci/iSCSI_Technical_whitepaper.PDF

http://cs.uccs.edu/~gsc/pub/master/msanduku/doc/report_final.doc

http://www.snia.org/forums/ipsf/programs/about/isci/iSCSI_for_Storage_Networking.pdf

http://www.iscsistorage.com/ipstorage.htm

http://www.sunrise.uk.com/glossary.html

http://ceva-dsp.mediaroom.com/index.php?s=glossary

http://www.fibrechannel.org/technology/overview.html

http://www.legalarchiver.ord/soa.htm

http://www.legalarchiver.org/hipaa.htm

http://www.crossroads.com/Library/WhitePapers/FeaturedWhitePapers.asp

121

[2-6] Shuang-Yi Tang, Ying-Pang Lu and David H. C. Du, Performance Study of Software-Based iSCSI Security, Proceedings of the First International IEEE Security in Storage Workshop (SISW ’02)

[2-7] American National Standard for information systems - Small Computer System Interface (SCSI) –Draft, December 16, 1985, http://www.t10.org/ftp/t10/drafts/s1/s1-r17b.txt

[2-8] Information technology - Small Computer System Interface – 2, Working Draft, 7th September 1993, http://www.t10.org/ftp/t10/drafts/s2/s2-r10l.pdf

[2-9] http://www.t10.org/scsi-3.htm

[2-10] http://www.t10.org/ftp/t10/document.00/00-269r1.pdf

[2-11] http://www.t10.org/lists/op-alph.txt

[2-12] Gary Field, Peter Ridge et al., The Book of SCSI, 2nd Edition, No Starch Press, 2000, ISBN: 1-886411-10-7

[2-13] M. Tim Jones, Anatomy of the Linux SCSI subsystem http://www.ibm.com/developerworks/library/l-scsi-subsystem/index.html

[2-14] Douglas Gilbert, The Linux 2.4 SCSI subsystem HOWTO, http://www.ibiblio.org/pub/Linux/docs/HOWTO/other-formats/pdf/SCSI-2.4-HOWTO.pdf

[2-15] http://www.andante.org/scsidoc/SCSI-3.html

[2-16] Yingping Lu and David H. C. Du, Performance Study of iSCSI-Based Storage Subsystems, IEEE Communications Magazine, August 2003, pp 76-82.

[2-17] Integration Scenarios for iSCSI and Fibre Channel.http://www.snia.org/forums/ipsf/programs/about/isci/iSCSI_FC_Integration_IPS.pdf

[2-18] Irina Gerasimov, Alexey Zhuravlev, Mikhail Pershin and Dennis V. Gerasimov, and Implementation of a Block Storage Multi-Protocol Converter, Proceedings of the 20 th

IEEE/11th NASA Goddard Conference of Mass Storage Systems and Technologies (MSS’03)

[2-19] John L. Hufferd, iSCSI The Universal Storage Connection, Addison Wesley, 2003, ISBN: 0-201-78419-X

[2-20] Internet Small Computer Systems Interface (iSCSI), http://www.ietf.org/rfc/rfc3720.txt

[2-21] Storage Networking Protocol Fundamentals: A Comparative Analysis of Ethernet, TCP/IP, and Fibre Channel in the Context of SCSI, James Long, Cisco Press, 2006, ISBN: 1587051605

[2-22] iSCSI Building Blocks for IP Storage Networking, A SNIA IP Storage Forum Whitepaper. http://www.snia.org/forums/ipsf/programs/about/isci/iSCSI_Building_Blocks_01.pdf

http://www.snia.org/forums/ipsf/programs/about/isci/iSCSI_Building_Blocks_01.pdf

http://www.ietf.org/rfc/rfc3720.txt

http://www.snia.org/forums/ipsf/programs/about/isci/iSCSI_FC_Integration_IPS.pdf

http://www.andante.org/scsidoc/SCSI-3.html

http://www.ibiblio.org/pub/Linux/docs/HOWTO/other-formats/pdf/SCSI-2.4-HOWTO.pdf

http://www.ibiblio.org/pub/Linux/docs/HOWTO/other-formats/pdf/SCSI-2.4-HOWTO.pdf

http://www.ibm.com/developerworks/library/l-scsi-subsystem/index.html

http://www.t10.org/lists/op-alph.txt

http://www.t10.org/ftp/t10/document.00/00-269r1.pdf

http://www.t10.org/scsi-3.htm

http://www.t10.org/ftp/t10/drafts/s2/s2-r10l.pdf

http://www.t10.org/ftp/t10/drafts/s1/s1-r17b.txt

122

[2-23] http://sg.torque.net/sg/sg_dd.html

[2-24] http://sg.torque.net/sg/sg3_utils.html

[3-1] Charles Kozierok, The TCP/IP Guide: A Comprehensive, Illustrated Internet Protocols Reference, 2005, No Starch Press, ISBN: 15932704X

[3-2] Deb Shinder, Securing Data in Transit with IPSec, July 2004, http://www.windowsecurity.com/articles/Securing_Data_in_Transit_with_IPSec.html

[3-3] Steve Friedl, An Illustrated Guide to IPSec, http://www.unixwiz.net/techtips/iguide-ipsec.html

[3-4] http://www.ipsec-howto.org/x202.html

[3-5] Ralf Spenneberg, IPSec HowTo,http://www.ipsec-howto.org/ipsec-howto.pdf

[B-1] Chris Huss and Mike Laverick, UltimateP2V using Qui Hong’s FixVM-SCSI and NU2’sBartPE,http://www.rtfm-ed.co.uk/docs/vmwdocs/whitepaper-ultimateP2V-QuickStart.pdf

[B-2] Saroj Patil, Study of P2V and V2P Using UltimateP2V, http: // cs.uccs.edu/~cs522/studentproj/projF2006/spatil/doc/report.doc

http://cs.uccs.edu/~cs522/studentproj/projF2006/spatil/doc/report.doc

http://www.rtfm-ed.co.uk/docs/vmwdocs/whitepaper-ultimateP2V-QuickStart.pdf

http://www.ipsec-howto.org/ipsec-howto.pdf

http://www.ipsec-howto.org/x202.html

http://www.unixwiz.net/techtips/iguide-ipsec.html

http://www.windowsecurity.com/articles/Securing_Data_in_Transit_with_IPSec.html

http://sg.torque.net/sg/sg3_utils.html

http://sg.torque.net/sg/sg_dd.html

123

Appendices

A. Wireshark

As stated in the main body of the report, Wireshark is a network protocol analyzer. In order to

install and use Wireshark, a number of other packages must be installed. This appendix provides

a brief overview of the packages and installations required for Wireshark in a Linux environment.

Full documentation of the Wireshark tool can be found at http://www.wireshark.org/docs/.

The packages that must be installed before Wireshark can be installed are GTK+ (The GIMP

Toolkit), Glib, libpcap and libpcap-devel.

GTK+ or The GIMP Toolkit is a cross-platform widget toolkit use for creating graphical user

interfaces. Glib is a cross-platform utility library used by GTK+. It provides data structure

handling for C, portability wrappers, and interfaces for such runtime functionality as an event

loop, threads, dynamic loading, and an object system.

libpcap is a library which provides a packet filtering mechanism based on the BSD packet filter

(BPF). It is the packet capture software used by Wireshark. libpcap-devel provides additional

libraries required to compile programs that use libpcap.

Prior to installing Wireshark, it is first necessary to ensure that the other required packages were

in place. The writer found that the F7 installation being used for development and testing already

had GTK+ and Glib installed. As such, no further discussion of these packages will take place.

Further information can be found at http://www.gtk.org/.

The libpcap and libpcap-devel packages were found to be absent from the installation. These

were installed using the commands below:

http://www.gtk.org/

http://www.wireshark.org/docs/

124

yum install libpcap

yum install libpcap-devel

Once the above two packages had been installed, the source file for Wireshark was obtained from

http://sourceforge.net/project/showfiles.php?group_id=255. Once downloaded, the wireshark-

0.99.8.tar.gz was extracted to the /usr/src/ directory using the following command:

tar –xvf wireshark-0.99.8.tar.gz

The wireshark-0.99.8 directory was then entered and the following commands were used to build

the application from the source code.

cd wireshark-0.99.8

./compile

make

make install

The application can then be started by typing ‘wireshark’on the command line.

http://sourceforge.net/project/showfiles.php?group_id=255

125

B. UltimateP2V and VMware Server Virtual Machine Creation

This appendix provides details for creating a virtual machine on VMware Server, and using

UltimateP2V to creating a clone of a physical machine and installing it on the virtual machine.

UltimateP2V is software (plug-in) that enables the user to clone a physical machine to a virtual

machine and vice versa. For the purposes of this project, only cloning of physical to virtual

machines was undertaken. In addition to cloning the physical machine, the software also allows

necessary system reconfiguration to be carried out in order to make the virtual machine bootable.

UltimateP2V utilizes BartPE (Bart Preinstalled Environment) to boot both the physical and

virtual machines. The clone of the hard disk is created using Symantec Ghost software.

The first stage in creating a clone of the physical machine requires the creation of a BartPE

bootable iso image. Full details of this process can be found in the paper by Huss and Laverick [B-

1] and the report of Patil [B-2] and will not be reproduced here. In this project the BartPE bootable

CD/iso image created by Patil was utilized.

The remaining steps for the P2V transfer are as follows:

1. Creation of a virtual machine on the VMware Server

2. Booting both the physical and virtual machines using the UltimateP2V CD

3. Cloning of the hard disk from the physical machine using Symantec Ghost

4. Booting the virtual machine and configuring the operating system for the hardware

components present.

126

B.1 Creation of a virtual machine on the VMware Server

Figure B-1 shows the virtual machine wizard graphical user interface displayed once the

VMware Server console has been started, and the selection has been made to create a new virtual

machine.

Figure B-1: VMWare Server Console

The next window is the configuration user interface which is shown in Figure B-2. For the

purposes of this project, the custom configuration was selected since this allows more specific

machine parameters to be specified than when using the typical configuration.

The next window presented, shown in Figure B-3, allows the user to select the guest operating

system (OS) and which version of the operating system to be used. Here the Linux was selected

as the OS with the particular version being Red Hat Linux.

127

Figure B-2: Typical or Custom Virtual Machine Configuration

Figure B-3: Selecting Guest Operating System

Having determined the OS and version, the next stage in the creation of the virtual machine is the

naming of the virtual machine and the location to which it is to be saved. The selections made in

this case are shown in Figure B-4.

128

Figure B-4: Naming of the Virtual Machine

The next stages of the configuration were to set the access rights, Figure B-5, the

startup/shutdown options, Figure B-6, the processor configuration, Figure B-7 and the amount of

memory for the virtual machine, Figure B-8.

In terms of access rights, it was decided to make the virtual machine private such that only the

user account used to create the virtual machine would have access to it. This was done in order to

prevent unauthorized users from making changes to the machine that could impact the EASI

implementation installed on the machine. The virtual machine account was selected as the user

powering on the virtual machine and as such, the startup and shutdown options were not

available.

129

Figure B-5: Setting the Access Rights

Figure B-6: Startup/Shutdown Options

In terms of the processor, the physical machine had only one processor and as such this option

was selected for the virtual machine. The memory allocated to the virtual machine was set to be

512MB.

130

Figure B-7: Processor Configuration

Figure B-8: Virtual Machine Memory

The next stages of the configuration involve selecting the type of network connection, Figure A-9

and the I/O adapter type, Figure A-10. The network connection selected for the machines used in

this project was bridge networking. The I/O adapter type selected was a SCSI adapter with LSI

logic.

131

Figure B-9: Network Connection

The last few steps of configuring the virtual machine include the selection of disk for the virtual

machine drive to use, the disk type, disk capacity, and the disk file name. Since the virtual

machine was to utilize a cloned image of the physical machine, a new virtual disk was created as

can be seen in Figure B-11. The virtual disk type selected was SCSI (Figure B-12). The size of

the disk was set to be 40GB as shown in Figure B-13. This size was chosen because the image

itself was approximately 20GB. Finally, the name of the disk file was specified. This is shown in

Figure B-14.

132

Figure B-10: I/O Adapter Types

Figure B-12: Virtual Disk

133

Figure B-13: Disk Type Selection

Figure B-14: Disk Capacity

134

Figure B-15: Disk File

This completes the steps in the initial creation and configuration of the virtual machine. The next

step in creating the virtual machine from the physical machine requires both the virtual machine

and physical machine to be booted from the UltimateP2V CD. However, before starting the

virtual machine, it was first necessary to change the boot in order to boot from the CD instead of

hard disk. This was achieved by clicking on the virtual machine tab (Figure B-16) selecting ‘Edit

virtual machine settings’ and then choosing the CD ROM and setting the path to it as shown in

Figure B-17.

135

Figure B-16: Virtual Machine Tab

Figure B-17: Editing the machine settings to boot from the CD

136

B.2 Booting the Virtual Machine with the UlitimateP2V CD

The next step in creating the virtual machine from the physical machine requires both the virtual

machine and physical machine to be booted from the UltimateP2V CD. Since it was not possible

to take screen shots from the physical machine, only the virtual machine information is discussed.

Once the virtual machine booted from the CD, the window shown in Figure B-18 relating to

network support was displayed. Since it was necessary to have network support to enable the disk

transfer from the physical to virtual machine, network support was started.

Figure B-18: Window for Network support

On choosing to start network support, the window shown in Figure B-19 was displayed.

From the list in this window, ‘Static IP Address (Manual) was selected. The IP address details

were then entered in the next window, shown in Figure B-20.

137

Figure B-19: Network Configuration Profile

138

Figure B-20: IP Address Configuration

B.3 Cloning the Hard Disk from the Physical Machine

The next step in the process was to clone the hard disk from the physical machine. This was

achieved by peer-to-peer transfer available using the Ghost software. This requires a number of

steps to be carried out on both the virtual and physical machines.

Operations on the Virtual Machine

On the main window displayed on the virtual machine click on the ‘GO’ button, from the options

displayed, choose ‘Programs’ followed by ‘Symantec Ghost8’ and then ‘Ghost32’. From the next

list displayed, shown in Figure B-21, select ‘Peer to Peer’, ‘TCP/IP’ and then ‘Slave’.

139

Figure B-21: Selecting Peer to Peer transfer via TCP/IP in Slave Mode

Operations on the Physical Machine

On the main window displayed on the virtual machine click on the ‘GO’ button, from the options

displayed choose ‘Programs’ followed by Symantec Ghost8 followed by Ghost32. From the next

list displayed select ‘Peer to Peer’, followed by ‘TCP/IP’ followed by ‘Master’. In ‘Slave TCP/IP

Address to Join to’ window displayed, type the IP address of virtual (slave) machine.

On the Physical machine choose the ‘Disk To Disk’ transfer option in Ghost. Then select the

local source drive by clicking on the drive number. This is the disk where the local operating

system is located. Then click ‘OK’. Repeat this process for the remote destination drive. In this

case, the first disk should be selected. No screen shots are available for these steps since it was

not possible to take screen shots from the physical machine.

140

The cloning of the physical machine takes place. On completion of the cloning process, a ‘Clone

complete dialog box’ is displayed. This is displayed on both the physical and virtual machines.

On the physical machine the UltimateP2V CD should be removed and the ‘Restart Computer’

button should be clicked. In the case of the virtual machine the ‘Continue button should be

clicked and Ghost should be closed. Once this has been done, the GRUB menu of the newly

cloned virtual machine should displayed, as shown in Figure D-22.

Figure B-22: GRUB Menu of Newly Cloned Virtual Machine

Dependent upon whether the devices connected to the virtual machine are different from the

physical machine, it may be necessary to configure them. This was not found to be necessary in

this case.

141

C. Creating a Mounted Target Storage Device

Various devices can be provided by the target to the initiator as storage. These include regular

files, block devices and virtual block devices such as RAID and LVM. For the purposes of this

project, it was decided to add an additional Hard Disk to the target server machine and configure

it as a LVM virtual block device to act as the storage. This appendix provides the details of

creating an additional hard disk and LVM on the VMware image of the University test bed target

machine along with the steps required to make the hard disk useable as a storage target.

C.1 Creation of an Additional Hard Disk

The first step in the creation of the storage device is to add an additional hard disk to the existing

virtual machine. This must be done with the virtual machine powered off. In the VMware target

machine display, select ‘Edit virtual machine settings’. This will display the machine settings

graphical user interface shown in Figure C-1.

Next select ‘Add’ this will result in the hardware disk wizard being displayed, as shown in

Figure C-2. Select ‘Next’ and then ‘Hard Disk’, as shown in Figure C-3, select ‘Next’ and in the

‘Select a Disk’ screen (Figure C-4) choose ‘Create a new virtual disk’ and click ‘Next’.

The next screen prompts the user for a disk type, select ‘IDE’, (Figure C-5), and click ‘Next’.

When prompted for a disk capacity select the desired capacity, in this case 2G was chosen, then

deselect ‘Allocate all disk space now; as shown in Figure C-6 and then click ‘Next’.

In the next window, shown in Figure C-7, accept the default value for the disk file name and

click ‘Finish’. On the last screen click ‘OK’ and this will complete the addition of the extra hard

disk.

142

Figure C-1: Graphical user interface for editing the virtual machine settings.

Figure C-2: Hardware Wizard display

143

Figure C-3: Hardware addition selector

Figure C-4: Select a Disk

144

Figure C-5: Select a Disk Type

Figure C-6: Specify disk capacity and allocation

145

Figure C-7: Disk file name

C.2 Configuring the Added Hard Disk as an iSCSI Target Device

Having added an additional hard disk to act as the storage, the next step is to create the LVM and

configure it for use.

On the Target Machine

1. Create the physical volume

[root@starget ~]# lvm

lvm > pvcreate /dev/hdb1

2. Create a virtual group

lvm > vgcreate vg /dev/hdb1

3. Create logical volume(s)

lvm > lvcreate –L 1.75G –n sasdisk vg

146

4. Exit lvm by typing the command ‘exit’

5. Edit the ietd.conf file

[root@starget ~]# cd /etc

Add the following entry to the ietd.conf file:

Target iqn.2008-04.com.testbed.scsi.disk.vg.sasdisk

Lun 0 Path=/dev/vg/sasdisk,Type=fileio

6. Start the iSCSI target

cd /etc/init.d

./iscsi-target start

On the Initiator Machine

Start the iSCSI initiator

./start_scsi_iscsi start

The above file starts the iSCSI initiator and discovers targets to which it can be connected. At the

end of a lot of output, the discovered targets are displayed. A typical example is shown of the

output is shown below.

[ad7a1f] 192.168.2.69:3260,1 iqn.2008-04.com.testbed:scsi.disk.vg.sasdisk

2. Login to the discovered target

./iscsiadm --m node --record ad7a1f --login

3. Format the LV that appears as the target storage.

To check that the scsi device is visible to the initiator type:

fdisk -l

147

You should see disk /dev/sda with info that it does not contain a valid partition table.

fdisk /dev/sda

At the prompt the following should be selected:

n (to add a new partition)

p (to select primary partition)

1 (partition number)

First cylinder : 1

Last cylinder: accept the default

w (to write the partition table)

4. Create a file system

mkfs –t ext3 /dev/sda or mkfs.ext3 –j c –b 1024 /dev/sda

6. Mount the partition

mkdir /mnt/iscsi_disk

mount /dev/sda /mnt/iscsi_disc

The target storage device is now mounted on the initiator and can be used for transfers. However,

if transfers are undertaken and then the initiator and target are shut down, you will not be able to

use sda after rebooting unless the following changes are made on the initiator.

Edit the iscsid.conf file

cd /etc

148

In the iscsid.conf file, change the entry:

node.startup=manual

to

node.startup=automatic

Once all transfers have been completed, the storage device should be unmounted and the sync

command executed.

umount /mnt/iscsi_disk

sync

The sync command is necessary because the initiator’s kernel thinks that it is the only entity to

ever access the scsi disk and therefore it may have buffered mount state.

149

D. Typical run through for Transferring Arbitrary Sized Files

D.1 Starting the Target and Initiator Software

The following are the commands for starting the target and initiator software. It should be noted

that the target software should be started first.

Start the target software

cd /etc/init.d

./iscsi_target start

Start the initiator software

cd /etc/init.d

./open-iscsi start

Discover target

The following commands are to be carried out on the initiator.

cd /root/open-iscsi-0.4-434/usr/

./iscsiadm -m discovery –t sendtargets –p 192.168.2.69:3260 –d10

Login to Target



./iscsiadm -m node --record df5b51 –login

150

D.2 Write User Data to the Target

The following command writes a file of slightly less than 10MB to the target storage.

sg_dd if=test_file_10MB-.txt of=/dev/sda bpt=1 odir=1 skip=0 seek=0

D.3 Reading User Data from the Target

The following command reads the user data from the target file back to the initiator.

It should be noted that the count value must be specified.

sg_dd if=/dev/sda of=10MB-ret.txt bpt=1 odir=1 skip=0 seek=0 count=10240

151

E. Typical run through for Transferring to Two Targets

E.1 Starting the Target and Initiator Software



Start the target software

cd /etc/init.d

./iscsi_target start

Start the initiator software

cd /etc/init.d

./open-iscsi start

Discover targets





Login to Target(s)



./iscsiadm -m node --record df5b51 –login

./iscsiadm -m node --record f2adee –login

152

E.2 Write User Data to the Target(s)

The following command writes a file of 100MB to the two targets.

sg_dd if=test_file_100MB-.txt of=/dev/sda of_1= /dev/sdb bs=1024 count=10240 bpt=1 odir=1

skip=0 seek=0

E.3 Reading User Data from the Target



sg_dd if=/dev/sda of=100MBret.txt bs=1024 bpt=1 odir=1 skip=0 seek=0 count=102400

153

F. Python and Tkinter

Python is a powerful open source dynamic programming language which is relatively easy to

learn and available for most major operating system. Python was used to develop the user

interface to simplify the tasks of generating keys and transferring files. Since these tasks are

likely to be carried out by systems administrators, the main purpose of the user interface is

functionality rather than to be ascetically pleasing. As such, Python is an ideal choice for

developing the user interface.

The Graphical User Interfaces (GUI’s) used for the configuration of the initiator and target and

the transferring of files was created using the Python programming language. Although it is not

necessary to understand or modify the code in order to use the GUI, it is necessary to have Python

and its associated GUI module (Tkinter) installed on both the initiator and target machines if the

GUI is to be used to configure the system and transfer files. The following are instructions for

installing Python and Tkinter on a Linux OS.

The versions of Python and Tkinter used for this project are python-2.4.3-8.FC4 and tkinter-

2.4.3-8.FC4 respectively. They can be installed using the following commands:

yum install python-2.4.3-8.FC4

yum install tkinter-2.4.3-8.FC4

Once installed python programs can be run using the command:

Python filename.py

154

G. User Interface Operating Instructions

As stated in the main body of this report, two user interfaces were developed, one for use on the

initiator and the other for use on the target. This appendix provides details regarding the operation

of these user interfaces.

The main purposes of the GUI’s are to start/stop the target software, start/stop the initiator

software, discover available target storage and login/logout to/from the target storage, and write

and reading files. In addition, both GUI’s provide additional functionality. This is discussed later

in this appendix.

G.1 Starting the Target Graphical User Interface

The first step is to start the target GUI. This is achieved by opening a terminal window on the

target machine(s). In this case, starget1 is being used. In the terminal window the following

command should be executed:

[root@starget1~]# python user_target_final.py

This results in the launching of the target GUI and the display of the main GUI window as shown

in Figure G-1. As can be seen a number of tabs are available in the GUI.

155

Figure G-1: Initial Window of Target Processing GUI

G.2 Starting the Target Software

In order to start the target software, the ‘Start/Stop Target’ tab should be selected. This results in

the screen shown in Figure G-2 being displayed. To start the target software, click on the ‘Start

Target’ button. Confirmation that the target software has started is displayed in the text display

box, as can be seen in Figure G-3.

156

Figure G-2: Start/Stop Target Tab of Target Processing GUI

Figure G-3: Message indicating that the Target Software has been Started

157

G.3 Starting the Initiator Graphical User Interface

The next step is to start the initiator GUI. This requires that the user changes to the initiator

machine (siscsi in this case).

Once on the initiator machine, a terminal window must be opened and the following command

should be executed.

[root@starget1~]# python user_initiator_final.py

This results in the launching of the initiator GUI and the display of the main initiator GUI

window as shown in Figure G-4. As with the target GUI, a number of tabs are available on the

initiator GUI.

Figure G-4: Initial Window of Initiator Processing GUI

158

G.4 Starting Initiator Software

In order to start the initiator software, the ‘Start Initiator’ tab should be selected. This results in

the screen shown in Figure G-5 being displayed.

To start the initiator software, click on the ‘Start Initiator’ button. Confirmation that the initiator

software has started is displayed in the text display box, as can be seen in Figure G-6.

Figure G-5: Start Initiator Tab of Initiator Processing GUI

159

Figure G-6: Message indicating that the Initiator Software has been Started

G.5 Discovering Available Targets

The next step is to discover the available targets to which the initiator can be connected. In order

to do this, the user must select how many targets that they wish to connect to. This is achieved

using the radio selection buttons on the GUI. The IP address(es) for the target(s) must be entered

in the appropriate text boxes. This is shown in Figure G-7. Once this information has been

entered, the user must click the ‘Discover Target(s)’ button. A list of available target storage

nodes is then displayed in the text box, also shown in Figure G-7.

In the example shown in Figure G-7, the user has selected to connect to one target. As can be

seen in the text display, this target machine had two target files to which the initiator can connect

with record numbers of ad7a1f and df5b51.

160

Figure G-7: Target Storage Discovery

G.6 Logging in to Target Storage

Having obtained the target record numbers through the discovery process described in the

previous section, the user can now login to the target(s). This is achieved by entering the

appropriate target record number(s) (df5b51 in this case) into the appropriate text box(es) and

then clicking the ‘Login to Target(s) button (Figure G-8). Once the login has been achieved, a

message is displayed in the text display box as can be seen in Figure G-8.

161

Figure G-8: Login to Target Storage

Having logged into the target storage, it is possible to write/read files to the target storage. In

order to do this, the user must first navigate to the appropriate tab on the initiator GUI, the ‘Write

file to Target(s)’ tab if a file is to be written to the target storage, or the ‘Read file from Target’

tab if a file is to be read from the target storage.

G.7 Writing to Target Storage

The first step in writing a file to target storage is to navigate to the ‘Write file to Target(s)’ tab

(Figure G-9). It is then necessary to specify how many targets the file is to be transferred to. This

is achieved by selecting either the ‘single’ or ‘duplicate’ radio buttons depending on whether the

file is to be transferred to one or two targets.

Next the user must enter the path to the file to be written in the ‘Transfer From’ text box and the

path to the target storage in the ‘Transfer to’ text box. If two targets are being used for storage,

162

the path to the second target storage should be entered in the ‘Secondary Transfer to’ text box.

Once this data has been entered, the ‘Transfer Files’ button should be clicked. The path to the

target storage can be determined by typing ‘fdisk –l’ in a terminal window. In this case, the target

storage path is /dev/sda.

Once the above data has been entered, the write is performed by clicking on the ‘Transfer Files’

button. Once the file has been transferred, a confirmation message is displayed in the text display

area (Figure G-9).

Figure G-9: Writing a File to Target Storage

G.8 Reading from Target Storage

In order to read a file from the target storage, it is first necessary to navigate to the ‘Read file

from Target’ tab (Figure G-10). Then specify the path to the file on the target. This is achieved

163

by entering the path to the file on the target, in this example /dev/sda in the ‘Location of File on

Target’ text box. As with writing a file to a target, this information can be determined by running

the ‘fdisk –l’ command in a terminal window.

It is then necessary to enter the path on the initiator and the file name to which the file is to be

read. This information is entered in the ‘Location on initiator to transfer to’ text box. In this

example the file is being read to /root/test1K_ret.txt.

Once all of the above information has been entered, the ‘Transfer Files’ button should be clicked.

This will execute the read and a message will be displayed in the text display area (Figure G-10)

indicating that the file has been successfully read to the initiator.

G.9 Disconnecting from Target Storage

Once all of the desired writes and/or reads have been carried out, the next step is to logout of the

target. This requires the user to navigate to the ‘Start Initiator’ tab shown in Figure G-8. In order

to logout of the target, the target record number must be entered in the ‘Record number of target

to logout’ text box. Next the user must click the ‘Logout from Target(s) button. A message will

be displayed in the text box indicating that the logout has been successful (Figure G-11). It

should be noted that the GUI only allows you to logout from one target at a time. In order to

logout from two targets this process must be repeated for each target record number.

164

Figure G-10: Reading a File from Target Storage

Figure G-11: Logging Out from Target Storage

165

G.10 Stopping Initiator Software

Once the user has logged out from all targets, the initiator software can be stopped. In order to do

this it is necessary to navigate to the ‘Initiator Status/Stop’ tab. Stopping the initiator software is

then achieved by clicking on the ‘Stop’ button (Figure G-12). A message is displayed in the text

area indicating that the initiator has been successfully stopped.

Figure G-12: Stopping the Initiator Software

G.11 Stopping the Target Software

Once the initiator software has been stopped the target software can also be stopped. In order to

do this it is first necessary to change to the target machine (starget1). The user must then navigate

to the ‘Start/Stop Target’ tab, shown in Figure G-13. Then in order to stop the target, it is

166

necessary to click on the ‘Stop Target’ button. This will stop the target software and a message

confirming this is displayed in the text display box (Figure G-13).

Figure G-13: Stopping the Target Software

G.12 Additional Functionality of the Initiator and Target GUI’s

In addition to the features already described both the initiator and target GUI’s have a number of

additional features.

G.12.1 Additional Target Functionality

There are three additional features available on the target GUI. These are the ability to:

check the current status of the target software,

create a new target storage file,

configure the ietd.conf file for new target storage.

167

Target Status

In order to check the status of the target software, the user must navigate to the ‘Start/Stop

Target’ tab. The current status of the software can be using the ‘Target Status’ button. The status

is then displayed in the text display box. In the case shown in Figure G-14, it can be seen that the

target software is running.

Figure G-14: Checking the Status of the Target Software

Creating a New Target File The first step in creating a new target file requires the user to navigate to the ‘Create Target File’

tab (Figure G-15). In order to create a new target file, the user must provide several pieces of

information. These are the location where the target file should be created, the name of the target

file and also its size in bytes. The desired path (location) to the target file must be entered in the

‘Location for target file’ text box, in the example shown in Figure G-15 this is /tmp/. The name

168

of the new target file must be entered in the ‘Enter name for new target file’ text box and finally

the size of the target file to be created must be entered in the ‘Enter size for new target file in

bytes’ text box.

Once the required information has been entered, the new target file is created by selecting the

‘Create Target’ button. A message indicating the successful creation of the target file is displayed

the text display box, as can be seen in Figure G-15.

Figure G-15: Creation of a New Target File

Configuring the ietd.conf File

Once a new target file has been created it is necessary to add its information to the ietd.conf file

in order that it can be used. In order to do this, the order must navigate to the ‘Configure

169

ietd.conf’ tab (Figure G-16). Then the user must enter the path to the target file in the ‘Directory

containing target file’ text box. The name of the target file must be entered in the ‘Name of target

file’ text box. Once this information has been entered the ‘Add target to configuration file’ button

should be clicked. This results in an entry being added to the ietd.conf file. Confirmation is

displayed in the text display area, as can be seen in Figure G-16.

Figure G-16: Configuration of the ietd.conf File

G.12.2 Additional Initiator Functionality

There are three additional features available with the initiator GUI. These are the ability to:

check the current status of the initiator software,

generating keys for use with the IPsec implementation,

creating database entries using the keys generated.

Initiator Status

170

In order to check the status of the initiator software, the user must navigate to the ‘Initiator

Status/Stop’ tab. The current status of the software can be checked by clicking the ‘Status’ button.

The status is then displayed in the test display box. In the case shown in Figure G-17, it can be

seen that the initiator software is running.

Figure G-17: Checking the Status of the Initiator Software

Generating IPsec Keys

In order to allow secure communications between the initiator and target and vice versa, it is

necessary to use IPsec. This requires that the initiator use shared keys to set up the

communication. The initiator GUI allows these keys to be generated. It is an optional task as the

keys may already have been generated. In order to generate the keys, the user must first navigate

to the ‘Generate Keys’ tab. The user must then select which keys to generate; the options are

‘Source to Target’ and/or ‘Target to Source’. In the example shown in Figure G-18 both ‘Source

171

to Target’ and ‘Target to Source’ were selected. Once the desired options have been selected, the

keys are generated by using the ‘Create Keys’ button. The generated keys are displayed in the

text display box, as can be seen in the figure.

Figure G-18: Generating Keys for use with IPsec

Generating SAD and SPD Entries

Once the IPSec keys have been generated, the SAD and SPD entries can be generated. In order to

create the database entries the user must select the desired check boxes, ‘Create SAD entries’

and/or ‘Create SPD entries’ and enter the source and destination IP addresses. Once this has been

done, the database entries are generated by clicking the ‘Generate Database entries’ key as seen in

Figure G-19. This function creates two files one containing the configuration for the SAD and

SPD entries on the initiator and the other the configuration for the SAD and SPD entries on the

target. In the case of the initiator the configuration file is executed and the database entries are

172

created. In the case of the target configuration file this must be passed to the target and executed

there to create the database entries. The file must be passed in a secure manner. How this is

achieved is not considered in this project.

Figure G-19: Generating SAD and SPD Entries

H. Open-iscsi-2.0-869.2

173

H.1 Installing the initiator software

tar xvf open-iscsi-2.0-869.2.tar.gzcd open-iscsi-2.0-869.2make KSRC=/usr/src/linuxmake KSRC=/usr/src/linux install

The open-iscsi-2.0-869.2 configuration file iscsid.conf used during the testing on the Fedora 8

test bed is included on the DVD accompanying this report. The following entries were changed

in the file:

# Open-iSCSI default configuration.# Could be located at /etc/iscsi/iscsid.conf or ~/.iscsid.conf## Note: To set any of these values for a specific node/session run# the iscsiadm --mode node --op command for the value. See the README# and man page for iscsiadm for details on the --op command.

#*****************# Startup settings#*****************

# To manually startup the session set to "manual". The default is manual.node.startup = manual

#***************# iSCSI settings#***************

# To enable R2T flow control (i.e., the initiator must wait for an R2T# command before sending any data), uncomment the following line:##node.session.iscsi.InitialR2T = Yesnode.session.iscsi.InitialR2T = Yes## To disable R2T flow control (i.e., the initiator has an implied# initial R2T of "FirstBurstLength" at offset 0), uncomment the following line:## The defaults is No.#node.session.iscsi.InitialR2T = No

## To disable immediate data (i.e., the initiator does not send# unsolicited data with the iSCSI command PDU), uncomment the following line:#node.session.iscsi.ImmediateData = Nonode.session.iscsi.ImmediateData = No

174

# To enable immediate data (i.e., the initiator sends unsolicited data# with the iSCSI command packet), uncomment the following line:## The default is Yes#node.session.iscsi.ImmediateData = Yes

H.2 Running the iscsi initiator

In order to run the target software, the following commands should be used. It should be noted

that the target software should be started before the initiator software.

H.2.1 Starting the intiator

cd /etc/init.d./open-iscsi start

H.2.2 Discovering Available Targets

cd /usr/src/ open-iscsi-2.0-869.2/usr./iscsiadm –m discovery –t sendtargets –p 192.168.2.106:3260

Execution of the above command will result in the output of the available targets. On the Fedora

8 test bed this was as follows:

192.168.2.106:3260, 1 iqn.2008-04.com.example:storagedisk2.sys1.xyz

H.2.3 Login to Target

cd /usr/src/ open-iscsi-2.0-869.2/usr./iscsiadm –m node –T iqn.2008-04.com.example:storagedisk2.sys1.xyz –p 192.168.2.106:3260 –login

H.2.4 To logout of the Target

cd /usr/src/ open-iscsi-2.0-869.2/usr

175

./iscsiadm –m node –T iqn.2008-04.com.example:storagedisk2.sys1.xyz –p 192.168.2.106:3260 –logout

H.2.5 Stopping the Initiator

cd /etc/init.d./open-iscsi stop

I. iscsitarget-0.4.16

176

I.1 Installing the target software

tar xvf iscsitarget-0.4.16.tar.gzcd iscsitarget-0.4.16make KSRC=/usr/src/linuxmake KSRC=/usr/src/linux install

The iscsitarget-0.4.16 configuration file ietd.conf used during the testing on the Fedora 8 test bed

is included on the DVD accompanying this report. The following entries were changed in the

file:

# Example iscsi target configuration

# Targets definitions start with "Target" and the target name.# The target name must be a globally unique name, the iSCSI standard defines the "iSCSI# Qualified Name" as follows:## iqn.yyyy-mm.<reversed domain name>[:identifier]## "yyyy-mm" is the date at which the domain is valid and the identifier# is freely selectable. For further details please check the iSCSI spec.

Target iqn.2008-04.com.example:storage.disk2.sys1.xyz

# Logical Unit definition# You must define one logical unit at least.# Block devices, regular files, LVM, and RAID can be offered to the initiators as a block device.Lun 0 Path=/dev/vg/iscsidisk,Type=fileio

# various iSCSI parameters (not all are used right now, see also iSCSI spec for details)#InitialR2T YesInitialR2T Yes#ImmediateData NoImmediateData No#MaxRecvDataSegmentLength 8192MaxRecvDataSegmentLength 1024#DefaultTime2Wait 2DefaultTime2Wait 180#DefaultTime2Retain 20DefaultTime2Retain 180#DataPDUInOrder YesDataPDUInOrder Yes

177

#DataSequenceInOrder YesDataSequenceInOrder Yes

I.2 Running the target

In order to run the target software, the following commands should be used. It should be noted

that the target software should be started before the initiator software.

I.2.1 Starting the target

cd /etc/init.d./iscsi-target start

I.2.2 Stopping the Target

cd /etc/init.d./iscsi-target stop

university of colorado colorado...

Documents