Securing iSCSI Storage Solution Using Hashed Pair Mechanism


Author - Madhukar Gunjan C, LSI Technologies India Pvt Ltd., INDIA

Abstract— iSCSI communication traffic is authenticated through the session establishment phase of the initiator and target. Both have to establish an iSCSI session before the data is accessible. During this login phase, both participating parties need to exchange information to authenticate each other, negotiate the session's parameters, and mark the connection as belonging to an iSCSI session. But this authentication is still happening at the iSCSI layer and is still vulnerable to corruption. The proposed method will further secure the traffic by adding one more layer of security at the iSCSI layer and the IP layer. This will be achieved with the help of a hash pair mechanism and a pre-shared password between the initiator and target, which will generate a digital signature to be included in the iSCSI PDU or frame. At another level, the IP layer, we further authenticate the IP header with the help of a second hash pair mechanism, which gives us the hashed IP header to prevent security threats.

I. INTRODUCTION OF STORAGE SOLUTION

iSCSI- An Overview-
iSCSI is a transport protocol for SCSI that operates on top of TCP through encapsulation of SCSI commands in a TCP/IP stream. It enables the transport of I/O block data over IP networks.

Mapping SCSI to iSCSI-
Transport Layer-
1. Multiplexing, fragmentation
2. Port link establishment (default 3260)
3. Flow control using sliding window protocol
4. Synchronize out-of-order packets and discarded packets.
Internet Protocol Layer-
1. Network layer to IP-based SAN
2. Maintains IP address
3. IP routers and switches used to transfer iSCSI PDUs.
Data Link Layer-
1. Gigabit Ethernet (GbE)

iSCSI Connection and Session establishment-
iSCSI Connection:
1. Verify a TCP connection over which the initiator and target communicate via iSCSI PDUs.
2. Verify it is uniquely identified in a session by an initiator-defined connection ID (CID).

3. Verify the response and any data associated with an iSCSI command must be returned on the same connection.
iSCSI Session:
1. Verify a set of iSCSI connections that link an iSCSI initiator and target.
2. Verify it is uniquely identified by a 64-bit Session ID (SID) built from a 48-bit initiator-defined Initiator Session ID (ISID) and a 16-bit target-defined Target Session Identifying Handle (TSIH).
3. Verify resources of a target (i.e., LUNs) must be identical across all connections that make up a session.
4. Verify commands can be alternated across all connections in a session for bandwidth aggregation.
5. Verify error recovery connections can be created on the same network portal as a failed connection.

Security at Risk-
The existing solution takes care of security risk at the initial stage, to protect against an initial login attack. Initial authentication mechanisms may include SRP to validate the integrity of the sessions. So the existing solution takes care of active attacks on session authentication but is least bothered about active attacks on the TCP/IP sessions that result after the authentication (e.g., TCP/IP snooping), since there is no strong protection provided at the iSCSI layer or the IP layer at this stage.

The diagram shows the various phases of iSCSI layer authentication. The authentication is done at the initial login phase only. Also, currently there is no authentication happening at the IP layer level.

Disadvantages-
In most cases, the data is more important than performance. After the Full featured Phase, the initiator sends SCSI frames and the data as payload within the iSCSI PDU. At this stage it is possible for a snooper to attack over the IP network and perform the following harmful acts:
1. Hack the confidential data.
2. Inject errors during data transmission.
3. Alter the packets containing data and SCSI command messages.
4. Access passwords from the iSCSI login frame.
5. Reset the connection and play havoc by attacking the security negotiation process.

Details of Solution-
In iSCSI, a SCSI command is encapsulated in TCP/IP packets and transferred between a server (initiator) and a storage device (target) via IP networks. Since standard SCSI commands are embedded in iSCSI, users can operate a remote storage device directly as if they were accessing a local disk connected to the server. The frame structure is something like:-

To start with, we require the user to provide a password at the application level. This password is pre-shared between the initiator and the target at the onset only. We would use this password later to generate a digital signature at the iSCSI layer. Here we are going to have the first Hash Value Function, which will use the pre-shared password and generate a digital signature which goes into the iSCSI frame. We will add this piece of information in addition to the iSCSI header and the SCSI data or command in the iSCSI frame.
The hash value function will work in the following way:-

H(input) = h

Where:-
Input is the pre-shared password which the user specifies,
H is the hash function which takes a variable-size input and returns a fixed-size string which is called the hash value h, which in our case would be the digital signature.
The function would also have an inverse which will return the input variable when passed the digital signature as an argument.

H'(h) = input
Let us look at this with the following diagram-

At this stage we secure the iSCSI session establishment with the help of this digital signature and the 1st hash value function [HVF1]. We would have a reverse hash function at the other end [target] which will, from the digital signature, re-generate the pre-shared password and authenticate the session. Once the passwords match we establish the connection.

Once the iSCSI session is established, everything goes as before till we come to the IP layer. At this stage we would have a second hash function [Hash Value Function 2 or HVF2] which will take the initiator IP header and feed it into the function to generate a hashed IP header. Again at the target side we have a reverse of the hash function which will re-generate the original IP header from the initiator. Now from the original IP header we extract the source and destination IPs and confirm them with an address index table present at this layer. This table is updated with all the IPs of the devices that are participating and are active in the network and is available with all the devices in the network. The address index table is updated automatically as and when new devices join or leave the network.
The table will be something like this:-

Initiator/Host          Target/iSCSI Target
IP              Port    IP
172.28.10.11            10.10.11.12
172.28.11.10            10.10.11.13

Address Index Table

Once the source and destination IPs are matched, we secure the connection and ensure that no spoofing is happening. This way we make sure that the source and destination IPs re-generated from the hashed function are always valid IPs and are tamper proof. This index table functionality is something new which would be present at the IP layer level of all devices. However, we would want to have this table administratively monitored and edited if required.

The following diagrams explain the concept from the initiator and target perspective-

[Diagram: From Initiator/Host to iSCSI Target]
[Diagram: From iSCSI Target to Initiator/Host]

The flow chart of the whole process would be as per the following diagram:-

1. Ethernet frame received.
2. Filter the hashed IP header.
3. Reverse HVF2 + hashed IP header = original IP header.
4. Is Src IP Addr in IP header = initiator IP Addr of index table && is Dest IP Addr in IP header = target IP Addr of index table?
   No: discard the frame.
   Yes: continue.
5. Move frame to TCP layer.
6. Filter out iSCSI PDU.
7. Is digital sign included in the iSCSI PDU + HVF1 = pre-shared user password?
   No: discard the frame.
   Yes: continue.
8. Bona-fide SCSI frame. Access to storage or target granted.
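The receive-side flow chart above and the earlier H(input) = h description, as an added example (not code from the paper): a cryptographic hash has no inverse H', so this sketch substitutes HMAC-SHA256 keyed from the pre-shared password, and the target recomputes each tag and compares it instead of regenerating the password or the header. The function names, frame layout, password and payload are constructed for illustration; the address pairs are the rows of the paper's address index table.

```python
import hashlib
import hmac
import ipaddress

# Constructed sample values; the address pairs are the rows of the paper's table.
PASSWORD = b"example-pre-shared-password"
INDEX_TABLE = {("172.28.10.11", "10.10.11.12"), ("172.28.11.10", "10.10.11.13")}


def derive_key(password: bytes, label: bytes) -> bytes:
    """Per-layer key (assumed scheme); a deployment would stretch the password with a KDF."""
    return hmac.new(password, label, hashlib.sha256).digest()


def hvf1_sign(password: bytes, pdu: bytes) -> bytes:
    """Stand-in for HVF1: tag over the iSCSI PDU bytes."""
    return hmac.new(derive_key(password, b"hvf1"), pdu, hashlib.sha256).digest()


def hvf2_sign(password: bytes, src: str, dst: str) -> bytes:
    """Stand-in for HVF2: tag over the packed source and destination addresses."""
    packed = ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
    return hmac.new(derive_key(password, b"hvf2"), packed, hashlib.sha256).digest()


def build_frame(password: bytes, src: str, dst: str, pdu: bytes) -> dict:
    """Initiator side: attach both tags to the outgoing frame (hypothetical layout)."""
    return {"src": src, "dst": dst, "ip_tag": hvf2_sign(password, src, dst),
            "pdu": pdu, "pdu_tag": hvf1_sign(password, pdu)}


def receive(frame: dict, password: bytes = PASSWORD, table=INDEX_TABLE) -> str:
    """Target side: the flow chart's decision points, in order."""
    expected_ip = hvf2_sign(password, frame["src"], frame["dst"])
    if not hmac.compare_digest(expected_ip, frame["ip_tag"]):
        return "discard: IP header tag mismatch"
    if (frame["src"], frame["dst"]) not in table:
        return "discard: address pair not in index table"
    if not hmac.compare_digest(hvf1_sign(password, frame["pdu"]), frame["pdu_tag"]):
        return "discard: PDU signature mismatch"
    return "accept"


if __name__ == "__main__":
    ok = build_frame(PASSWORD, "172.28.10.11", "10.10.11.12", b"constructed SCSI payload")
    print(receive(ok))
    print(receive(dict(ok, pdu=b"altered payload")))
```

The tags carry no sequence number or nonce, so this sketch does not detect replayed frames.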

Features:
1. The digital signature feature can
also be used in case of IPv6.
2. The address index table can be
administratively edited to allow or
deny devices participating in the
network.
3. Hash pair functionality can be
implemented either on a dedicated
piece of hardware i.e. offloading
the CPU computation onto a HBA
(Host Bus Adapter) or on Software
initiators and targets i.e. virtual
SCSI adapters.

Advantages:
1. Authentication and Confidentiality
– Ensures that the identities of
both the sender and the receiver of
a communication are authentic
before information is exchanged and
keeps important information
confidential, private and within
the control of the owning
organization.
2. Data Integrity – Ensures the data
integrity during transmission. We
can be now sure that data is not
stolen, deleted or maliciously
altered. Thus this mechanism
prevents storage networks from
being compromised.
3. Implementation – The above
described mechanism only requires a
small amount of code addition to
the iSCSI driver and to the NIC/HBA
card driver and will be easy to
implement.

Disadvantages-
1. Since we are not changing the frame
size, some amount of payload data
has to be compromised in order to
accommodate the digital signature.
Usage-
1. This mechanism can be used with
already existing infrastructure and
would be helpful in securing iSCSI
traffic. And the overall solution
would greatly minimize unauthorized
access to data and make the network
more robust.

Terms Used-
NIC – Network Interface Card
HBA – Host Bus Adapter
PDU – Protocol Data Unit
HVF – Hash Value Function

Author's Address-
Madhukar Gunjan C
LSI Technologies India Pvt Ltd.
#4/1,Baneerghatta Road,
Bangalore-560076