1. Technical Field
The present invention is directed to communications networks. More specifically, the present invention is directed to a method and apparatus for providing security to iSCSI data transaction.
2. Description of Related Art
Data storage is an essential part of any company's infrastructure. Rapidly increasing storage capacities and network speeds challenge storage system performance, whether it is at the enterprise level or below. IP storage addresses the requirements of a range of environments from single server to computer room, Internet data center, campus and WAN (wide area network).
IP storage, known as iSCSI, is a new emerging technology. ISCSI allows requests for data, transmission and reception of data over the Internet. ISCSI lets a corporate network transfer and store SCSI commands and data to any location with access to the WAN or the Internet.
As is well known, SCSI is a commonly used industry standard protocol for storage devices. Using the SCSI protocol, drive control commands and data are sent to the drives. Responses and status messages, as well as data read from the devices, are passed through SCSI controllers. In a system supporting iSCSI, a user or software application issues a command to store or retrieve data on a SCSI storage device. The request is processed by the operating system and is converted to one or more SCSI commands and data request. Both data SCSI commands and request go through encapsulation and, if necessary, encryption procedures. A packet header is added before the resulting IP packets are transmitted over an Ethernet connection. When a packet is received, it is decrypted (if it was encrypted before transmission), and disassembled, separating the SCSI commands and request. The SCSI commands are sent on to the SCSI controller, and from there to the SCSI storage device. Because iSCSI is bi-directional, the protocol can also be used to return data in response to the original request.
An iSCSI session begins with an iSCSI initiator (a client) connecting to an iSCSI target (typically, using TCP) and performing an iSCSI login. The login creates a persistent state between initiator and target, which may include initiator and target authentication, session security certificates, and session option parameters. Once the login is successfully completed, the iSCSI initiator may issue SCSI commands encapsulated by the iSCSI protocol over its TCP connection to be executed by the iSCSI target.
Thus, a login provides an opportunity for an initiator and target to setup an Internet Protocol Security (IPSec) connection in order to transact data over a virtual private network (VPN). However, an iSCSI machine is usually a computer system that has a limited operating system (OS). Having a computer system with a limited OS negotiating and configuring an IPSec connection may not be very effective.
Consequently, what is needed is an apparatus, system and method of having a computer system with a more-complete-OS handle the IPSec connection negotiations with an iSCSI initiator.