The present invention relates to a storage area management method for use in a storage area network (hereinafter, “IP-SAN”) for establishing a connection among a plurality of computers and storage systems over the Internet Protocol (IP) network.
For efficient data management in companies and other entities, establishing a Storage Area Network (SAN) is a popular option. A SAN is a network used for establishing a connection among a plurality of storage systems and computers. For data transfer over a SAN, the Fibre Channel Protocol is often used. In the description below, such a SAN is referred to as a FC-SAN.
Another type of SAN, i.e., an IP-SAN using iSCSI, has recently received considerable attention. Here, iSCSI is a protocol used for transmitting and receiving SCSI commands and data over the IP network. The SCSI commands are those conventionally used for communications between computers and storage systems, and data is transferred based on those commands. For details about iSCSI, refer to “iSCSI” authored by Julian Satran, et al., Jan. 19, 2003, IETF, (www.ietf.org/internet-drafts/draft-ietf-ips-iscsi-20.txt). Compared with a FC-SAN, an IP-SAN has an advantage in that, for example, any existing LAN (Local Area Network) equipment that is already in use as an infrastructure can be used therewith.
The issue here is that an IP-SAN requires substantial consideration for security. This is because, unlike a FC-SAN, a network used for an IP-SAN, e.g., the Internet or an intracorporate LAN, may not always be secure enough. Further, it is common knowledge that attack methods and attack programs have been developed specifically for the IP network.
For maintaining security with a SAN, one possibility is to provide access control between computers and storage systems, or to encrypt the communication path. As techniques for realizing access control between computers and storage systems, zoning, which partitions a communication path using switches or fabric, and LUN masking (Logical Unit Number masking), which provides end-to-end access control between ports, have been considered. The LUN masking technique is found in JP-A-2001-265655, for example.
For an IP-SAN, IPSec may be used to encrypt the communications path between computers and storage systems. For details about IPSec, refer to “Security Architecture for IP” authored by Stephen Kent and Randall Atkinson, November 1998, IETF, (www.ietf.org/rfc/rfc2401.txt). IPSec is a technique used for encrypting a communications path using a shared key. With IPSec, the shared key is managed under IKE (Internet Key Exchange), details of which are found in “The Internet Key Exchange (IKE)” authored by Dan Harkins and Dave Carrel, November 1998, IETF, (www.ietf.org/rfc/rfc2409.txt).