With the increasing popularity of Internet commerce and network centric computing, businesses and other organizations are becoming more and more reliant on information. To handle all of this data, storage area networks or SANs have become very popular. A SAN typically includes a number of storage devices, a plurality of Hosts, and a number of Switches arranged in a Switching Fabric that connects the storage devices and the Hosts.
Most SANs rely on the Fibre Channel protocol for communication within the Fabric. For a detailed explanation of the Fibre Channel protocol and Fibre Channel Switching Fabrics and Services, see the Fibre Channel Framing and Signaling Standard, Rev 1.90, International Committee for Information Technology Standards (INCITS), Apr. 9, 2003, and the Fibre Channel Switch Fabric—2, Rev. 5.4, INCITS, Jun. 26, 2001, and the Fibre Channel Generic Services—3, Rev. 7.01, INCITS, Nov. 28, 2000, all incorporated by reference herein for all purposes.
Fibre Channel Fabrics use several kinds of databases replicated among all the Switches, such as the Zoning database. In some cases the information contained in these databases is relatively static, meaning that it changes only by way of an administrative action, while in other cases the databases are automatically populated by the Switches, and they may change much more frequently. An example of relatively static information is the information needed to maintain and enforce security within the Fabric. Security information within a Fibre Channel Fabric performs two basic roles, authorization and authentication. Authorization determines which entities in the SAN can perform which functions. Authentication involves the confirmation that entities connected to the SAN, such as Switches, Hosts and storage devices, are who they claim to be.
The Zoning information is part of the Authorization information. Within each zone, Hosts can see and access only storage devices or other Hosts belonging to that zone. This allows the coexistence of different computing environments within the same SAN. For example, it is possible to define within a SAN one or more separate Unix zones and/or Windows zones. The Unix servers belonging to a specific Unix zone may access only storage or Host entities within that Unix zone and are not permitted to access or interfere with the other entities in other zones connected to the SAN. In the same manner, Windows servers belonging to a particular Windows zone may access storage or Host entities only within that Windows zone, without accessing or interfering with the other entities in other zones connected to the SAN. The Switching Fabric allows communications only between entities belonging to the same zone, preventing an entity of one zone from seeing or accessing an entity of another zone.
In an environment with high security requirements, Zoning alone is typically not sufficient. Consequently, in many secure SANs, each entity, Switch or end device, is required to authenticate itself to the Fabric before being admitted to the SAN (i.e., the requesting entity is required to demonstrate that it is in fact who it claims to be before access is granted). In the same manner, when a first end entity wishes to access a second end entity within a zone, the first entity is required to authenticate itself. This is typically done by following the rules of an Authentication protocol, i.e. by exchanging a set of authentication messages between the two entities. Currently three types of authentication protocols are defined. The DH-CHAP protocol relies on a password to verify the identity of an entity. The SRP protocol relies on a password and a verifier. The FCAP protocol relies on a digital certificate to verify the identity of the entity. For more information on these protocols, please see the Fibre Channel Security Protocols, Rev. 1.1, INCITS, Apr. 17, 2003, incorporated by reference herein.
Regardless of the Authentication protocol used, some form of “secret” is used to authenticate the entities. These secrets are used to construct the Authentication protocol messages exchanged between entities, in a manner that depends on the particular protocol. The resulting messages are usually fairly large; in particular, they are usually bigger than 128 bytes.
Within a Fabric, communication may take place between two Hosts or a Host and a storage device (generally referred to as device to device communication), between an end device and the Fabric (device to Fabric communication), or between Switches (Switch to Switch communication). Regardless of the type of communication, one of the aforementioned protocols is used to authenticate the requesting entity.
Switch to Switch control communication occurs through the Switch Internal Link Services (SW_ILSs), which leverage the Fibre Channel Sequence mechanism to carry potentially very long messages, such as a Zone Merge Request. Authentication between Switches is therefore not a problem. SW_ILSs are able to carry authentication messages of any size, regardless of the Authentication protocol used, without problems or modifications.
Device to device or device to Fabric communication, however, occurs through the use of the Extended Link Services (ELSs). Although ELSs are designed in theory to leverage the Fibre Channel Sequence mechanism to carry long messages, in practice a significant number of the device designs and implementations commercially available are able to support only a very simplified form of ELSs. In particular, these devices do not support the Fibre Channel Sequence mechanism and have a limited buffer space (usually 128 bytes or less) for ELSs. This means that these devices can handle only ELS messages composed of a single FC frame not bigger than 128 bytes and are incapable of handling larger messages. Authentication between devices (Nx_Port to Nx_Port), or between device and Fabric (Nx_Port to Fx_Port), is thus a problem for such devices, since they are not able to carry the long ELS messages potentially required by Authentication protocols. This problem affects not only the devices with the aforementioned limitation but also the Switches to which they connect, since those Switches must interoperate with devices having limited ELS implementations as well as with devices without such limitations.
An apparatus and method for encapsulating long messages over the limited Extended Link Services used by certain devices in Fibre Channel Fabrics is therefore needed.
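The following is an added illustration of the constraint described above and is not the scheme claimed by this document: a long authentication message is split into single-frame payloads of at most 128 bytes and rebuilt on the receiving side, with every header field validated before use so a malformed fragment cannot overrun the advertised total. The four-byte fragment header, the one-byte fields and the sample message are all constructed for this example and are not a Fibre Channel format.

```python
import struct
from typing import Dict, List, Optional, Tuple

# Limit stated in the text: constrained devices accept a single-frame ELS
# payload of at most 128 bytes and do not support multi-frame Sequences.
ELS_MAX_PAYLOAD = 128

# Hypothetical fragment header (constructed for this example, not a Fibre
# Channel format): message id, fragment index, fragment count, payload length.
HDR = struct.Struct(">BBBB")
CHUNK = ELS_MAX_PAYLOAD - HDR.size  # 124 bytes of authentication data per frame


def fragment(msg_id: int, data: bytes) -> List[bytes]:
    """Split a long authentication message into single-frame ELS payloads."""
    chunks = [data[i:i + CHUNK] for i in range(0, len(data), CHUNK)] or [b""]
    if len(chunks) > 255 or not 0 <= msg_id <= 255:
        raise ValueError("message too long for the one-byte header fields")
    return [HDR.pack(msg_id, idx, len(chunks), len(c)) + c for idx, c in enumerate(chunks)]


class Reassembler:
    """Rebuild messages from fragments that may arrive out of order.

    Each field is checked before it is used, so a bad fragment cannot make the
    receiver store more than the advertised count or overwrite earlier data.
    """

    def __init__(self) -> None:
        self._pending: Dict[int, Tuple[int, Dict[int, bytes]]] = {}

    def feed(self, frame: bytes) -> Optional[bytes]:
        if len(frame) > ELS_MAX_PAYLOAD or len(frame) < HDR.size:
            raise ValueError("frame violates the single-frame ELS size limit")
        msg_id, idx, total, length = HDR.unpack_from(frame)
        payload = frame[HDR.size:]
        if total == 0 or idx >= total or len(payload) != length or length > CHUNK:
            raise ValueError("inconsistent fragment header")
        if idx < total - 1 and length != CHUNK:
            raise ValueError("only the last fragment may be short")
        expected_total, parts = self._pending.setdefault(msg_id, (total, {}))
        if expected_total != total or idx in parts:
            raise ValueError("fragment conflicts with earlier fragments")
        parts[idx] = payload
        if len(parts) < total:
            return None  # still waiting for the remaining fragments
        del self._pending[msg_id]
        return b"".join(parts[i] for i in range(total))
```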