The present invention relates to communication between a host computer and a storage subsystem. In particular, it relates to a filtering technology and a communication cut-off technology applied to the communication that takes place when a host computer accesses a logical unit in a storage subsystem.
In a storage system in which one or more host computers and one or more storage subsystems are connected by a network, there is a security technology which prevents unauthorized access when a host computer accesses a logical unit (LU) in a storage subsystem.
As an example, in an environment where the logical units accessible to each host computer are restricted, blocking of unauthorized access is realized by providing a filtering function in the storage subsystem which judges whether a received access is permitted on the basis of information identifying the host computer that is its source.
For example, the storage system disclosed in Japanese Patent Laid-Open Publication No. 2000-265655 (hereinafter referred to as Patent Document 1) comprises, on a nonvolatile memory in the storage subsystem, a LUN access management table which manages, in association with one another, a WWN (World Wide Name) as information which uniquely identifies a host computer, a LUN (Logical Unit Number) as the number of a logical unit in the storage subsystem to which access from that host computer is permitted, and a virtual LUN as the number of a virtual LU that a user or an operating system on the host computer has arbitrarily assigned in parallel with the LUN. For the communication in which the host computer accesses the storage subsystem, the storage system further comprises a WWN-S-ID management table which manages, in association with each other, an S-ID (Source ID), a management number which is dynamically assigned at the time of log-in and remains constant while the host computer is in operation, and the WWN of that host computer.
In the storage system disclosed in Patent Document 1, whether access to a logical unit is permitted is judged, with reference to these two management tables, at the time an inquiry command is generated at log-in. After that, this judgment need not be repeated. On this account, it is possible to restrict access for each logical unit while maintaining and operating the storage subsystem at high performance, which realizes strong security.
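The two-table scheme described above can be modelled in a few lines. The following is an added example written for this explanation; it is not code from Patent Document 1 or from any storage product, and the WWNs, LUNs and S-IDs it uses are constructed sample values. It binds an S-ID to a WWN at log-in, performs the access judgment once when the inquiry command is processed, caches the resulting virtual-LUN to LUN mapping per S-ID, and then answers later accesses from that cache without consulting the WWN table again. It also shows the edge case of an S-ID being reused by a different host after log-out, which is why the cached mapping must be dropped at log-out and rebuilt at the next log-in.

```python
"""Model of LUN masking with a LUN access management table and a WWN-S-ID table.

Added example, not the patent's own code. All identifiers are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class LunAccessEntry:
    """One row of the LUN access management table (stored on nonvolatile memory)."""
    wwn: str          # identifies the host computer
    lun: int          # logical unit number inside the storage subsystem
    virtual_lun: int  # number the host computer sees for that LU


class StorageFilter:
    """Filtering function of the storage subsystem."""

    def __init__(self, lun_access_table: List[LunAccessEntry]) -> None:
        self.lun_access_table = list(lun_access_table)
        # WWN-S-ID management table: S-ID (assigned at log-in) -> WWN.
        self.wwn_sid_table: Dict[int, str] = {}
        # Result of the one-time judgment: S-ID -> {virtual LUN: LUN}.
        self._permitted: Dict[int, Dict[int, int]] = {}
        # Rejected accesses, kept so an operator can review them.
        self.rejections: List[tuple] = []

    def login(self, s_id: int, wwn: str) -> None:
        """Bind the dynamically assigned S-ID to the host's WWN."""
        self.wwn_sid_table[s_id] = wwn
        self._permitted.pop(s_id, None)  # any stale mapping for a reused S-ID

    def logout(self, s_id: int) -> None:
        """Forget the binding; the S-ID may later be reassigned to another host."""
        self.wwn_sid_table.pop(s_id, None)
        self._permitted.pop(s_id, None)

    def inquiry(self, s_id: int) -> List[int]:
        """Judge access once, at inquiry time, and cache the result per S-ID.

        Returns the virtual LUNs visible to the host that owns this S-ID.
        """
        wwn = self.wwn_sid_table.get(s_id)
        if wwn is None:
            self.rejections.append(("inquiry", s_id, None))
            return []
        mapping = {e.virtual_lun: e.lun
                   for e in self.lun_access_table if e.wwn == wwn}
        self._permitted[s_id] = mapping
        return sorted(mapping)

    def check_access(self, s_id: int, virtual_lun: int) -> Optional[int]:
        """Resolve a later access using only the cached judgment.

        Returns the LUN to forward the command to, or None when rejected.
        """
        mapping = self._permitted.get(s_id)
        lun = None if mapping is None else mapping.get(virtual_lun)
        if lun is None:
            self.rejections.append(("access", s_id, virtual_lun))
        return lun


def build_sample_filter() -> StorageFilter:
    """Constructed table: host A sees LUN 0 as vLUN 0 and LUN 3 as vLUN 1; host B sees LUN 3 as vLUN 0."""
    return StorageFilter([
        LunAccessEntry("wwn-host-a", lun=0, virtual_lun=0),
        LunAccessEntry("wwn-host-a", lun=3, virtual_lun=1),
        LunAccessEntry("wwn-host-b", lun=3, virtual_lun=0),
    ])


if __name__ == "__main__":
    f = build_sample_filter()
    f.login(0x010100, "wwn-host-a")
    print("host A sees", f.inquiry(0x010100))          # [0, 1]
    print("vLUN 1 ->", f.check_access(0x010100, 1))    # 3
    print("vLUN 2 ->", f.check_access(0x010100, 2))    # None
    f.logout(0x010100)
    f.login(0x010100, "wwn-host-b")                    # S-ID reused by host B
    print("host B sees", f.inquiry(0x010100))          # [0]
    print("rejections:", f.rejections)
```

The point of caching the judgment per S-ID is exactly the performance argument in the text: the per-command path is a dictionary lookup and never re-reads the nonvolatile tables. The cache is keyed on the S-ID rather than the WWN, so it must be invalidated whenever the S-ID is released, otherwise a host that later receives the same S-ID would inherit another host's permissions.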
In this regard, however, the storage system disclosed in Patent Document 1 is a system built on a dedicated network such as a SAN (Storage Area Network), in which a host computer and a storage subsystem are networked by a dedicated interface called Fibre Channel (FC). Therefore, it is a premise that only SCSI commands, which are the command set for access from a host computer to a storage subsystem, are transmitted to the storage subsystem.
On the other hand, in recent years, a standard specification of iSCSI, a protocol for transmitting and receiving SCSI commands on an IP network, has been studied by the standards body IETF.
In iSCSI, commands are transmitted and received by storing (encapsulating) a SCSI command or the like in the transfer frame of a TCP packet, which is in turn stored in the payload of an IP packet, and streaming it over the IP network; this realizes I/O processing between a host computer and a storage subsystem.
By using iSCSI, it is possible to connect not only a host computer but also a storage subsystem directly to an IP network. Hubs, routers, switches and the like that have conventionally been used to build an IP network can be used without change.
Therefore, by using an IP network, it is possible to easily respond to a widening of storage subsystem access which was previously difficult to realize owing to such technical aspects as cost and communication distance limits. It is also possible to apply matured IP network management technology without change, so that simplification of management can be expected.