1. Field of Invention
The present invention relates generally to a system for monitoring and filtering frames sent within a network system, and more particularly, to performing actions upon frames based upon individual frame contents.
2. Description of the Related Art
As the result of continuous advances in technology, particularly in the area of networking such as the Internet, there is an increasing demand for communications bandwidth. For example, the transmission of data over a telephone company's trunk lines, the transmission of images or video over the Internet, the transfer of large amounts of data as might be required in transaction processing, or videoconferencing implemented over a public telephone network typically require the high speed transmission of large amounts of data. Such applications create a need for data centers to be able to quickly provide their servers with large amounts of data from data storage. As such data transfer needs become more prevalent, the demand for high bandwidth and large capacity in data storage will only increase.
Efficient data storage and management are becoming increasingly important to business-critical decision-making. This data dependence has greatly increased the number of input and output transactions, or I/Os, required of computer storage systems and servers. As a result, organizations are being forced to dedicate substantial resources to managing and maintaining their storage systems.
Fibre Channel is a transmission protocol that is well-suited to meet this increasing demand, and the Fibre Channel family of standards (developed by the American National Standards Institute (ANSI)) is one example of a standard which defines a high speed communications interface for the transfer of large amounts of data via connections between a variety of hardware devices, including devices such as personal computers, workstations, mainframes, supercomputers, and storage devices. Use of Fibre Channel is proliferating in many applications, particularly client/server applications that demand high bandwidth and low latency I/O. Examples of such applications include mass storage, medical and scientific imaging, multimedia communications, transaction processing, distributed computing and distributed database processing applications.
In one aspect of the Fibre Channel standard, the communication between devices is based on the use of a fabric. The fabric is typically constructed from one or more Fibre Channel switches and each device (or group of devices, for example, in the case of loops) is coupled to the fabric. Devices coupled to the fabric are typically capable of communicating with every other device coupled to the fabric.
Conventional Fibre Channel systems freely pass frames from a source device to a destination device without individualized frame filtering or review. However, there are situations where the ability to freely communicate between all devices on a fabric is not desirable. For example, it may be desirable to screen off certain devices on a fabric in order to perform testing and/or maintenance activities on only those devices, without the risk of interfering with the other devices on the fabric. Devices may need to be segregated according to their operating system or other technical features. Certain devices may wish to receive only frames using a certain protocol. Access to or by certain devices may need to be restricted for security reasons. Additionally, the system may wish to monitor the characteristics of individual frames being sent within the fabric.
Conventional Fibre Channel fabrics do not support the filtering of individual frames from the hardware level. Devices can be prevented from communicating with each other typically only if they are actually physically separated (e.g., coupled to different fabrics). However, this method does not facilitate the ability to examine each frame and make individualized decisions concerning the actions to take for each frame.
In certain fabrics, this segregation, or zoning, can be accomplished by software present in the switches. An example of this operation is provided in U.S. patent application Ser. No. 09/426,567, entitled “Method and System for Creating and Formatting Zones Within a Fibre Channel System” by David Banks, Kumar Malavalli, David Ramsay, and Teow Kha Sin, filed Oct. 22, 1999, which is hereby incorporated by reference. The Simple Name Server present in the switches may provide software zoning, providing only the information on devices that are in the zone during the log in processes of a device. However, software zoning is limited in that the entire fabric is still accessible to a “bad” device that determines by other means which devices are present on the fabric. Thus, while software zoning is available, it is not sufficiently secure, and some sort of hardware protection mechanism using frame filtering is still needed.
Certain switches, such as the Silkworm 2800, provided by Brocade Communications, Inc., have limited hardware zoning which is accomplished by limited hardware frame filtering. This is also exemplified in U.S. patent application Ser. No. 09/426,567. When devices on a fabric are initialized, they receive a Worldwide Name (WWN). A portion of this WWN includes details on the domain and switch port to which they are connected. Those certain switches have the capability of monitoring the source and destination domain and port numbers of a packet and can perform zoning or filtering on that information. However, even though this port hardware zoning is a security improvement on the software zoning, it is still very limiting and inflexible. Additionally, it is not as secure as desired, as any devices within the zone can communicate, so that the fabric must be organized so that devices do not contain material that must be secure from any other devices in the zone. This limits the end user's capabilities for designing their computer system, increasing costs and complexity.
In still other switches, such as the Silkworm 3200, 3800, and 12000 from Brocade, frames are reviewed in hardware against a set of individual frame filters. Each frame filter is associated with an action, and actions selected by filter matches are prioritized. Additional actions may be defined if a frame does not generate a filter match. Filtering actions include, but are not limited to, forwarding the frame, discarding the frame, performing additional processing upon the frame and creating new frame filters based upon the frame contents.
One technical aspect of frame filtering enables groups of devices to be “zoned” together, for example by WWN. At the hardware level, frame filtering of zone groups (used interchangeably with zone group filtering) ensures that restrictions placed upon communications between devices within the same zone are enforced. Zone group filtering is also used to prevent devices not within the same zone from communicating. Zoning accomplished by frame filtering may be further expanded to create LUN-level zones, protocol zones, and access control zones. In addition, individual frame filters may be created that reference selected portions of frame header or frame payload fields for zoning purposes.
Frame filtering is typically performed at or near wire speed. In order to provide for a rapid frame decision-making process, much of the frame filtering process is performed by hardware structures, thereby providing higher levels of security than conventional software zoning techniques and more flexibility and security than port-based hardware zoning alone. Additionally, frame filtering in accordance with the present invention can be expanded beyond the limits of the physical hardware structures through the use of virtual frame filtering structures, which call upon the kernel software layer to enable this feature.
While LUN zoning provides better zoning than prior methods, even that zoning level has potential security problems. In many cases each LUN includes a number of partitions or volumes. This is usually done to simplify management of the storage but can also be done to restrict rights in particular partitions. Therefore, in many cases it is not desirable to allow a particular host to have access to the entire LUN, but only to selected partitions. Thus, it would be desirable for a given situation to be able to further limit a LUN zone to a partition or partitions within a particular LUN. But the prior LUN zoning does not allow this further granularity. Thus, it is desirable to provide zoning to within a partition or partitions of a LUN to further improve security.
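As an added illustration that is not part of the patent text or of any Brocade product, the following Python model captures the filter arrangement described above: a set of individual frame filters, each tied to an action, evaluated against every frame, with the highest-priority match deciding and a default action (discard) applied when no filter matches. It enforces WWN zone group filtering on the S_ID and D_ID header fields through a constructed name-server mapping, LUN-level filtering on the LUN field of the FCP_CMND payload, and, as one assumed way of expressing the partition-level restriction motivated in the last paragraph, a filter that confines READ(10) and WRITE(10) commands to a logical block address range. The filter that creates new filters from frame contents is not modeled. All port addresses, WWNs, LUN numbers and block ranges are constructed sample values; the engine is a software sketch of the hardware behaviour, not the invention's implementation.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, List, Optional, Tuple

# Every address, WWN, LUN number and LBA range below is a constructed sample
# value chosen for this illustration; none refers to a real fabric or device.


class Action(Enum):
    FORWARD = "forward"
    DISCARD = "discard"


@dataclass(frozen=True)
class Frame:
    s_id: int       # 24-bit source port address assigned at fabric login
    d_id: int       # 24-bit destination port address
    fc_type: int    # FC-4 type: 0x08 = SCSI-FCP, 0x01 = extended link service
    payload: bytes  # frame payload; an FCP_CMND IU for SCSI commands


@dataclass(frozen=True)
class FrameFilter:
    name: str
    priority: int                  # when several filters match, the highest wins
    match: Callable[[Frame], bool]
    action: Action


# Constructed name-server table (port address -> WWN), filled at device login.
# WWN zoning is enforced on the S_ID/D_ID header fields through this mapping.
NAME_SERVER = {
    0x010100: "10:00:00:00:c9:aa:aa:01",  # host A
    0x010200: "10:00:00:00:c9:aa:aa:02",  # host B
    0x020100: "50:06:01:60:bb:bb:bb:01",  # storage array
}
ZONE = {"10:00:00:00:c9:aa:aa:01", "50:06:01:60:bb:bb:bb:01"}  # host A + array


def in_zone(frame: Frame) -> bool:
    """Zone group filter: both endpoints must resolve to WWNs in the zone."""
    return NAME_SERVER.get(frame.s_id) in ZONE and NAME_SERVER.get(frame.d_id) in ZONE


def fcp_lun(payload: bytes) -> Optional[int]:
    """FCP_CMND bytes 0-1 carry the LUN (peripheral device addressing, bus 0)."""
    return int.from_bytes(payload[0:2], "big") & 0x3FFF if len(payload) >= 32 else None


def lba_range(cdb: bytes) -> Optional[Tuple[int, int]]:
    """First and last LBA touched by a READ(10)/WRITE(10) CDB, else None."""
    if cdb[0] not in (0x28, 0x2A):
        return None
    lba = int.from_bytes(cdb[2:6], "big")
    blocks = int.from_bytes(cdb[7:9], "big")
    return lba, lba + max(blocks, 1) - 1


def lun_partition(lun: int, first: int, last: int) -> Callable[[Frame], bool]:
    """Match in-zone SCSI frames to one LUN whose I/O stays inside LBAs first..last."""
    def match(frame: Frame) -> bool:
        if frame.fc_type != 0x08 or not in_zone(frame) or fcp_lun(frame.payload) != lun:
            return False
        rng = lba_range(frame.payload[12:28])  # bytes 12-27 of FCP_CMND hold the CDB
        if rng is None:
            return True  # non-I/O commands such as INQUIRY carry no LBA
        return first <= rng[0] and rng[1] <= last
    return match


FILTERS: List[FrameFilter] = [
    FrameFilter("out-of-zone", 100, lambda f: not in_zone(f), Action.DISCARD),
    FrameFilter("lun3-partition-a", 50, lun_partition(3, 0x0000, 0x7FFF), Action.FORWARD),
    FrameFilter("els-traffic", 10, lambda f: f.fc_type == 0x01, Action.FORWARD),
]


def decide(frame: Frame, filters: List[FrameFilter] = FILTERS,
           default: Action = Action.DISCARD) -> Tuple[Action, Optional[str]]:
    """Apply all filters; the highest-priority hit decides, else the default applies."""
    hits = [f for f in filters if f.match(frame)]
    if not hits:
        return default, None
    best = max(hits, key=lambda f: f.priority)
    return best.action, best.name


def fcp_cmnd(lun: int, cdb: bytes) -> bytes:
    """Constructed 32-byte FCP_CMND IU: LUN(8), control(4), CDB(16), FCP_DL(4)."""
    return lun.to_bytes(2, "big") + bytes(6) + bytes(4) + cdb.ljust(16, b"\0") + bytes(4)


def read10(lba: int, blocks: int) -> bytes:
    """Constructed READ(10) CDB: opcode 0x28, 4-byte LBA, 2-byte transfer length."""
    return bytes([0x28, 0]) + lba.to_bytes(4, "big") + b"\0" + blocks.to_bytes(2, "big") + b"\0"


HOST_A, HOST_B, ARRAY = 0x010100, 0x010200, 0x020100


def demo() -> dict:
    """Decisions for a handful of constructed frames, keyed by scenario name."""
    cases = {
        "a_read_inside":   Frame(HOST_A, ARRAY, 0x08, fcp_cmnd(3, read10(0x1000, 8))),
        "a_read_straddle": Frame(HOST_A, ARRAY, 0x08, fcp_cmnd(3, read10(0x7FF8, 16))),
        "a_other_lun":     Frame(HOST_A, ARRAY, 0x08, fcp_cmnd(5, read10(0x0010, 1))),
        "a_els":           Frame(HOST_A, ARRAY, 0x01, b""),
        "b_els":           Frame(HOST_B, ARRAY, 0x01, b""),  # two filters match; priority decides
    }
    return {name: decide(frame) for name, frame in cases.items()}


if __name__ == "__main__":
    for name, (action, rule) in demo().items():
        print(f"{name:16s} -> {action.value:8s} via {rule or 'default'}")
```

The discard-by-default decision and the out-of-zone filter outranking the permissive ELS filter are the points to note: a frame from host B, which is not a zone member, matches both, and the higher priority ensures the discard wins. The straddling read shows why the partition check must test the last block addressed, not only the first.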