The present invention relates to a technique of authentication performed by a storage device connected through a network when a computer accesses the storage device.
An authorization function is one of the functions used for improving the security of a storage area network (hereinafter, referred to as a SAN) that employs Fibre Channel (hereinafter, referred to as FC). The authorization function is used by a storage device to examine the access right of a computer when the computer accesses a resource (for example, a disk) of the storage device, in order to judge whether the computer may access that resource.
LUN (Logical Unit Number) masking is one such authorization function. LUN masking is a technique employed on the side of a storage device to limit the computers that are permitted to access the logical units (hereinafter, referred to as LUs) contained in the storage device, so as to prevent illegal reference, alteration and deletion of data (see, for example, Japanese Patent No. 3228182).
On the other hand, iSCSI is attracting attention as a technique for realizing reduction of acquisition costs of a SAN and for making a SAN applicable to a wider area. According to iSCSI, SCSI commands and the like are stored (encapsulated) in transmission frames of TCP packets that are in turn stored in payloads of IP packets, and sent and received through an IP network, to realize I/O processing between a computer and a storage device. A SAN using iSCSI is called an IP-SAN.
For a storage device that supports iSCSI (hereinafter, referred to as an iSCSI-capable storage device), it is possible to realize an authorization function equivalent to LUN masking. To that end, the storage device holds a table (hereinafter, referred to as an authorization table) recording the correspondence between the iSCSI name of an initiator and the iSCSI name of each target that may be accessed from that initiator. When the storage device receives a login request from an initiator, it extracts the iSCSI names of the initiator and the target and checks them against its authorization table, to judge whether the login should be accepted or not.
Generally, an iSCSI-capable storage device further has an authentication function, in addition to the above-mentioned authorization function. The authentication function is a function to confirm validity of a user of an initiator. A storage device that supports the authentication function has a table (hereinafter, referred to as an authentication table) for holding correspondence between an authentication name and authentication information such as a password. When a storage device receives an authentication request from an initiator after the storage device responds to a login request from the initiator, the storage device extracts an authentication name and authentication information, and checks the authentication name and the authentication information to judge whether the login should be accepted.
Although iSCSI itself is provided with such an authentication function, it is also possible to use the authentication function of IKE (Internet Key Exchange), which is one of the protocols constituting IPsec.
In the case where the above-mentioned authorization function and authentication function are both employed to improve security, an initiator can log in to a target only when the storage device judges the login to be permitted, first as a result of the authorization processing and then as a result of the authentication processing.
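A worked illustration of the two-stage login decision described above (authorization table first, authentication table second), added here as an example and not taken from the original text. The iSCSI names, authentication names and secrets are constructed, and the CHAP-style challenge/response used for the password check is an assumed scheme, since the text only speaks of "a password".

```python
import hashlib
import hmac

# Constructed sample tables (hypothetical names, not from the original text).
# Authorization table: initiator iSCSI name -> targets it may log in to
# (the iSCSI equivalent of LUN masking described above).
AUTHORIZATION_TABLE = {
    "iqn.2004-01.com.example:host01": {"iqn.2004-01.com.example.storage:lu0"},
    "iqn.2004-01.com.example:host02": {"iqn.2004-01.com.example.storage:lu1"},
}
# Authentication table: authentication name -> shared secret (constructed).
AUTHENTICATION_TABLE = {
    "host01user": b"correct-horse-battery",
    "host02user": b"another-secret-value",
}


def authorize(initiator_name: str, target_name: str) -> bool:
    """Stage 1: on the login request, check initiator/target against the authorization table."""
    return target_name in AUTHORIZATION_TABLE.get(initiator_name, set())


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP-style response: MD5(identifier || secret || challenge). Assumed scheme."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret + challenge).digest()


def authenticate(auth_name: str, ident: int, challenge: bytes, response: bytes) -> bool:
    """Stage 2: verify the initiator's response using the secret in the authentication table.
    The constant-time comparison avoids leaking how many bytes of the response matched."""
    secret = AUTHENTICATION_TABLE.get(auth_name)
    if secret is None:
        return False  # unknown authentication name: reject without revealing why
    expected = chap_response(ident, secret, challenge)
    return hmac.compare_digest(expected, response)


def login(initiator_name: str, target_name: str, auth_name: str,
          ident: int, challenge: bytes, response: bytes) -> tuple:
    """Full decision: authorization must pass before authentication is even attempted."""
    if not authorize(initiator_name, target_name):
        return (False, "authorization failed")
    if not authenticate(auth_name, ident, challenge, response):
        return (False, "authentication failed")
    return (True, "login accepted")
```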