1. Field of the Invention
The present invention relates to storage area networks, and more particularly, to a reliable asymmetric method for distributing security information within a Fibre Channel Fabric.
2. Background of the Invention
With the increasing popularity of Internet commerce and network centric computing, businesses and other organizations are becoming more and more reliant on information. To handle all of this data, storage area networks or SANs have become very popular. A SAN typically includes a number of storage devices, a plurality of Hosts, and a number of Switches arranged in a Switching Fabric that connects the storage devices and the Hosts.
Most SANs rely on the Fibre Channel protocol for communication within the Fabric. For a detailed explanation of the Fibre Channel protocol and Fibre Channel Switching Fabrics and Services, see the Fibre Channel Framing and Signaling Standard, Rev 1.70, American National Standard of Accredited Standards Committee (INCITS), Feb. 8, 2002, and the Fibre Channel Switch Fabric—2, Rev. 5.4, INCITS, Jun. 26, 2001, and the Fibre Channel Generic Services—3, Rev. 7.01, INCITS, Nov. 28, 2000, all incorporated by reference herein for all purposes.
In Fibre Channel, each device (Hosts, storage devices and Switches) is identified by an unique eight (8) byte wide Node_Name assigned by the manufacturer. When the Fibre Channel devices are interconnected to form a SAN, the Node_Name (along with other parameters) is used to identify each device. Fibre Channel frames are used for communication among the devices in the SAN. The Node_Name, however, is not used by the frames. Instead the Fibre Channel Port of each end device (Hosts and storage devices) is addressed via a three (3) byte Fibre Channel address (or FC_ID), allocated dynamically to the end devices by the Fabric.
Fibre Channel Fabrics use several kinds of databases replicated among all the Switches, such as the Zoning database. In some cases the information contained in these databases is relatively static, meaning that it changes only by way of an administrative action. An example of such information is the security information needed to maintain and enforce security within the Fabric.
Security information within a Fibre Channel Fabric performs two basic roles, authorization and authentication. Authorization determines which devices in the Fabric can perform which functions. Authentication involves the confirmation that devices connected to the SAN, such as Switches, Hosts and storage devices, are who they claim to be. With the current Fibre Channel standards, security is only partially addressed. Specifications exist to solve the authorization issue, but not to address the authentication issue, although work is on-going in the FC-SP working group of INCITS committee T11 to address this issue. Authorization is managed by organizing the Fibre Channel SAN into zones.
Within each zone, Hosts can see and access only storage devices or other Hosts belonging to that zone. This allows the coexistence on the same SAN of different computing environments. For example, it is possible to define on a SAN a Unix zone and a separate Windows zone. Unix servers belonging to the Unix zone may access only storage or Hosts devices within the Unix zone, and do not interfere with the other devices in other zones connected to the SAN. In the same manner, Windows servers belonging to the Windows zone may access storage or Hosts devices only within the Windows zone, without interfering with the other devices in other zones connected to the SAN. The SAN administrator may define in a SAN multiple zones, as required or dictated by the computing and storage resources connected to it. The Switching Fabric allows communications only between devices belonging to the same zone, preventing a device of one zone from seeing or accessing a device of another zone.
To enforce a zoning definition, each Switch in the Fabric maintains a zone database that lists which Hosts can access which storage devices in the Fabric. The FC-SW-2 standard defines the Switch-to-Switch interactions required to ensure that each Switch has a consistent version of this information.
When two Switches are connected together, the Zone Merge Protocol ensures they have compatible zoning information. In general terms, they exchange their own version of the Zone database, and then each of them verifies that the received information is compatible with the local copy. If the definitions of the zones are compatible, the link between the Switches will be used to route traffic, otherwise that link will be isolated and not used.
To update or change a zone configuration within a Fabric, FC-SW-2 defines the Zone Change Protocol. With this protocol, the Switch that wishes to propagate its zoning configuration over the other Switches of the Fabric is called the “managing Switch”, while the others are called “managed Switches”. The Zone Change Protocol implements a four step process to distribute a zone change across the Switching Fabric. In general terms, the managing Switch locks the other Switches of the Fabric (step 1); propagates the changes across the Fabric to the other Switches (step 2); commits those changes (step 3); and then releases the lock on the Fabric (step 4).
In trying to solve the authentication problem, the same approach has been proposed in the FC-SP working group for maintaining authentication information. As proposed, each entity that wishes to access another entity is required to authenticate itself before obtaining the right to access that entity. Each Switch would be required to maintain a database of authentication information for each Switch, Host or storage device present in the SAN. Depending on the authentication protocol used, this authentication information may be a set of passwords or digital certificates. When two Switches are connected they would have to ensure, with a Merge Protocol, that their authentication information are compatible. When the SAN administrator wishes to change the authentication information in the Fabric, a Change Protocol may be used to perform this operation.
Several problems are associated with the aforementioned process of security information distribution when applied to a large Fabric. Foremost, the security information database, both for authorization (zoning) and authentication, needs to be replicated on each Switch of the Fabric. Both databases contain information relative to the entire SAN. However, each Switch only needs to know the subset of this information relevant to the devices directly attached to it. Furthermore, it has been observed in the field that the zoning database alone may become excessively large in a big Fabric, posing an undue burden on the memory and processing capabilities of the Switches in the Fabric. An authentication database containing the security information required to authenticate potentially each device of a SAN is potentially much larger than an authorization database. As a consequence, using the same approach to handle the authentication information will exacerbate the problem, creating even a greater burden on the memory and processing capabilities of the Switches. Since not all the Switches in the Fabric may have the necessary memory or processing capabilities, it may be more difficult to scale the security information databases across large SANs using the currently defined mechanisms.
Therefore, a reliable asymmetric method for distributing security information within a Fibre Channel Fabric is needed in order to improve the scalability properties of a Fibre Channel SAN.