Secure Asymmetric iSCSI For Online Storage
Sarah A. Summers
12/12/2008 Summers - SAiSCSI 1
Outline of Presentation
Goals of the Project
Overview of SCSI, iSCSI and IPsec
Review of Efficient Asymmetric Secure iSCSI
Testing of Efficient Asymmetric Secure iSCSI
Motivation for Enhancements
Proposed Enhancements
Results
Disaster Recovery
Additional Research
Lessons Learnt, Future Work, Conclusions
Goals
1. Enhance the existing Efficient Asymmetric Secure iSCSI scheme to:
   Enable the transfer of files of arbitrary size
   Allow files to be transferred to two target storage devices for mirroring and backup
2. Develop and implement a user interface to simplify usage of the scheme
3. Consider the use of the scheme for disaster recovery
SCSI
Application Layer Storage Protocol
Standard device interface bus enabling block data I/O
Logically addresses blocks
Utilizes a client/server (initiator/target) architecture
Data transferred in Command Descriptor Blocks
Limitations
   Length of SCSI bus limits distance over which SCSI can operate
   Limited number of devices can be connected to it
iSCSI
End-to-end protocol to enable transportation of storage I/O block data over IP networks
Maps SCSI functionality to the TCP/IP protocol
SCSI CDBs encapsulated in iSCSI Protocol Data Units
Can be implemented in software and hardware
Limitations
   No built-in security, relies on IPsec
IPsec
Extension of the IP protocol that provides security to IP and upper layers of the OSI model
Encapsulating Security Payload (ESP) – provides confidentiality and optionally authentication
   Performs 3 basic steps
      Header calculation and placement
      Trailer calculation and placement
      ESP authentication field calculation and placement
Internet Key Exchange (IKE)
Transport Mode
sg3_utils
sg3_utils package containing low level utilities for devices using the SCSI command set
Utilizes the sg interface
sg_dd is a variant of the dd command – specialized for block oriented devices that use the SCSI command set
   sg_dd if=test.txt of=/dev/sda bpt=1 odir=1 skip=0 seek=0
Efficient Asymmetric Secure iSCSI
Utilizes the sg_dd command to achieve the transfer of files between initiator and target
Dual key cryptographic enhancement to IPsec
   Custom key to encrypt data
   IKE generated keys to encrypt headers
Limitations of the Existing Scheme
User data must be an integer multiple of block size (1024 bytes)
Target Storage File Limitations
   Only one file can be stored at a time
   Pre-set size of target storage file limits the size of the user data that can be stored
sg_dd Utility Limitation
   Count and block size values must be specified when issuing the sg_dd command
Reading data from the target using the cp utility results in the entire target file being retrieved
Mounting of a target storage disk is not possible with the existing implementation
Motivations for Enhancements
Bring existing implementation closer to a complete and usable secure data transfer/storage system
Allow transfer of files of arbitrary size
Allow duplicate transfer of files to second target storage device
Relative complexity of existing scheme in terms of user interaction
Secure Asymmetric iSCSI For Online Storage Enhancements
Enhancements to the sg_dd utility to:
   Transfer files of arbitrary size
   Transfer to two targets
Graphical User Interface
   Initiator interface
   Target interface
Implementation Logic for Arbitrary File Transfer
Set block_size = 1024
If (input_file != target_storage_device)
{
    Determine size of file in bytes
    If ((size % block_size) != 0)
    {
        while ((size % block_size) != 0)
        {
            size++;
        }
    }
    count = size / block_size
    create CDB using count value
}
Implementation Logic for File Transfer to Two Targets
Set block_size = 1024
If (second output file == TRUE)
{
    Determine device type
    Determine number of blocks in second target
    create command descriptor block for second target
}
else
    set second output file to be /dev/null
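The two procedures above (rounding user data up to whole 1024-byte blocks to derive the sg_dd count, and defaulting the second output to /dev/null when no second target is given) can be expressed as a small initiator-side helper. This is an added example, not code from the thesis or from sg3_utils; it replaces the increment-until-aligned loop with equivalent integer arithmetic and also models the read-side limitation stated later on the slides (count must be supplied when reading back from target storage). The `of2=` option name is assumed to be how the second-target enhancement is surfaced; stock sg_dd's `of2=` is documented for a regular file or pipe, so treating a block device there is the enhancement the slides describe.

```python
import shlex

BLOCK_SIZE = 1024  # block size used by the scheme (from the slides)


def blocks_needed(size_bytes, block_size=BLOCK_SIZE):
    """Smallest whole number of blocks covering size_bytes: (padded_size, count).

    Gives the same result as the slides' size++ loop, without iterating.
    """
    if size_bytes < 0 or block_size <= 0:
        raise ValueError("size must be >= 0 and block_size > 0")
    count = (size_bytes + block_size - 1) // block_size
    return count * block_size, count


def pad_to_block(data, block_size=BLOCK_SIZE):
    """Zero-pad user data to an integer multiple of block_size (the existing
    scheme's requirement) and return (padded_bytes, block_count)."""
    padded_size, count = blocks_needed(len(data), block_size)
    return data + b"\x00" * (padded_size - len(data)), count


def build_sg_dd_command(input_file, output_file, size_bytes=None, count=None,
                        second_output=None, block_size=BLOCK_SIZE):
    """Assemble the sg_dd argument list for one transfer.

    Writing a file to target storage: count is derived from the file size.
    Reading from target storage: sg_dd cannot know how much user data is
    stored, so the caller must supply count (limitation noted on the slides).
    The second output defaults to /dev/null because sg_dd's default output
    is stdout. of2= as the second-target option is an assumption here.
    """
    if size_bytes is not None:
        _, count = blocks_needed(size_bytes, block_size)
    elif count is None:
        raise ValueError("reading from target storage requires an explicit count")
    second = second_output or "/dev/null"
    return ["sg_dd", f"if={input_file}", f"of={output_file}", f"of2={second}",
            f"bs={block_size}", f"count={count}",
            "bpt=1", "odir=1", "skip=0", "seek=0"]


def command_line(argv):
    """Shell-quoted form of the argument list, for display or logging."""
    return shlex.join(argv)


if __name__ == "__main__":
    # Constructed sizes; no device is touched, the command is only printed.
    for size in (0, 1, 1024, 1025, 3000):
        print(size, blocks_needed(size))
    print(command_line(build_sg_dd_command("test.txt", "/dev/sda", size_bytes=3000)))
    print(command_line(build_sg_dd_command("test.txt", "/dev/sda", size_bytes=3000,
                                           second_output="/dev/sdb")))
```

Passing the argument list to `subprocess.run` rather than a joined string keeps file names with spaces or shell metacharacters from being reinterpreted; `command_line` exists only for showing the user what will run.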
Comparison Data for Transfer of Arbitrary Sized Files
[Chart: x-axis File Size (bytes), logarithmic scale 1E+02 to 1E+09; y-axis Time (seconds), logarithmic scale 0.001 to 1000.000. Series: orig real, arb real, orig user, arb user, orig system, arb system. Data labels as extracted, in transcript order (assignment to series and file sizes is not recoverable from the transcript): 0.011, 0.034, 0.246, 0.958, 9.139, 93.040; 0.002, 0.030, 0.187, 1.357, 10.574, 105.310; 0.007, 0.132, 0.006, 0.115, 0.025, 0.132, 0.911, 4.496, 44.781, 493.967; 0.027, 0.100, 0.766, 5.144, 49.840, 488.995]
Comparison Data for Transfer to Two Targets
[Chart: x-axis File Size (bytes), logarithmic scale 1E+02 to 1E+09; y-axis Time (seconds), logarithmic scale 0.001 to 1000.000. Series: orig real, 2 targets real, orig user, 2 targets user, 2 targets system, orig system. Data labels as extracted, in transcript order (assignment to series and file sizes is not recoverable from the transcript): 0.004, 0.062, 0.374, 2.204, 21.148, 210.620; 0.010, 0.034, 0.209, 1.500, 16.242, 161.000; 0.021, 0.266, 0.012, 0.23, 0.031, 0.198, 1.091, 8.608, 95.665, 941.019; 0.054, 0.284, 1.532, 11.360, 99.680, 977.990]
User Interface
Developed and implemented using Python and Tkinter
Comprised of two components
   Initiator Interface
   Target Interface
Initiator Interface Functionality
Generate IPsec keys
Generate SAD and SPD entries
Start initiator software
Login/Logout to/from the target(s)
Transfer user data to target storage
Retrieve user data from target storage
Target Interface Functionality
Create additional target storage file(s)
Configure ietd.conf file for additional target(s)
Generate SAD and SPD entries
Start/stop iscsitarget software
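Both the Initiator Interface and the Target Interface generate IPsec keys and SAD/SPD entries for the transport-mode ESP described earlier. The following is an added example of that step, not the thesis's GUI code: it emits manually keyed SAs and policies in setkey(8) syntax (the static-SA tool assumed here; the slides only say the scheme does not yet use a dynamic method such as racoon). The dual-key data/header split of the scheme is not modelled; this is the standard header-protecting IPsec configuration both ends must share. Addresses, SPIs and key bytes in the test are constructed values.

```python
import ipaddress
import os

AES_KEY_LENGTHS = (16, 24, 32)   # AES-CBC key sizes setkey accepts, in bytes
HMAC_SHA1_KEY_LEN = 20           # HMAC-SHA1 key, in bytes
SPI_RESERVED_MAX = 255           # SPIs 1..255 are reserved (RFC 4303)
ISCSI_PORT = 3260                # well-known iSCSI port, as on the slides


def generate_sa_keys():
    """Fresh per-direction ESP keys from the OS CSPRNG (AES-128-CBC + HMAC-SHA1)."""
    return {"enc": os.urandom(16), "auth": os.urandom(HMAC_SHA1_KEY_LEN)}


def sad_entry(src, dst, spi, keys):
    """One manual SA in setkey syntax: transport-mode ESP, AES-CBC + HMAC-SHA1."""
    ipaddress.ip_address(src)            # raises ValueError on a malformed address
    ipaddress.ip_address(dst)
    if not SPI_RESERVED_MAX < spi <= 0xFFFFFFFF:
        raise ValueError("SPI outside the usable 32-bit range")
    if len(keys["enc"]) not in AES_KEY_LENGTHS or len(keys["auth"]) != HMAC_SHA1_KEY_LEN:
        raise ValueError("unexpected key length")
    return (f"add {src} {dst} esp {spi:#x} -m transport "
            f"-E aes-cbc 0x{keys['enc'].hex()} -A hmac-sha1 0x{keys['auth'].hex()};")


def spd_entries(local, peer, local_is_target):
    """Policies requiring ESP on iSCSI traffic only, seen from `local`.

    Restricting the policy to TCP port 3260 is an added least-privilege
    choice: other traffic between the hosts is left unaffected.
    """
    if local_is_target:
        out_src, out_dst = f"{local}[{ISCSI_PORT}]", peer
        in_src, in_dst = peer, f"{local}[{ISCSI_PORT}]"
    else:
        out_src, out_dst = local, f"{peer}[{ISCSI_PORT}]"
        in_src, in_dst = f"{peer}[{ISCSI_PORT}]", local
    return [f"spdadd {out_src} {out_dst} tcp -P out ipsec esp/transport//require;",
            f"spdadd {in_src} {in_dst} tcp -P in ipsec esp/transport//require;"]


def setkey_script(initiator, target, spi_to_target, spi_to_initiator,
                  keys_to_target, keys_to_initiator, local_is_target):
    """Complete setkey script for one host.

    The two SAs are the same on both hosts (the SAD is shared state); only
    the SPD direction differs, so the same function serves both interfaces.
    flush/spdflush clear existing entries before loading, as in a typical
    setkey -f script.
    """
    if spi_to_target == spi_to_initiator:
        raise ValueError("each direction needs its own SPI")
    local, peer = (target, initiator) if local_is_target else (initiator, target)
    lines = ["flush;", "spdflush;",
             sad_entry(initiator, target, spi_to_target, keys_to_target),
             sad_entry(target, initiator, spi_to_initiator, keys_to_initiator)]
    lines += spd_entries(local, peer, local_is_target)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed addresses and SPIs; keys are freshly generated.
    k_out, k_in = generate_sa_keys(), generate_sa_keys()
    print(setkey_script("10.0.0.1", "10.0.0.2", 0x1000, 0x1001, k_out, k_in,
                        local_is_target=False))
```

The script contains raw key material, so it should be written with mode 0600 and loaded with `setkey -f`, never pasted into a shell history; that handling is also why the slides treat the custom key's storage as a disaster-recovery concern.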
Secure Asymmetric iSCSI for Disaster Recovery
HIPAA and SOX require security, privacy and accountability of data
Standard online storage techniques may not be sufficient
Secure Asymmetric iSCSI for online storage may be the solution
Secure storage of custom key
   Initiator and custom key can be duplicated
   Store key with trusted third party
Mounting a Target Storage Device
Network Protocol Analyzer (Wireshark) Results
   Discovery – only iSCSI/SCSI commands issued
   Login – iSCSI/SCSI Read and PDU but PUSH flag not set
   Mounting results in the issuing of iSCSI/SCSI Writes and Reads
   iSCSI/SCSI Writes/Reads interpreted by EASI as file transfers
strace of mount command
   kernel reads file system information which results in invocation of iSCSI/SCSI commands
Using cp to transfer to a Mounted Storage Device
Writing to Target
   Various iSCSI/SCSI Writes and Data-out PDUs
   In addition to user payload, file and directory structure of storage device written
Reading from Target
   Various iSCSI/SCSI Reads and Writes
   Plain vanilla TCP packet after first iSCSI/SCSI Read contains names of directories and files currently on target storage
   Unidentified data in some Data-out PDUs
Lessons Learnt/Observations
sg_dd uses defaults of stdin for input file and stdout for output file. If no output is required use /dev/null
Linux kernel, open-iscsi and iscsitarget are under constant development; changes to these code bases need to be incorporated in new releases
Wireshark and Ethereal appear to interpret/display identical log files in a different manner
Retrieving data from target using sg_dd requires count value to be specified
Future Directions
Modify the EASI scheme to use the most current Linux kernel version, open-iscsi and iscsitarget code
Re-implement the EASI scheme in a way that a mounted target storage disk can be used
Simplify the setup and use of the implementation through the development of an API
Enhance the implementation to utilize a dynamic method, such as ‘racoon’, for establishing security associations between the initiator and target
Conclusions
Enhancements to the sg_dd utility have enabled:
   Simulated transfer of files of arbitrary size
   Transfer of files to two targets
Graphical user interface simplifies user interaction:
   Generation of keys for the encryption of the headers has been simplified
   Interaction with the initiator and target software has been simplified
   Writing and reading user data to/from the target has been simplified
Limitations
   Arbitrary file transfer still requires user to specify a count value when reading data from target storage
   True arbitrary file transfer is not achieved
Phases of SCSI I/O Operation
3 main phases:
   Command – Initiator sends command and parameters to the target in a CDB
   Data – Data is transferred in accordance with the command issued in the CDB
   Status – Provides confirmation that the command was received and executed
Open-iSCSI
Open source software implementation of iSCSI initiator
Kernel Portion
   iSCSI data path
User Portion
   Control path of iSCSI
   Management facilities
Release used in EASI: open-iscsi-0.4-423
Current Release: open-iscsi-2.0-869.2
iscsitarget
Open source software implementation of iSCSI target
Kernel Portion
User Portion
Release used in EASI: iscsitarget-0.4.11
Current Release: iscsitarget-0.4.16
Write Processing on the Target
1. Identify iSCSI traffic
2. Identify packets containing user data
3. Decrypt packets not containing user data
4. Process packets containing user data
Read Processing on the Target
1. Identify iSCSI traffic – source port 3260
2. Determine if iSCSI packet contains user data
3. Encrypt packets not containing user data
4. Encrypt packets containing user data
Read Processing on the Initiator
1. Identify iSCSI traffic
2. Determine if packet contains user data
3. Decrypt packets containing user data
4. Decrypt packets not containing user data
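The write/read processing steps on the last four slides all reduce to the same decision: is this packet iSCSI, and does the PDU carry user data, so that the custom data key rather than the IKE header keys applies. As an added example (not the thesis's kernel-side code), the following parses the 48-byte iSCSI Basic Header Segment from RFC 3720 and makes that decision for both directions. The sample flow is constructed; the opcode values and the DataSegmentLength field offset are from RFC 3720, and treating immediate data in a SCSI Command PDU as user data is an added refinement the slides do not mention.

```python
ISCSI_PORT = 3260   # well-known iSCSI target port, named on the slides
BHS_LEN = 48        # Basic Header Segment length (RFC 3720)

# Opcodes from RFC 3720 section 10: low six bits of BHS byte 0.
OP_SCSI_COMMAND = 0x01
OP_LOGIN_REQ = 0x03
OP_SCSI_DATA_OUT = 0x05
OP_SCSI_RESPONSE = 0x21
OP_LOGIN_RESP = 0x23
OP_SCSI_DATA_IN = 0x25
OP_R2T = 0x31


def make_bhs(opcode, data_segment_len, final=True):
    """Build a constructed 48-byte BHS for sample traffic (not a capture)."""
    if not 0 <= data_segment_len < (1 << 24):
        raise ValueError("DataSegmentLength is a 24-bit field")
    bhs = bytearray(BHS_LEN)
    bhs[0] = opcode & 0x3F
    bhs[1] = 0x80 if final else 0x00                 # F (final) bit
    bhs[5:8] = data_segment_len.to_bytes(3, "big")   # bytes 5..7
    return bytes(bhs)


def is_iscsi(src_port, dst_port):
    """Step 1: identify iSCSI traffic by the well-known port on either side."""
    return ISCSI_PORT in (src_port, dst_port)


def classify(src_port, dst_port, pdu):
    """Steps 2-4: does the PDU carry user data, and which key class applies?

    'custom' marks PDUs whose data segment is user data (encrypted with the
    scheme's custom key); 'ike' marks every other iSCSI PDU (IKE-derived keys).
    """
    if not is_iscsi(src_port, dst_port):
        return {"iscsi": False}
    if len(pdu) < BHS_LEN:
        raise ValueError("truncated BHS")
    opcode = pdu[0] & 0x3F
    data_len = int.from_bytes(pdu[5:8], "big")
    # Data-Out/Data-In carry SCSI data; a SCSI Command may carry immediate
    # write data in its data segment (RFC 3720 section 10.3), so it is
    # counted as user data only when that segment is non-empty.
    user_data = data_len > 0 and opcode in (OP_SCSI_DATA_OUT, OP_SCSI_DATA_IN,
                                            OP_SCSI_COMMAND)
    return {
        "iscsi": True,
        "direction": "to_target" if dst_port == ISCSI_PORT else "from_target",
        "opcode": opcode,
        "data_len": data_len,
        "user_data": user_data,
        "key": "custom" if user_data else "ike",
    }


def process_flow(packets):
    """Run the classification over a sequence of (src_port, dst_port, pdu)."""
    return [classify(*p) for p in packets]


# Constructed sample flow: login, a write carrying one 1024-byte block in a
# Data-Out PDU, the SCSI response, and one non-iSCSI packet for contrast.
SAMPLE_FLOW = [
    (49152, ISCSI_PORT, make_bhs(OP_LOGIN_REQ, 0)),
    (ISCSI_PORT, 49152, make_bhs(OP_LOGIN_RESP, 0)),
    (49152, ISCSI_PORT, make_bhs(OP_SCSI_COMMAND, 0)),
    (ISCSI_PORT, 49152, make_bhs(OP_R2T, 0)),
    (49152, ISCSI_PORT, make_bhs(OP_SCSI_DATA_OUT, 1024)),
    (ISCSI_PORT, 49152, make_bhs(OP_SCSI_RESPONSE, 0)),
    (49152, 80, b"GET / HTTP/1.0\r\n"),
]

if __name__ == "__main__":
    for result in process_flow(SAMPLE_FLOW):
        print(result)
```

The port test is the weak link: a peer that negotiates a non-default port, or non-iSCSI traffic that happens to use 3260, passes or fails step 1 purely on port number. In a real interception layer the BHS sanity checks (opcode in the defined set, DataSegmentLength within the negotiated MaxRecvDataSegmentLength) are what confirm the classification before a key is chosen.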