Research on IP SAN Backup Technology and Security Mechanisms
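Abstract
At present, many technologies in the data storage field are still at the research stage. As storage has evolved from the original Direct Attached Storage (DAS) model to today's network storage model, data storage has gradually become a research focus. The traditional storage architecture uses a SCSI bus to connect a server directly to a number of storage devices, and the storage devices are regarded as an inseparable part of the server; this is a discrete storage architecture. However, as distributed computing environments continue to improve, data needs to be shared over a wider scope, and providing highly available data to multiple users has become the key issue for storage technology. Network storage technology has therefore become mainstream.
Network storage technology has two main architectures: Network Attached Storage (NAS) and the Storage Area Network (SAN). NAS provides file-level storage access, whereas SAN implements storage at the data-block level. By comparison, SAN technology is clearly more flexible and scalable. However, early SANs were mostly built on Fibre Channel (FC), which is expensive and mostly used in the high-end market, making it hard to popularize in the storage field. With the continued development of TCP/IP networking, people began to consider implementing data storage over IP networks, and IP SAN emerged. It brings NAS and SAN, two storage technologies used in different domains, toward convergence.
However, because IP SAN has a short history, many of its key technologies still await research and resolution. By analyzing the iSCSI protocol, this thesis designs and implements an IP SAN storage system based on iSCSI, using zero-copy techniques and TCP/IP optimization mechanisms to effectively improve the efficiency of the iSCSI protocol and thereby the performance of the system. Because IP SAN storage systems are a vast research area, this thesis focuses on the application of backup/recovery technology in IP SAN, compares a number of different backup technologies and security mechanisms, and constructs a new full + cumulative backup model. In the concrete implementation, disk RAID technology is used to realize virtualized storage, virtualizing mutually independent physical disks into a contiguous logical disk, which effectively optimizes the performance of the IP SAN backup/recovery system. In addition, for security reasons, this thesis further analyzes the security authentication mechanisms of IP SAN, proposes an IP SAN authentication model, and, in the concrete implementation, compares the differences between the SRP and CHAP authentication mechanisms, thereby addressing well the problem of how to ensure the security of SCSI commands/data in transit and in storage, and ensuring data integrity and consistency as far as possible.
Through in-depth study of IP SAN backup/recovery technology and security authentication mechanisms, this thesis proposes corresponding solutions and applies them fully in the concrete implementation of the system. Testing and analysis of system performance show that the system achieves the intended goals.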
At present, some technologies in data storage are still under research. From the early DAS mode to the current network storage mode, data storage has gradually become a research hotspot. The traditional storage structure connects the server directly to storage devices over a SCSI bus, and the storage devices are treated as an inseparable part of the server, so it is a discrete storage mode. However, as distributed computing environments improve, data must be shared over a wider range, and providing highly available data to multiple users becomes the key to storage technology. Thus, network storage technology has become the mainstream technology.
Network storage technology has two main architectures: Network Attached Storage (NAS) and Storage Area Network (SAN). NAS mode provides file-based storage access, and SAN mode implements storage based on data blocks. Evidently, SAN technology is more flexible and extensible. But early SANs were usually implemented over Fibre Channel (FC), which is very costly, so the technology was difficult to popularize in the storage domain. With the development of TCP/IP network technology, people considered building data storage over IP networks, and IP SAN emerged as the times required. It tends to integrate NAS and SAN technology.
However, because IP SAN is a new domain, some pivotal technologies need further research and solutions. This paper analyses the iSCSI protocol, and designs and implements an IP SAN storage system based on iSCSI. Moreover, by using zero-copy technology and a TCP/IP optimizing mechanism, the efficiency of the iSCSI protocol is effectively improved, and the performance of the system is improved as well. The IP SAN storage system is a very large research domain. This paper emphasizes the backup & recovery technology of IP SAN, compares many different backup technologies and security mechanisms, and constructs a new full + accumulative backup mode. In the actual implementation, this paper realizes virtual storage using RAID technology: independent physical disks become consecutive logical disks, and the performance of the IP SAN backup & recovery system is thereby improved. Furthermore, considering the security of the system, this paper also analyses the security authentication mechanism of IP SAN and puts forward an authentication model for IP SAN. In the actual implementation, this paper compares the differences between the SRP and CHAP authentication mechanisms, solves the security issue of SCSI commands/data, and can ensure the integrity and consistency of data.
Through in-depth study of the backup & recovery and security authentication technology of IP SAN, this paper puts forward corresponding solutions and applies them in the actual implementation. Testing and analysis of the system prove that the system can achieve the expected goals.
