1 / 34

Efficient Asymmetric Secure iSCSI

Efficient Asymmetric Secure iSCSI . Murthy Andukuri. Outline of the talk. Goals of the project Motivation for the project Current options for security Proposed scheme Three components : iSCSI. IPsec, UML Design and Implementation Results Lessons learnt, Future work, Conclusions. Goals .

lane
Download Presentation

Efficient Asymmetric Secure iSCSI

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Efficient Asymmetric Secure iSCSI Murthy Andukuri Murthy SiSCSI

  2. Outline of the talk • Goals of the project • Motivation for the project • Current options for security • Proposed scheme • Three components : iSCSI. IPsec, UML • Design and Implementation • Results • Lessons learnt, Future work, Conclusions Murthy SiSCSI

  3. Goals • A dual-key asymmetric cryptographic enhancement of IPsec to reduce total IPsec processing time and enhance data security for remote storage using iSCSI. • Demonstrate use of virtual test beds running UML to develop networking software. Murthy SiSCSI

  4. Motivation • Remote storage • NAS – Network Attached Storage • Roots in File server • NFS,CIFS • SAN – Storage Area Network • FCIP, iFCP, iSCSI (All SCSI Based) • iSCSI is the Focus of the project - • Smart, inexpensive, No special hardware Murthy SiSCSI

  5. Storage Security Considerations • Importance of storage security • Need for end-to-end security. Possible currently. • Using Applications to secure data can leave gaps. • IPsec provides standardized security • It addresses security in transmission • Available options to achieve storage security as well Murthy SiSCSI

  6. Related Work • RFC 3723 - Securing Block Storage Protocols over IP • Microsoft, Cisco, Intel – all have implementations of iSCSI Initiator and Target. • Available hardware implementations of iSCSI + IPsec combined hardware – Astute Networks – SA1000 SuperHBA for example. Murthy SiSCSI

  7. Choices for data security (Example - ssl) W With IPsec : Multiple encryptions/decryptions Without IPsec : No authentication. Headers insecure. Murthy SiSCSI

  8. The proposed scheme Encrypted Murthy SiSCSI

  9. How SCSI Works 10-byte Command Descriptor Block Tells how many blocks to transfer Tells Where to start transfer Tells How many bytes to transfer Murthy SiSCSI

  10. What exactly is iSCSI • ‘internet’SCSI • SCSI Initiator and Target across IP Network • SCSI CDB delivered in an IP packet Murthy SiSCSI

  11. iSCSI protocol layers Murthy SiSCSI

  12. Why iSCSI • Maximum use of proven technology • TCP ensures delivery , order (mostly) • IP ensures finding/reaching remote hosts • IPsec ensures security in transmission • Works on Ethernet cards and cat-5 cables • Any block device can be presented as SCSI device • Speeds ‘getting’ to be comparable to FC Murthy SiSCSI

  13. How iSCSI works • PDU (Protocol Data Unit) is the basic unit of communication • iSCSI payload is made of PDU header followed by Data. • Several PDU types (called opcodes) based on the source. • Fixed length PDU header Murthy SiSCSI

  14. Data Structure of a PDU header iSCSI Basic Header Segment Murthy SiSCSI

  15. How iSCSI works • Initiator initiates connection (Surprise !) • Discovery • Login • Full Feature phase • Sends commands to Target • Target responds • Logout • Supports multiple connections per session • iSCSI needs to ensure order across connections Murthy SiSCSI

  16. iSCSI packet Exchange Murthy SiSCSI

  17. IPsec • Security integrated into network stack • Secures ALL traffic between hosts • Inherent in IPV6, Supported for IPV4 • Consists of 3 protocols • IKE – For Dynamic Key management • ESP – For Encryption and authentication • AH – Authentication only • Tunnel Mode or Transport mode • Transport mode chosen in the project Murthy SiSCSI

  18. Packet encapsulation combinations in IPsec Murthy SiSCSI

  19. Encryption algorithm used in current project : • AES with a 192 bit key • AES uses 128 bit block size • The Scheme is independent of algorithm. Verified with 3DES (192 bit key, 64 bit block) Authentication algorithm used : Hmac-md5 128 bit key Murthy SiSCSI

  20. How the proposed scheme looks at a packet level Murthy SiSCSI

  21. How the packet is modified for the proposed scheme Encrypted together using IKE-generated key Second, local key and IV to encrypt this portion Length of payload per packet = 1024 Murthy SiSCSI

  22. Implementation logic during ‘Write’ Murthy SiSCSI

  23. Implementation logic during ‘Read’ Murthy SiSCSI

  24. Development test bed setup A file on the Target Virtual machine is Presented as a SCSI disk To the initiator. Murthy SiSCSI

  25. Virtual machines of User Mode Linux • Multiple Virtual machines running on a single host. • Can be built with any kernel source tree with ARCH=um make option. Can be started just like an application. • Multiple instances can share a root file system using Copy-On-Write (COW) layer. • Can optionally access the host file system as hostfs (Helps during development). • Can be networked to the host, to each other and outside world. SKA helps make it almost impossible to hack into the host. Excellent as honeypot. • Can be attached to gdb and stepped-thru like any application. Murthy SiSCSI

  26. Kernel Debugging in User Mode Linux • Debug ‘static’ kernel code by attaching to gdb. • Debugging modules is a (quite) a bit more tricky. • Run the Perl Script in a separate terminal to create a pseudo terminal • Run the ‘Expect’ script in a separate terminal, to setup gdb AND instantiate a ‘screen’ session kicking off UML attached to gdb. • Find above session with ‘screen –ls’. Attach to it with ‘screen –r’. • Add module’s details to gdb with add-symbol-file. Murthy SiSCSI

  27. Expected Savings in IPsec Computational effort Data shown below is for the round trip of 1K of user data Murthy SiSCSI

  28. Performance data with available alternative (on UML test bed) Murthy SiSCSI

  29. Performance data under proposed scheme (on UML test bed) Murthy SiSCSI

  30. Impact of File size on performance Murthy SiSCSI

  31. Lessons Learnt • iSCSI Initiator and Target (Apps and modules) need to built on host machine and installed into UML rootfs. Take care to point to right kernel tree. • UML Kernel support for iscsi_transport needs to be configured as a module and not static. • Debugging modules (Linux and iSCSI) inside UML proved very tricky. • TCP checksum needs to be recomputed in IPSec after segmented encryption on initiator. Also after decryption of data that has been read back. • The payload length is held very dearly by iSCSI layer (Both initiator and target). Trying to tweak the length in IP layer doesn’t work ! Murthy SiSCSI

  32. Future Efforts • Expand to include arbitrary file sizes • Include in an IPsec + iSCSI TOE • User interface, /Proc system based enhancements to improve flexibility, security • Ability to mark packets using netfilter hacks. • Expand IPsec key generation mechanism to include iSCSI • With some modifications, the same scheme can be used to encrypt with application layer SW and NOT Re-encrypt/decrypt at IPsec. Murthy SiSCSI

  33. Conclusions • An asymmetric IPsec protocol enhancement was developed for improving the security and performance of remote online backup systems. • Demonstrated how UML can be used to facilitate kernel/networking software. development. • An invention disclosure was filed with University of Colorado Tech Transfer Office. • A paper to be submitted to ICNP conference. Murthy SiSCSI

  34. Benefits of the scheme • Addresses gaps in storage security, expected to improve performance and eliminate need for multiple tools to provide security. • Cuts hardware costs. CPU/TOE on the Target need not be as fast as those on Initiator. Or can be used to process more requests. • Flexibility – The scheme can be used with any Encryption and Authentication scheme supported by IPsec. • The scheme does not weaken other security measures. • The idea of the scheme probably can be applied to SSL tunneling. Murthy SiSCSI

More Related