IP-Based Storage Networks Change the Rules

 
 

get product quotes click here

 

 
 
 
 

 

IP-Based Storage Networks Change the Rules

July 2003

IP Changes the Rules

BY Neil Roiter

IP-based storage compounds the flexibility, scalability--and, to some extent, the risk--of distributed SANs. High-speed Ethernet (10 Gbps is now available, albeit very expensive) is widely deployed to meet the high bandwidth requirements of IP storage traffic. Thanks to a spate of new protocols, enterprises can create IP SANs in all-Ethernet or mixed Ethernet/Fiber Channel environments.

However, IP storage traffic is vulnerable to the same security risks as traditional IP networks--data theft/modification, peer modification, denial of service, etc. Although it's not mandated in the iSCSI standard, IPSec should be implemented to secure IP storage traffic.

But encryption degrades performance. While this may be acceptable for a VPN, supporting less-demanding IP traffic, it won't meet the performance requirements of IP storage. This is being addressed by high-end processors embedded in the new class of iSCSI-compliant products. QLogic, for example, is marketing a series of chips for iSCSI/IPSec acceleration, as well as iSCSI HBAs powered by powerful processors. NetOctave markets IPSec accelerator boards it says will meet the demands of IP storage traffic.

The broad-based iSCSI protocol embeds SCSI commands into TCP, so it's protocol-agnostic as far as the incoming packet stream is concerned. A number of vendors--including Cisco Systems, IBM and Nishan Systems--have introduced iSCSI products.

The alternative FCIP and iFCP protocols are designed to connect FC storage networks over IP by encapsulating FC in IP packets. FCIP creates a tunnel that simply links FC SANs. iFCP, which is primarily designed to facilitate FC storage over the Internet, maps the FC packets to native IP.

There are some challenges to address--in addition to bandwidth--if you're considering IP storage. Key management can become an even greater headache over a widely distributed, heterogeneous storage network. IPSec authentication and access control must be integrated into your existing authentication infrastructure.

Moreover, mixing protocols is a messy business. From a security perspective, using IP in conjunction with FC introduces new complexities--and risks.

"Transfer over IP opens Pandora's box," says Yankee Group analyst Jamie Gruener. "I think it's a huge problem that a lot of vendors have not adequately prepared for. Customers have to be very cautious until they are assured that the use of IP for storage is safe."