1. Introduction
This specification discusses use of the IPsec protocol suite for
protecting block storage protocols over IP networks (including iSCSI,
iFCP and FCIP), as well as storage discovery protocols (iSNS and
SLPv2).
1.1. iSCSI Overview
iSCSI, described in [RFC3720], is a connection-oriented
command/response protocol that runs over TCP, and is used to access
disk, tape and other devices. iSCSI is a client-server protocol in
which clients (initiators) open connections to servers (targets) and
perform an iSCSI login.
This document uses the SCSI terms initiator and target for clarity
and to avoid the common assumption that clients have considerably
less computational and memory resources than servers; the reverse is
often the case for SCSI, as targets are commonly dedicated devices of
some form.
The iSCSI protocol has a text based negotiation mechanism as part of
its initial (login) procedure. The mechanism is extensible in what
can be negotiated (new text keys and values can be defined) and also
in the number of negotiation rounds (e.g., to accommodate
functionality such as challenge-response authentication).
After a successful login, the iSCSI initiator may issue SCSI commands
for execution by the iSCSI target, which returns a status response
for each command, over the same connection. A single connection is
used for both command/status messages as well as transfer of data
and/or optional command parameters. An iSCSI session may have
multiple connections, but a separate login is performed on each. The
iSCSI session terminates when its last connection is closed.
iSCSI initiators and targets are application layer entities that are
independent of TCP ports and IP addresses. Initiators and targets
have names whose syntax is defined in [RFC3721]. iSCSI sessions
between a given initiator and target are run over one or more TCP
connections between those entities. That is, the login process
establishes an association between an iSCSI Session and the TCP
connection(s) over which iSCSI PDUs will be carried.
While the iSCSI login may include mutual authentication of the iSCSI
endpoints and negotiation of session parameters, iSCSI does not
define its own per-packet authentication, integrity, confidentiality
or replay protection mechanisms. Rather, it relies upon the IPsec
protocol suite to provide per-packet data confidentiality and
integrity and authentication services, with IKE as the key management
protocol. iSCSI uses TCP to provide congestion control, error
detection and error recovery.
1.2. iFCP Overview
iFCP, defined in [iFCP], is a gateway-to-gateway protocol, which
provides transport services to Fibre Channel devices over a TCP/IP
network. iFCP allows interconnection and networking of existing
Fibre Channel devices at wire speeds over an IP network. iFCP
implementations emulate fabric services in order to improve fault
tolerance and scalability by fully leveraging IP technology. Each
TCP connection is used to support storage traffic between a unique
pair of Fibre Channel N_PORTs.
iFCP does not have a native, in-band security mechanism. Rather, it
relies upon the IPsec protocol suite to provide data confidentiality
and authentication services, and IKE as the key management protocol.
iFCP uses TCP to provide congestion control, error detection and
error recovery.
1.3. FCIP Overview
FCIP, defined in [FCIP], is a pure FC encapsulation protocol that
transports FC frames. Current specification work intends this for
interconnection of Fibre Channel switches over TCP/IP networks, but
the protocol is not inherently limited to connecting FC switches.
FCIP differs from iFCP in that no interception or emulation of fabric
services is involved. One or more TCP connections are bound to an
FCIP Link, which is used to realize Inter-Switch Links (ISLs) between
pairs of Fibre Channel entities. FCIP Frame Encapsulation is
described in [RFC3643].
FCIP does not have a native, in-band security mechanism. Rather, it
relies upon the IPsec protocol suite to provide data confidentiality
and authentication services, and IKE as the key management protocol.
FCIP uses TCP to provide congestion control, error detection and
error recovery.
1.4. IPsec Overview
IPsec is a protocol suite which is used to secure communication at
the network layer between two peers. The IPsec protocol suite is
specified within the IP Security Architecture [RFC2401], IKE
[RFC2409][RFC2412], IPsec Authentication Header (AH) [RFC2402] and
IPsec Encapsulating Security Payload (ESP) [RFC2406] documents. IKE
is the key management protocol while AH and ESP are used to protect
IP traffic.
An IPsec SA is a one-way security association, uniquely identified by
the 3-tuple: Security Parameter Index (SPI), protocol (ESP) and
destination IP. The parameters for an IPsec security association are
typically established by a key management protocol. These include
the encapsulation mode, encapsulation type, session keys and SPI
values.
IKE is a two phase negotiation protocol based on the modular exchange
of messages defined by ISAKMP [RFC2408], and the IP Security Domain of
Interpretation (DOI) [RFC2407]. IKE has two phases, and accomplishes
the following functions:
[1] Protected cipher suite and options negotiation - using keyed
MACs and encryption and anti-replay mechanisms
[2] Master key generation - such as via MODP Diffie-Hellman
calculations
[3] Authentication of end-points
[4] IPsec SA management (selector negotiation, options negotiation,
create, delete, and rekeying)
Items 1 through 3 are accomplished in IKE Phase 1, while item 4 is
handled in IKE Phase 2.
An IKE Phase 2 negotiation is performed to establish both an inbound
and an outbound IPsec SA. The traffic to be protected by an IPsec SA
is determined by a selector which has been proposed by the IKE
initiator and accepted by the IKE Responder. In IPsec transport
mode, the IPsec SA selector can be a "filter" or traffic classifier,
defined as the 5-tuple: <Source IP address, Destination IP address,
transport protocol (UDP/SCTP/TCP), Source port, Destination port>.
The successful establishment of an IKE Phase 2 SA results in the
creation of two uni-directional IPsec SAs fully qualified by the
tuple <Protocol (ESP/AH), destination address, SPI>.
The session keys for each IPsec SA are derived from a master key,
typically via a MODP Diffie-Hellman computation. Rekeying of an
existing IPsec SA pair is accomplished by creating two new IPsec SAs,
making them active, and then optionally deleting the older IPsec SA
pair. Typically the new outbound SA is used immediately, and the old
inbound SA is left active to receive packets for some locally defined
time, perhaps 30 seconds or 1 minute.
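The following is an added example, not text or code from RFC 3723 or any IPsec implementation: a small Python model of the objects described above (a transport-mode 5-tuple selector, the <Protocol, destination address, SPI> identity of a one-way SA, and the rekeying rule under which the new outbound SA is used immediately while the old inbound SA stays active for a locally defined grace period). The class and function names, addresses, SPIs and times are all constructed for illustration.

```python
# Added example, not from RFC 3723: a toy model of the objects the text
# describes: a transport-mode 5-tuple selector, the <protocol, dst, SPI>
# identity of a one-way SA, and rekeying with an inbound grace period.
# Addresses, SPIs and times are constructed sample values.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
Selector = Tuple[str, str, str, Optional[int], Optional[int]]  # None = any port
Packet = Tuple[str, str, str, int, int]  # <src IP, dst IP, proto, sport, dport>
SAIdent = Tuple[str, str, int]           # <Protocol (ESP/AH), destination, SPI>

@dataclass
class IpsecSA:
    protocol: str                        # "ESP" or "AH"
    dst: str                             # destination address of protected packets
    spi: int                             # Security Parameter Index
    expires_at: Optional[float] = None   # set on an old inbound SA after a rekey

def selector_matches(sel: Selector, pkt: Packet) -> bool:
    """True if the packet's 5-tuple falls within the selector."""
    return all(s is None or s == p for s, p in zip(sel, pkt))

class SADatabase:
    def __init__(self, grace_seconds: float = 30.0):
        self.grace = grace_seconds
        self.pairs: Dict[Selector, Tuple[IpsecSA, IpsecSA]] = {}  # sel -> (in, out)
        self.inbound: Dict[SAIdent, IpsecSA] = {}

    def phase2_complete(self, sel: Selector, inbound: IpsecSA,
                        outbound: IpsecSA, now: float) -> None:
        """Install an SA pair from IKE Phase 2. A pair already covering sel means
        a rekey: new outbound SA used at once, old inbound SA kept for a grace period."""
        if sel in self.pairs:
            self.pairs[sel][0].expires_at = now + self.grace
        self.pairs[sel] = (inbound, outbound)
        self.inbound[(inbound.protocol, inbound.dst, inbound.spi)] = inbound

    def outbound_sa(self, pkt: Packet) -> Optional[IpsecSA]:
        """Which outbound SA protects this packet? (selector lookup)"""
        for sel, (_, out) in self.pairs.items():
            if selector_matches(sel, pkt):
                return out
        return None

    def inbound_sa(self, protocol: str, dst: str, spi: int, now: float) -> Optional[IpsecSA]:
        """Look up a received packet's SA; delete an old SA once its grace is over."""
        sa = self.inbound.get((protocol, dst, spi))
        if sa is not None and sa.expires_at is not None and now >= sa.expires_at:
            del self.inbound[(protocol, dst, spi)]
            return None
        return sa
```

The selector in the usage below covers initiator traffic to the iSCSI well-known port 3260 with any source port; a second Phase 2 exchange on the same selector exercises the rekey path.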
1.5. Terminology
Fibre Channel
Fibre Channel (FC) is a gigabit speed networking technology
primarily used to implement Storage Area Networks (SANs), although
it also may be used to transport other frame types as well,
including IP. FC is standardized under American National Standard
for Information Systems of the InterNational Committee for
Information Technology Standards (ANSI-INCITS) in its T11
technical committee.
FCIP
Fibre Channel over IP (FCIP) is a protocol for interconnecting
Fibre Channel islands over IP Networks so as to form a unified SAN
in a single Fibre Channel fabric. The principal FCIP interface
point to the IP Network is the FCIP Entity. The FCIP Link
represents one or more TCP connections that exist between a pair
of FCIP Entities.
HBA
Host Bus Adapter (HBA) is a generic term for a SCSI interface to
other device(s); it's roughly analogous to the term Network
Interface Card (NIC) for a TCP/IP network interface, except that
HBAs generally have on-board SCSI implementations, whereas most
NICs do not implement TCP, UDP, or IP.
iFCP
iFCP is a gateway-to-gateway protocol, which provides Fibre
Channel fabric services to Fibre Channel devices over a TCP/IP
network.
IP block storage protocol
Where used within this document, the term "IP block storage
protocol" applies to all block storage protocols running over IP,
including iSCSI, iFCP and FCIP.
iSCSI
iSCSI is a client-server protocol in which clients (initiators)
open connections to servers (targets).
iSNS
The Internet Storage Name Server (iSNS) protocol provides for
discovery and management of iSCSI and Fibre Channel (FCP) storage
devices. iSNS applications store iSCSI and FC device attributes
and monitor their availability and reachability, providing a
consolidated information repository for an integrated IP block
storage network. iFCP requires iSNS for discovery and management,
while iSCSI may use iSNS for discovery, and FCIP does not use
iSNS.
initiator
The iSCSI initiator connects to the target on well-known TCP port
3260. The iSCSI initiator then issues SCSI commands for execution
by the iSCSI target.
target
The iSCSI target listens on a well-known TCP port for incoming
connections, and returns a status response for each command
issued by the iSCSI initiator, over the same connection.
In this document, the key words "MAY", "MUST", "MUST NOT", "OPTIONAL",
"RECOMMENDED", "SHALL", "SHALL NOT", "SHOULD", and "SHOULD NOT", are
to be interpreted as described in [RFC2119].
Note that requirements specified in this document apply only to use
of IPsec and IKE with IP block storage protocols. Thus, these
requirements do not apply to IPsec implementations in general.
Implementation requirements language should therefore be assumed to
relate to the availability of features for use with IP block storage
security only.
Although the security requirements in this document are already
incorporated into the iSCSI [RFC3720], iFCP [iFCP] and FCIP [FCIP]
standards track documents, they are reproduced here for convenience.
In the event of a discrepancy, the individual protocol standards
track documents take precedence.