Security; Software and Hardware iSCSI Initiators; Bridging and Routing - HP StorageWorks 4000/6000/8000 - Enterprise Virtual Arrays Reference Manual


• Maximum size of the data payload
• Support for unsolicited data
• Time-out values
During iSCSI login, the initiator and target also exchange nonnegotiable values such as names and
aliases.
During an iSCSI session, unique session IDs are created for the initiator and target:
1. An initiator creates a unique ID by combining its iSCSI name with an ISID.
2. During login, the initiator sends the ISID to the target.
3. The target creates a unique ID by combining its iSCSI name with a TSID. The target sends the
   TSID to the initiator.
When login is complete, the iSCSI session enters the full-feature phase with normal iSCSI transactions.

Security

Because iSCSI must accommodate untrusted IP environments, the specification for the iSCSI protocol
defines multiple security methods:
• Encryption solutions that reside below the iSCSI protocol, such as IPsec, require no special
  negotiation between iSCSI end devices and are transparent to the upper layers.
• The iSCSI protocol, which has several encryption solutions including:
  ◦ Kerberos
  ◦ Public/private key exchanges

Security solutions can include an iSNS server that acts as a repository for public keys.
Text fields mediate the negotiation for the type of security supported by the end devices. If the
negotiation is successful, the devices format their communications to follow the negotiated security
routine.
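
The text-field negotiation described above can be checked on captured login exchanges. The following is an added example, not part of the HP guide: it parses login text keys and applies the list-selection rule for the AuthMethod key. The key name and the values CHAP, KRB5, None and Reject come from the iSCSI specification (RFC 7143), not from this page; the function names, the policy set and the sample segments are hypothetical.

```python
# Added example. Login text keys travel in the PDU data segment as
# NUL-terminated "key=value" pairs; list values are comma-separated in
# the sender's order of preference (AuthMethod per RFC 7143).

def parse_text_keys(segment):
    """Parse a login data segment into {key: value}."""
    keys = {}
    for item in segment.split(b"\x00"):
        if not item:  # trailing NUL or padding
            continue
        key, sep, value = item.decode("utf-8").partition("=")
        if not sep or not key or key in keys:
            raise ValueError(f"malformed or duplicate text key: {item!r}")
        keys[key] = value
    return keys

def select_auth(request, allowed):
    """Target side: answer with the first offered method that local
    policy allows, or Reject when none is acceptable."""
    offered = parse_text_keys(request).get("AuthMethod", "").split(",")
    return next((m for m in offered if m in allowed), "Reject")

def audit_login(request, response):
    """Return findings for one captured request/response pair."""
    offered = parse_text_keys(request).get("AuthMethod", "").split(",")
    chosen = parse_text_keys(response).get("AuthMethod", "")
    findings = []
    if chosen in ("", "None"):
        findings.append("session negotiated without authentication")
    elif chosen != "Reject" and chosen not in offered:
        findings.append(f"target answered {chosen}, which was not offered")
    elif "None" in offered:
        findings.append("initiator also accepts None as a fallback")
    return findings

# Constructed sample segments (names and values are illustrative).
REQUEST = (b"InitiatorName=iqn.2001-04.com.example:host1\x00"
           b"SessionType=Normal\x00AuthMethod=CHAP,None\x00")
RESPONSE = b"AuthMethod=" + select_auth(REQUEST, {"CHAP", "KRB5"}).encode() + b"\x00"

if __name__ == "__main__":
    print(RESPONSE)
    print(audit_login(REQUEST, RESPONSE))
    print(audit_login(REQUEST, b"AuthMethod=None\x00"))
```

An empty findings list means the pair offered and selected an authenticated method with no unauthenticated fallback.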

Software and hardware iSCSI initiators

An IP host can access an iSCSI environment using one of the following initiators:
• Software iSCSI initiator—The iSCSI code runs on the host and allows an Ethernet NIC to handle
  iSCSI traffic. Software iSCSI offers low cost with a performance penalty and CPU overhead.
  Software iSCSI initiators are available from many vendors.
• TOE NIC—Shifts processing of the communications protocol stack (TCP/IP) from the server processor
  to the NIC, lowering CPU overhead and use.
• Hardware iSCSI initiator (iSCSI HBA)—A high-performance HBA integrates both TCP/IP and iSCSI
  functions. Although integration adds cost to the HBA, it also provides high-speed iSCSI transport
  and minimal CPU overhead. The HBA transfers SCSI commands and data encapsulated by iSCSI
  directly to the host.

Bridging and routing

iSCSI routers and bridges are gateway devices that connect storage protocols such as Fibre Channel
or SCSI to IP networks. iSCSI routers and bridges enable block-level access across networks. Routing
data requests from an IP network device to a Fibre Channel device involves these steps:
1. An iSCSI host makes a storage data request.
SAN Design Reference Guide
359
