Getting secure external access to AoE disk volumes

Comment ATA over Ethernet (AoE) protocol in the storage environment makes an interesting alternative to iSCSI and Fibre Channel. Although it is not routable, it can be made routable and thereby also independent of Ethernet itself.

AoE is a light, layer 2 protocol integrated with Ethernet frames, which makes it ideal for work inside LAN segments.

Ethernet has the virtue of being simple and easy to maintain with the ability to connect new technologies together. Standardised in June 2010 to work at the speeds of 40GbE and 100GbE (IEEE 802.3ba), Ethernet makes Fibre Channel look really weak.

AoE exploits all of these advantages and employs Ethernet broadcasts for storage discovery. Such broadcasts are naturally terminated at a router, because routers do not forward them. This feature restricts the range of AoE to the local Ethernet segment only. In cluster systems this feature provides security, ensuring that the storage cannot be externally accessed. However, this same feature gives rise to significant difficulties if external access to the AoE storage is, in fact, required (see Fig 1).

Fig. 1: Exemplar network topology

When external access is required, an edge router creates tunnels to route AoE traffic along a desired path. However, tunnels open access to the AoE storage, and expose it to the possibility of being attacked and harmed from outside. This drawback brings the biggest threat to the AoE storage infrastructure if it is not properly secured.

Unlike AoE, iSCSI protocol has at least a built-in authentication method which makes for better protected access to the storage. Unfortunately, iSCSI has also has big headers, which are processor-intensive, as is the TCP/IP stack. This makes iSCSI useless as a communications protocol for cluster systems. AoE only has the MAC address locking mechanism, which should actually be enough if we send AoE packets along private VLANs in the cloud and use an MPLS VPN path in the service provider network. Such a method of AoE routing is secure and could be a serious threat to iSCSI.

In research at University College Dublin, we have found that AoE over MPLS provides a routable protocol which can be implemented without a need for tunnels, and with a very modest increase in the header size in comparison with original AoE. As a side benefit, the resulting protocol is no longer restricted to Ethernet, because MPLS runs over whichever mix of networking technologies it faces – including ATM, SDH, Metro Ethernet, etc.

Although the performance of this routable form of AoE is degraded in comparison with its non-routable counterpart, experiments show that this degradation is surprisingly small, just 12 per cent or so, given that the gain, namely routability, is so large. More significantly, the new method also outperforms iSCSI, a protocol which comes at a much greater financial cost. ®

Bootnote

Marek Landowski is a PhD student in Electronic Engineering at University College Dublin, and was born in Starogard Gdanski, Poland in 1983. He received an MEngSc degree in Telecommunication Engineering from Gdansk University of Technology, Poland in 2007. His thesis on "FAN conception of traffic control in IP QoS networks" was researched during an Erasmus scholarship at Escuela Tecnica Superior de Ingenieros de Telecomunicacion, Universidad Politecnica de Valencia, Spain. In January 2008, Marek joined the Circuits and Systems research group at University College Dublin and since then he has been conducting PhD studies in the area of Flow Control in Communication Networks. More details on AoE can be found here (PDF/839KB).