Getting secure external access to AoE disk volumes

Using MPLS to add routability to Coraid's AoE

Beginner's guide to SSL certificates

Comment ATA over Ethernet (AoE) protocol in the storage environment makes an interesting alternative to iSCSI and Fibre Channel. Although it is not routable, it can be made routable and thereby also independent of Ethernet itself.

AoE is a light, layer 2 protocol integrated with Ethernet frames, which makes it ideal for work inside LAN segments.

Ethernet has the virtue of being simple and easy to maintain with the ability to connect new technologies together. Standardised in June 2010 to work at the speeds of 40GbE and 100GbE (IEEE 802.3ba), Ethernet makes Fibre Channel look really weak.

AoE exploits all of these advantages and employs Ethernet broadcasts for storage discovery. Such broadcasts are naturally terminated at a router, because routers do not forward them. This feature restricts the range of AoE to the local Ethernet segment only. In cluster systems this feature provides security, ensuring that the storage cannot be externally accessed. However, this same feature gives rise to significant difficulties if external access to the AoE storage is, in fact, required (see Fig 1).

AoE network diagram

Fig. 1: Exemplar network topology

When external access is required, an edge router creates tunnels to route AoE traffic along a desired path. However, tunnels open access to the AoE storage, and expose it to the possibility of being attacked and harmed from outside. This drawback brings the biggest threat to the AoE storage infrastructure if it is not properly secured.

Unlike AoE, iSCSI protocol has at least a built-in authentication method which makes for better protected access to the storage. Unfortunately, iSCSI has also has big headers, which are processor-intensive, as is the TCP/IP stack. This makes iSCSI useless as a communications protocol for cluster systems. AoE only has the MAC address locking mechanism, which should actually be enough if we send AoE packets along private VLANs in the cloud and use an MPLS VPN path in the service provider network. Such a method of AoE routing is secure and could be a serious threat to iSCSI.

In research at University College Dublin, we have found that AoE over MPLS provides a routable protocol which can be implemented without a need for tunnels, and with a very modest increase in the header size in comparison with original AoE. As a side benefit, the resulting protocol is no longer restricted to Ethernet, because MPLS runs over whichever mix of networking technologies it faces – including ATM, SDH, Metro Ethernet, etc.

Although the performance of this routable form of AoE is degraded in comparison with its non-routable counterpart, experiments show that this degradation is surprisingly small, just 12 per cent or so, given that the gain, namely routability, is so large. More significantly, the new method also outperforms iSCSI, a protocol which comes at a much greater financial cost. ®


Marek Landowski is a PhD student in Electronic Engineering at University College Dublin, and was born in Starogard Gdanski, Poland in 1983. He received an MEngSc degree in Telecommunication Engineering from Gdansk University of Technology, Poland in 2007. His thesis on "FAN conception of traffic control in IP QoS networks" was researched during an Erasmus scholarship at Escuela Tecnica Superior de Ingenieros de Telecomunicacion, Universidad Politecnica de Valencia, Spain. In January 2008, Marek joined the Circuits and Systems research group at University College Dublin and since then he has been conducting PhD studies in the area of Flow Control in Communication Networks. More details on AoE can be found here (PDF/839KB).

Beginner's guide to SSL certificates

More from The Register

next story
Fat fingered geo-block kept Aussies in the dark
NASA launches new climate model at SC14
75 days of supercomputing later ...
Yahoo! blames! MONSTER! email! OUTAGE! on! CUT! CABLE! bungle!
Weekend woe for BT as telco struggles to restore service
You think the CLOUD's insecure? It's BETTER than UK.GOV's DATA CENTRES
We don't even know where some of them ARE – Maude
Trio of XSS turns attackers into admins
Cloud unicorns are extinct so DiData cloud mess was YOUR fault
Applications need to be built to handle TITSUP incidents
BOFH: WHERE did this 'fax-enabled' printer UPGRADE come from?
Don't worry about that cable, it's part of the config
Astro-boffins start opening universe simulation data
Got a supercomputer? Want to simulate a universe? Here you go
prev story


Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
How to determine if cloud backup is right for your servers
Two key factors, technical feasibility and TCO economics, that backup and IT operations managers should consider when assessing cloud backup.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Internet Security Threat Report 2014
An overview and analysis of the year in global threat activity: identify, analyze, and provide commentary on emerging trends in the dynamic threat landscape.