Feeds

Getting secure external access to AoE disk volumes

Using MPLS to add routability to Coraid's AoE

The essential guide to IT transformation

Comment ATA over Ethernet (AoE) protocol in the storage environment makes an interesting alternative to iSCSI and Fibre Channel. Although it is not routable, it can be made routable and thereby also independent of Ethernet itself.

AoE is a light, layer 2 protocol integrated with Ethernet frames, which makes it ideal for work inside LAN segments.

Ethernet has the virtue of being simple and easy to maintain with the ability to connect new technologies together. Standardised in June 2010 to work at the speeds of 40GbE and 100GbE (IEEE 802.3ba), Ethernet makes Fibre Channel look really weak.

AoE exploits all of these advantages and employs Ethernet broadcasts for storage discovery. Such broadcasts are naturally terminated at a router, because routers do not forward them. This feature restricts the range of AoE to the local Ethernet segment only. In cluster systems this feature provides security, ensuring that the storage cannot be externally accessed. However, this same feature gives rise to significant difficulties if external access to the AoE storage is, in fact, required (see Fig 1).

AoE network diagram

Fig. 1: Exemplar network topology

When external access is required, an edge router creates tunnels to route AoE traffic along a desired path. However, tunnels open access to the AoE storage, and expose it to the possibility of being attacked and harmed from outside. This drawback brings the biggest threat to the AoE storage infrastructure if it is not properly secured.

Unlike AoE, iSCSI protocol has at least a built-in authentication method which makes for better protected access to the storage. Unfortunately, iSCSI has also has big headers, which are processor-intensive, as is the TCP/IP stack. This makes iSCSI useless as a communications protocol for cluster systems. AoE only has the MAC address locking mechanism, which should actually be enough if we send AoE packets along private VLANs in the cloud and use an MPLS VPN path in the service provider network. Such a method of AoE routing is secure and could be a serious threat to iSCSI.

In research at University College Dublin, we have found that AoE over MPLS provides a routable protocol which can be implemented without a need for tunnels, and with a very modest increase in the header size in comparison with original AoE. As a side benefit, the resulting protocol is no longer restricted to Ethernet, because MPLS runs over whichever mix of networking technologies it faces – including ATM, SDH, Metro Ethernet, etc.

Although the performance of this routable form of AoE is degraded in comparison with its non-routable counterpart, experiments show that this degradation is surprisingly small, just 12 per cent or so, given that the gain, namely routability, is so large. More significantly, the new method also outperforms iSCSI, a protocol which comes at a much greater financial cost. ®

Bootnote

Marek Landowski is a PhD student in Electronic Engineering at University College Dublin, and was born in Starogard Gdanski, Poland in 1983. He received an MEngSc degree in Telecommunication Engineering from Gdansk University of Technology, Poland in 2007. His thesis on "FAN conception of traffic control in IP QoS networks" was researched during an Erasmus scholarship at Escuela Tecnica Superior de Ingenieros de Telecomunicacion, Universidad Politecnica de Valencia, Spain. In January 2008, Marek joined the Circuits and Systems research group at University College Dublin and since then he has been conducting PhD studies in the area of Flow Control in Communication Networks. More details on AoE can be found here (PDF/839KB).

Boost IT visibility and business value

More from The Register

next story
Pay to play: The hidden cost of software defined everything
Enter credit card details if you want that system you bought to actually be useful
Shoot-em-up: Sony Online Entertainment hit by 'large scale DDoS attack'
Games disrupted as firm struggles to control network
HP busts out new ProLiant Gen9 servers
Think those are cool? Wait till you get a load of our racks
Silicon Valley jolted by magnitude 6.1 quake – its biggest in 25 years
Did the earth move for you at VMworld – oh, OK. It just did. A lot
VMware's high-wire balancing act: EVO might drag us ALL down
Get it right, EMC, or there'll be STORAGE CIVIL WAR. Mark my words
Forrester says it's time to give up on physical storage arrays
The physical/virtual storage tipping point may just have arrived
prev story

Whitepapers

Top 10 endpoint backup mistakes
Avoid the ten endpoint backup mistakes to ensure that your critical corporate data is protected and end user productivity is improved.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Backing up distributed data
Eliminating the redundant use of bandwidth and storage capacity and application consolidation in the modern data center.
The essential guide to IT transformation
ServiceNow discusses three IT transformations that can help CIOs automate IT services to transform IT and the enterprise
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.