Feeds

Getting secure external access to AoE disk volumes

Using MPLS to add routability to Coraid's AoE

Mobile application security vulnerability report

Comment ATA over Ethernet (AoE) protocol in the storage environment makes an interesting alternative to iSCSI and Fibre Channel. Although it is not routable, it can be made routable and thereby also independent of Ethernet itself.

AoE is a light, layer 2 protocol integrated with Ethernet frames, which makes it ideal for work inside LAN segments.

Ethernet has the virtue of being simple and easy to maintain with the ability to connect new technologies together. Standardised in June 2010 to work at the speeds of 40GbE and 100GbE (IEEE 802.3ba), Ethernet makes Fibre Channel look really weak.

AoE exploits all of these advantages and employs Ethernet broadcasts for storage discovery. Such broadcasts are naturally terminated at a router, because routers do not forward them. This feature restricts the range of AoE to the local Ethernet segment only. In cluster systems this feature provides security, ensuring that the storage cannot be externally accessed. However, this same feature gives rise to significant difficulties if external access to the AoE storage is, in fact, required (see Fig 1).

AoE network diagram

Fig. 1: Exemplar network topology

When external access is required, an edge router creates tunnels to route AoE traffic along a desired path. However, tunnels open access to the AoE storage, and expose it to the possibility of being attacked and harmed from outside. This drawback brings the biggest threat to the AoE storage infrastructure if it is not properly secured.

Unlike AoE, iSCSI protocol has at least a built-in authentication method which makes for better protected access to the storage. Unfortunately, iSCSI has also has big headers, which are processor-intensive, as is the TCP/IP stack. This makes iSCSI useless as a communications protocol for cluster systems. AoE only has the MAC address locking mechanism, which should actually be enough if we send AoE packets along private VLANs in the cloud and use an MPLS VPN path in the service provider network. Such a method of AoE routing is secure and could be a serious threat to iSCSI.

In research at University College Dublin, we have found that AoE over MPLS provides a routable protocol which can be implemented without a need for tunnels, and with a very modest increase in the header size in comparison with original AoE. As a side benefit, the resulting protocol is no longer restricted to Ethernet, because MPLS runs over whichever mix of networking technologies it faces – including ATM, SDH, Metro Ethernet, etc.

Although the performance of this routable form of AoE is degraded in comparison with its non-routable counterpart, experiments show that this degradation is surprisingly small, just 12 per cent or so, given that the gain, namely routability, is so large. More significantly, the new method also outperforms iSCSI, a protocol which comes at a much greater financial cost. ®

Bootnote

Marek Landowski is a PhD student in Electronic Engineering at University College Dublin, and was born in Starogard Gdanski, Poland in 1983. He received an MEngSc degree in Telecommunication Engineering from Gdansk University of Technology, Poland in 2007. His thesis on "FAN conception of traffic control in IP QoS networks" was researched during an Erasmus scholarship at Escuela Tecnica Superior de Ingenieros de Telecomunicacion, Universidad Politecnica de Valencia, Spain. In January 2008, Marek joined the Circuits and Systems research group at University College Dublin and since then he has been conducting PhD studies in the area of Flow Control in Communication Networks. More details on AoE can be found here (PDF/839KB).

Bridging the IT gap between rising business demands and ageing tools

More from The Register

next story
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
EU's top data cops to meet Google, Microsoft et al over 'right to be forgotten'
Plan to hammer out 'coherent' guidelines. Good luck chaps!
US judge: YES, cops or feds so can slurp an ENTIRE Gmail account
Crooks don't have folders labelled 'drug records', opines NY beak
FLAPE – the next BIG THING in storage
Find cold data with flash, transmit it from tape
Seagate chances ARM with NAS boxes for the SOHO crowd
There's an Atom-powered offering, too
Gartner: To the right, to the right – biz sync firms who've won in a box to the right...
Magic quadrant: Top marks for, er, completeness of vision, EMC
prev story

Whitepapers

Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.