JP2003158538A - Gateway and access method employing the same - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a gateway that can enhance the security of access to a server and a storage in a SAN (Storage Area Network). SOLUTION: The gateway 1 is connected to an IP network 2 built up by a LAN or a WAN via a VPN, controls data access between the IP network 2 and the SAN 3 where a plurality of storages and servers grouped are interconnected with each other, has a table 4 cross-referencing a VPN customer with a storage group of the SAN 3, and permits access to the storage group of the SAN 3 corresponding to the customer when the customer of the VPN in a packet from the IP network 2 is coincident with the customer in the table 4.

Description

Detailed Description of the Invention

[0001]

TECHNICAL FIELD The present invention relates to a LAN (Local Area).
a Network) or WAN (Wide Area Network) connected to the IP network via VPN, and data between the IP network and SAN (Storage Area Network) connected by grouping multiple storages. The present invention relates to a gateway device that performs access control and an access method using the device.

[0002]

2. Description of the Related Art Conventionally, until around 2000, LANs (WANs) and SANs in Internet data centers were used.
And became a completely unique network, and each was separated. Therefore, in client access via the Internet, a file is accessed from the NIC (Network Interface Card) of the server to the server via the LAN of the data center. Then, when the server receives the file access, the server writes the SAN to the hard disk.
It was accessed via (Fig. 7).

From the latter half of 2000, SAN and LAN (W
The movement to connect (AN) has begun. One is a method of connecting a plurality of SANs separated from each other using LAN and WAN (Fig. 8), and FCIP (Fibre Chanel over) using a fiber channel which is a high-speed serial interface capable of long-distance transmission. A protocol called IP) is under development. The other is storage, LAN, W
Client PC (Personal Computer) connected to AN
A protocol called iSCSI, which is a method (FIG. 9) of directly accessing from SCSI over IP, is under development.

With the advent of iSCSI, as shown in FIG. 10, an iSCSI gateway (also called a Storage Router) for connecting an iSCSI access from a LAN / WAN and a conventional existing SAN has been commercialized. Has been done.

[0005]

Now, let us consider a case where a storage (hard disk: HD) on a data center is accessed by remote access by iSCSI in a network configuration as shown in FIG. In such a network configuration, the storage, which was conventionally on the company's premises, is placed in a shared facility such as a data center, which poses a security problem.

As a countermeasure against this security problem, for example, a method using a password, I of a client PC for which access to a specific storage group is designated in advance is performed.
A method of allowing only a combination of P addresses has been considered.

Here, the storage groups are grouped according to the zoning function of the fiber channel. This zoning function is an effective function when it is desired to restrict access to a specific server and storage in an environment in which different model OSs are mixed in one SAN configuration, or in an environment in which multiple nodes are configured.

Zoning is a technique in which SANs are grouped in units called zones, and are configured as if they were a plurality of SANs. Zones are set by WWN (World Widow) of the fiber channel interface of the server and the fiber channel interface of the storage device.
e Node) or FC (Fibre Channel) switch port number is specified. FIG. 11 shows an example of setting zoning. In the example of FIG. 11, six CPU servers, seven storage devices, and one tape library are ZONE-A, ZONE-B, ZONE-C, and ZON.
It is divided into four zones E-D.

However, the above-mentioned method using a password has a problem of low security because it is a combination of a plurality of numbers and symbols. Further, in the method of permitting access to a specific storage group only to a combination of IP addresses of pre-designated client PCs, a third party allows a client PC set to a designated combination of IP addresses to an original user. There is a problem of lack of security because it can be used after being spoofed.

As described above, the above-mentioned method has a problem in that the security of access to the server and storage in the SAN cannot be sufficiently protected.

Therefore, the present invention has been made in view of the above problems, and when connecting an IP network constructed by LAN / WAN and a SAN, it is possible to improve security of access to a server and storage in the SAN. It is an object of the present invention to provide a gateway device capable of performing the above and an access method using the device.

[0012]

In order to achieve the above object, the invention of claim 1 according to the present invention is connected to an IP network 2 constructed by a LAN or WAN via a VPN, and the IP network and In the gateway device 1 that controls access to data between the SAN 3 to which a plurality of storages and servers are grouped and connected, the gateway device 1 has a table 4 that associates the VPN customers with the SAN storage groups, When the VPN customer in the packet from the network matches the customer in the table, a function is provided for permitting the customer to access the storage group of the SAN.

According to a second aspect of the present invention, in the gateway device according to the first aspect, the VPN is an MPLS-VPN, and the SAN storage group associated with the VPN customer of the IP network in Table 4 is a fiber channel. Zone Name, Infini-Band
It is characterized by being either a partition number or a VID.

The invention of claim 3 is connected to the IP network 2 constructed by LAN or WAN via VPN,
In an access method using a gateway device 1 for controlling access to data between the IP network and a SAN 3 to which a plurality of storages and servers are grouped and connected, a VPN customer in a packet from the IP network. Is the V of the IP network
When the PN customer and the SAN storage group are associated with the customer in Table 4, the access to the SAN storage group corresponding to the customer is permitted.

According to a fourth aspect of the present invention, in the access method using the gateway device according to the third aspect, the VPN is M.
The storage group of the SAN, which is composed of PLS-VPN and is associated with the VPN customer of the IP network in Table 4, is the zone name of the fiber channel, I.
It is characterized by being either a partition number of nfini-Band or a VID.

[0016]

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS FIG. 1 shows an MPLS (Multi Protocol Label Switching) including a gateway device according to the present invention.
-A diagram showing an example of a network configuration using VPN technology, Figs. 2A to 2C are diagrams showing an example of a storage mapping table for comparing and collating with a user identification label of a packet, and Fig. 3 is an MPLS frame format. FIG. 4 is a flowchart showing the processing procedure of MPLS-VPN, and FIG. 5 is an L including the gateway device of the present invention.
FIG. 6 is a diagram showing an example of a network configuration using VPN technology based on 2TP (Layer two Tunneling Protocol).
(A), (b) is a figure which shows a L2TP frame format.

The gateway device according to the present invention is a LAN
Controls access to data between an IP network and a SAN that is connected to a group of multiple CPU servers and storage (hard disk: HD) by connecting to an IP network that is built with a LAN or WAN via a VPN. ing.

As shown in FIG. 1 and FIG. 5, the gateway device 1 of the present example uses VPN (Virtual Private Network) technology to control access from the client PC of the IP network 2 to the storage of the SAN 3 and the server. Therefore, an IP network 2 having a LAN / WAN interface and a fiber channel or Infini-Band interface and constructed by LAN / WAN 2
SAN from SCSI command from (client PC)
It has the function of gatewaying to the side.

The gateway device 1 of this example is
By connecting the PN and the grouping of SAN3, the storage group (storage or server) of SAN3 is access-controlled as if it exists in the private network.

Explaining further, the gateway device 1 of this example is configured so that the VPN customer of the IP network 2 and the SA
It has a storage mapping table (hereinafter abbreviated as a table) 4 for associating with the storage group N3. This table 4 is an SA that permits access.
It is composed of information indicating the storage group of N3.

As the storage group, a method of realizing with a list of storages or an identification number to the list of storages, a method of managing with a zone name of a fiber channel, I
There is a method of managing with a partition number of nfini-Band.

Therefore, the table 4 has a Fiber Channel zone name composed of a character string as shown in FIG. 2A and an Infin composed of a numerical example as shown in FIG. 2B.
A partition number of i-Band, a VLAN (Virtual Local Area Neighbor) consisting of a number string as shown in FIG.
twork) -ID (VID) given as any information, and each information (fibre channel zone name, Info
The ni-Band partition number and VID) correspond to each user identification label.

The gateway device 1 of this example uses the VPN in the packet from the client PC of the IP network 2.
When the customer in Table 4 matches the customer in Table 4,
It has a function of permitting access to the storage group of SAN3 corresponding to the customer. This identifies the user to user access and allows access only to authorized storage groups.

In the table 4 shown in FIGS. 2A to 2C, the user identification label and the storage group have a one-to-one correspondence.
It has become. However, the number of storage groups that the user is allowed to access may be 0, 1, or a plurality. For example, one user can access a plurality of storages. FIG. 2D shows an example of the contents of the table 4 when one user accesses two storages. It is also possible for multiple users to access one storage group at the same time.

By the way, although there are various realization methods for the VPN itself, the gateway device 1 of the present example uses the MPL shown in FIG.
It corresponds to the S-VPN and the VPN based on L2TP shown in FIG.

MPLS is a cut-through type packet transfer technique and is a mechanism for realizing connection control on a connectionless network such as an IP network. In this MPLS, an identifier called a user identification label is provided in the IP packet, and the MPLS
The corresponding node manages a plurality of routes on the IP network.

In the network configuration shown in FIG. 1, M
In the PLS-VPN, a user identification label is added to the packet and carried to the gateway device 1 by a method called MPLS label stacking. The MPLS frame format of this packet is as shown in FIG.
L2 (Layer 2) header, MPLS header consisting of packet carrying label and user identification label, IP header, TCP
It is configured to have a header and iSCSI data.

In the gateway device 1 of this example,
The user identification label in the MPLS frame format and the information in its own table (one of the tables shown in FIGS. 2A to 2C) 4 are compared and collated, and the SCSI of the carried packet is targeted for access. It is determined whether or not it can be sent to the storage.

Next, the operation of the gateway device 1 of this example when a packet is carried from the client PC in the network configuration utilizing the MPLS-VPN will be described with reference to FIG.

When a packet is carried from the client PC by MPLS-VPN, the user identification label U is extracted from the packet (ST1). Next, the user identification label U is searched for in its own table (one of the tables shown in FIGS. 2A to 2C) 4 (ST2). Then, it is determined whether or not the user identification label U is in the table 4 (ST3).

If the user identification label U is in the table 4 (ST3-Yes), the storage group is set to the zone name Z.
(ST4). Then, the original packet (iSC
Retrieve SCSI command from (SI data) (ST
5). After that, the SCSI command is transmitted to the storage (target) in the zone Z designated by iSCSI (ST6).

On the other hand, if the user identification label U is not in the table 4 (ST3-No), the original packet (iS
Retrieve SCSI command from CSI data) (ST
7). Then, the SCSI command is transmitted to the storage (target) designated by iSCSI without zone designation (ST8).

Next, the gateway device 1 of this example using the VPN technology by L2TP will be described.

L2TP is a data link layer (PPP: Po).
It is a connection-type tunneling protocol for tunneling the int to Point Protocol to build a VPN for connection between sites (LAN). In this L2TP, LAC (L2TP Access Concentrator) and LNS (L2TP
It defines a procedure for tunneling a PPP session with a network server.

In the network configuration shown in FIG. 5, L
2TP includes an IP header and a UD, as shown in FIG.
P header, L2TP header, PPP (BCP) header,
A format composed of an IP header, a TCP header, and iSCSI data is used. Also, the iSCSI data in FIG. 6A has a format configuration as shown in FIG. 6B. The iSCSI command is
This is the format of the command issued from the host (client PC) to the target (server or storage). The frames in the L2TP environment are exchanged as data on UDP.

In L2TP, an L2TP tunnel (control connection) is established before starting data communication (PPP communication) of a user session. At the time of establishing the L2TP tunnel, it is possible to authenticate the other party so that the unauthorized party does not issue a tunnel establishment request to prevent the unauthorized tunnel from being established.

The establishment of the control connection in L2TP is an L2TP message. (1) SCCRQ (Sta
rt-Control-Connection-Request, connection establishment request), (2) SCCRP (Start-Control-Connection-Re
ply, connection establishment response), (3) SCCCN (Sta
It is performed by exchanging rt-Control-Connection-Connected, connection establishment of a connection, that is, 3-way handshake (exchanging three messages to establish a control connection).

Once the control connection has been established, the user session can be placed on it. The establishment of this user session is
(1) ICRQ (Incoming-Call-Request)
(2) ICRP (Incoming-Call-Reply)
(3) ICCN (Incoming-Call-Connected)
Is done with a 3-way handshake.

When the user session reaches the established state, PPP frames are exchanged on the tunnel.

When disconnecting a specific session in the L2TP tunnel, a CDN (Call-Discon) including the call ID (call ID) of the session to be disconnected is included.
nect-Notify, call disconnect notification) is sent to the other party. CDN
On the receiving side of, the resource used by the session of the specified call ID is released. When releasing the tunnel itself, StopCCN (Stop-Control-Connection-Notificat) including the tunnel ID to be released
ion, control connection end notification) to the tunnel end point.

Since the user name is identified at the time of the first PPP connection in the VPN by L2TP, the gateway device 1 of the present example has a table showing the correspondence between the user name permitted to access and the storage group.

Although not shown, the table is MPLS-
Similar to VPN, it is given by any one of information of a fiber channel zone name consisting of a character string, Infini-Band partition number consisting of a numerical example, and VID consisting of a numerical string, and each information corresponds to each user name. ing.

Then, the gateway device 1 of this example compares the user name identified at the time of the iSCSI access from the client PC with the above-mentioned table, permits the access, and sends the iSCSI command to the target storage. Is controlling.

To further explain, in the case of the network configuration shown in FIG.
Connect to AC (L2TP Access Concentrator) by PPP. P
The PP session is encapsulated in an L2TP frame by the LAC and sent to the gateway device (LNS) 1. A logical L2TP tunnel session is set up between the LAC and the LNS, and encryption is used for security.

When connecting a PPP session, P
AP (Password Authentication Protocol) / CHAP (C
The user name is sent by the hallenge Handshake Authentication Protocol) and reaches the gateway device 1.

The gateway device 1 searches the above-mentioned table for the user name arrived by the PPP session,
Determine if the user name is in the table. Then, if the user name is in the table, the SCSI command is transmitted to the storage (target) in the zone designated by iSCSI. On the other hand, if the user name is not in the table, the SCSI command is sent to the storage (target) specified by iSCSI without zone specification.

As described above, in the gateway device of the present example and the access method using the device, when the VPN customer in the packet from the client PC coincides with the customer in the table, the SAN storage corresponding to the customer is stored. Allows access to the group. As a result, the user is specified for user access, and access is permitted only to the permitted storage group, so that security for storage can be protected. Moreover, you can use the private address as it is. Furthermore, when applied to a network configuration using MPLS-VPN, even if the private address is used as it is, data access control can be performed without performing processing such as encryption / decryption and saving the processing time. You can

[0048]

As is apparent from the above description, according to the present invention, there is a table in which VPN customers and SAN storage groups are associated with each other, and the VPN customers in the packet from the client are the table customers. When a match is found, access to the storage group of the SAN corresponding to that customer is permitted, so LAN /
When connecting the WAN and the SAN, it is possible to sufficiently secure the security of access to the server and storage in the SAN. Moreover, the private address can be used as it is. Also, MPLS-V
In the network configuration using PN, even if the private address is used as it is, data access control can be performed without performing processing such as encryption / decryption.

[Brief description of drawings]

FIG. 1 is an MPLS including a gateway device according to the present invention.
-A diagram showing an example of a network configuration using VPN technology

2A to 2D are diagrams showing an example of a storage mapping table for comparing and collating with a user identification label of a packet.

FIG. 3 is a diagram showing an MPLS frame format.

FIG. 4 is a flowchart showing a processing procedure of MPLS-VPN.

FIG. 5 is a diagram showing an example of a network configuration using a VPN technology by L2TP including a gateway device of the present invention.

6A and 6B are diagrams showing an L2TP frame format.

FIG. 7 is a schematic diagram of data access in a network configuration in which a LAN (WAN) and a SAN are separated.

FIG. 8 LAN (WAN) and SAN based on the FCIP method
Schematic showing the connection configuration of

FIG. 9 LAN (WAN) and SA based on the iSCSI method
Schematic diagram showing N connection configuration

FIG. 10 is a schematic diagram of a network configuration for connecting an iSCSI access from a LAN (WAN) and an existing SAN.

FIG. 11 SANs grouped by zoning
Figure showing an example

[Explanation of symbols]

1 ... Gateway device, 2 ... IP network, 3 ... S
AN, 4 ... table, HD ... hard disk (storage).

Claims (4)

[Claims] 1. A LAN (3), which is connected to an IP network (2) constructed by LAN or WAN via VPN, and the IP network is connected to a plurality of storages or servers grouped together. In a gateway device (1) for controlling access to data of the above, a table (4) for associating a customer of the VPN with a storage group of the SAN is provided, and a customer of the VPN in a packet from the IP network is A gateway device having a function of permitting access to a storage group of a SAN corresponding to a customer when the customer coincides with the customer. 2. The VPN is an MPLS-VPN, and the SAN storage group associated with the VPN customer of the IP network in the table (4) is a fiber channel zone name, Infini-Ba.
The gateway device according to claim 1, wherein the gateway device is one of an ND partition number and a VID. 3. An IP network (2) constructed by a LAN or WAN is connected via a VPN, and between the IP network and a SAN (3) to which a plurality of storages and servers are grouped and connected. In the access method using the gateway device (1) for controlling the access to the data, the VPN customer in the packet from the IP network is the VPN customer of the IP network and the S customer.
An access method using a gateway device, which allows access to a SAN storage group corresponding to a customer when the customer matches a customer in a table (4) associating with the AN storage group. 4. The VPN comprises an MPLS-VPN, and the SAN storage group associated with the VPN customer of the IP network in the table (4) is a fiber channel zone name, Infini-Ba.
An access method using a gateway device, characterized in that it is either an ND partition number or VID.