IPSec for IP storage

If putting storage-area networks on IP is logical, which most agree it is, then it only makes sense to use IP Security to protect those SANs, or so says the Internet Engineering Task Force, to the ire of some storage vendors and the consternation of some users.

The IETF’s Internet Engineering Steering Group (IESG) is mandating that three IP storage protocols, iSCSI, Fibre Channel over IP and Internet Fibre Channel Protocol, support IPSec. “The vulnerability is one of eavesdropping, and that’s why the IESG insisted on the ability to encrypt,” says Scott Bradner, the IETF transport area director whose area oversees the IP Storage Working Group and a Network World columnist.

Vendors that support the IESG decision include Broadcom Corp., IBM Corp., Microsoft Corp., Nishan Systems Inc., Nortel Networks Corp. and Rhapsody Networks Inc. Engineers from those companies have co-authored a draft proposed standard for securing IP block storage protocols. The draft, submitted in February, spells out the requirements for using IPSec with each of the three storage protocols.

But relying on IPSec to solve the IP storage security problem misses the point, says Phil Grasso, founder of Sotera Networks Inc., a start-up developing an IP storage security appliance. IPSec would secure storage data while it is in transit across an IP network, much as it does for data carried on an IP VPN, but it would do nothing to protect data once it is at rest on the storage devices themselves. Encryption ciphers such as Triple-DES and Advanced Encryption Standard (AES) are needed for that, he says.

Triple-DES is the best way to secure IP storage because it encrypts data in transit and on storage devices and subsystems, Grasso and executives at fellow storage start-up NeoScale Systems contend. Triple-DES also encrypts today’s Fibre Channel data, and it works with IPSec, they note.
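The distinction Grasso and the start-ups are drawing is easier to see end to end. The following is an added worked example, not code from the article or from any of the vendors named: it models one iSCSI-style write of a block from an initiator to a target, records what a passive eavesdropper on the IP network captures, and inspects what ends up on the target’s disk, first with IPSec-style transport protection alone and then with the block also encrypted by the initiator before it is sent. Everything here is constructed for illustration: the session key, the PDU layout, the sample block contents, and the cipher, which uses HMAC-SHA256 in counter mode as a stand-in for AES or Triple-DES because the Python standard library ships no block cipher.

```python
"""Transport protection (IPsec-style) versus at-rest encryption, modelled end to end.

Constructed example: one iSCSI-like write of a single block from an initiator to a
target. A passive eavesdropper records every PDU on the wire; the target stores what
the PDU carried after stripping the transport protection.
"""
import hashlib
import hmac
import os
import struct
from typing import Optional

KS_BLOCK = 32  # one HMAC-SHA256 output = one keystream block
LBA = 7
PAYLOAD = b"ACCOUNT=4242 BALANCE=1000000"  # constructed sample block contents


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from one shared secret."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _ctr_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 as the PRF, XORed onto data.

    Stand-in for AES or Triple-DES, which the standard library lacks; the mode has
    the same shape. A (key, nonce) pair must never be reused.
    """
    out = bytearray()
    for i in range(0, len(data), KS_BLOCK):
        ks = hmac.new(key, nonce + struct.pack(">Q", i // KS_BLOCK), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + KS_BLOCK], ks))
    return bytes(out)


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag (an ESP packet or an encrypted block)."""
    nonce = os.urandom(16)
    ct = _ctr_xor(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; reject anything modified."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return _ctr_xor(_subkey(key, b"enc"), nonce, ct)


def write_block(session_key: bytes, at_rest_key: Optional[bytes]):
    """Initiator -> wire -> target for one block. Returns (wire_capture, target_disk)."""
    # With an at-rest key the initiator encrypts the block itself before it ever
    # reaches the transport layer; without one, the block travels as plaintext
    # inside the transport-protected PDU.
    block = seal(at_rest_key, PAYLOAD) if at_rest_key else PAYLOAD
    pdu = seal(session_key, struct.pack(">Q", LBA) + block)  # IPsec-style protection
    wire = [pdu]  # everything the eavesdropper can record
    # Target: strip the transport protection and store exactly what the PDU carried.
    clear = unseal(session_key, pdu)
    disk = {struct.unpack(">Q", clear[:8])[0]: clear[8:]}
    return wire, disk


def analyse(at_rest: bool) -> dict:
    """What each attacker position sees, with and without at-rest encryption."""
    session_key = os.urandom(32)  # per-session key shared by both endpoints (IKE analogue)
    at_rest_key = os.urandom(32) if at_rest else None
    wire, disk = write_block(session_key, at_rest_key)
    # Active attacker on the wire: flip one ciphertext byte and deliver the PDU.
    pdu = bytearray(wire[0])
    pdu[20] ^= 0x01
    try:
        unseal(session_key, bytes(pdu))
        tampered_rejected = False
    except ValueError:
        tampered_rejected = True
    stored = disk[LBA]
    owner_view = unseal(at_rest_key, stored) if at_rest_key else stored
    return {
        "eavesdropper_sees_plaintext": PAYLOAD in wire[0],
        "disk_holds_plaintext": PAYLOAD in stored,
        "tampered_pdu_rejected": tampered_rejected,
        "owner_can_read_disk": owner_view == PAYLOAD,
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("at-rest encryption" if mode else "IPsec-style transport only", analyse(mode))
```

In both runs the eavesdropper captures only ciphertext and a modified PDU is rejected, which is the eavesdropping and tampering threat the IESG is addressing. The difference shows up on the target: with transport protection alone the block sits on disk in the clear, so anyone who can read the storage device or subsystem reads the data; with the block encrypted before it enters the transport, the disk holds ciphertext that only a holder of the at-rest key can recover. The two layers answer different threats and are not substitutes for each other.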

But some storage vendors may be resistant to building IPSec into their products when they have no guarantee that it will be used, says John Webster, founder of Data Mobility Group, a storage market research and analysis firm. The draft requires products to implement the IPSec mechanisms but lets enterprise storage managers turn them off.

Given the contention surrounding IPSec for IP storage, users might end up having to trade interoperability – or at least standards-compliance – for security.

Users might also face higher prices. Vendors have said that IPSec could triple or quadruple the cost of an iSCSI network interface card or TCP off-load engine, Webster says.

Tripling the cost would kill the IP storage opportunity for many users, says a technical services director for a national pension fund in Alexandria, Va. “Implementing a SAN is an expensive venture as it stands now,” he says.

Vendors and users also fear that embedding IPSec in storage chips could significantly drop performance levels. “Some 1-GHz and 2-GHz processors finally have enough [million instructions per second] to keep up with software-based IPSec on 100M bit/sec media,” says Jesse Walker, a network security architect at Intel and contributor to the proposed IETF IP storage security standard. “The emerging 1G bit/sec media overwhelm existing microprocessors, and higher-rate media will [also].”

But David Black, co-chair of the IETF IP Storage working group, points out that IPSec’s impact will depend on the computational resources available in an IP storage network. The results depend on link speed (100M bit/sec vs. 1G bit/sec), encryption algorithm (Triple-DES vs. AES) and hardware platform (PowerPC vs. Pentium).

“There’s no easy, simple answer,” he says.