Apparatus and method for implementing spoofing- and replay-attack-resistant virtual zones on storage area networks
Abstract
A storage area network resistant to spoofing attack has several nodes each having a port, and storage area network interconnect interconnecting the ports. Each port is provided with a hash function generator for providing and verifying an authentication code for frames transmitted over the storage area network, and a key table for providing a key to the hash function generator. The authentication code is generated by applying a hash function to the key and to at least an address portion of each frame. In each node, the key is selected from that node's key table according to address information of the frame.
Claims (13)
1. A storage area network resistant to spoofing attack comprising:
at least a first compute node having a port and a first storage node having a port;
storage area network interconnect interconnecting the port of the first compute node and the port of the first storage node;
a first hash function generator for providing an authentication code for a frame transmitted over the storage area network from the port of the first compute node;
a first key table for providing a key to the first hash function generator, the authentication code being generated by applying a hash function to the key and to at least a portion of the frame;
a second hash function generator for verifying the authentication code upon receipt at the port of the first storage node; and
a second key table for providing a key to the second hash function generator, the authentication code being verified by applying a hash function to the key and to at least a portion of the frame, the key being selected according to a source identifier of the frame.
wherein the storage area network interconnect interconnects the port of the second compute node and the port of the first storage node in addition to interconnecting the port of the first compute node and the port of the first storage node;
wherein the second compute node has a third key table not identical to the first key table, the differences between the first key table and the second key table operative to establish zoning on the network.
6. The network of claim 5, wherein the first compute node further comprises a clock, and wherein the frame further comprises a transmit time field.
7. A node for use in a storage area network comprising:
a hash function generator operable to generate an authentication code for a frame capable of transmission on the storage area network;
a key table coupled to provide a key to the hash function generator, the key being a function of at least a destination address of the frame;
a clock coupled to generate a transmission timestamp for the frame;
a port for transmitting the frame; and
wherein the authentication code is a function of at least the transmission timestamp, the key, the destination address of the frame, and a source address of the frame.
wherein the port is capable of receiving a second frame; wherein the key table is capable of selecting a receive key to the hash function generator based upon at least a source address of the second frame, wherein the hash function generator is capable of verifying an authentication code of the second frame based upon at least the receive key, a transmission timestamp, a destination address, and a source address of the second frame.
10. The node of claim 9, wherein the node is capable of dropping frames upon the hash function generator failing to verify an authentication code.
11. The node of claim 9, wherein the receive key is capable of being selected according to a destination process identifier of an association header as well as the source address of the second frame.
12. The node of claim 9, wherein the port is capable of rejecting frames that have a timestamp that is outside a window of time relative to previously received frames having identical source identifier fields.
13. The node of claim 12, wherein the port is capable of rejecting frames having identical transmit timestamps to previously received frames having identical source identifier fields.
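The following Python model, added here as an illustration and not code from the patent or its assignee, shows the mechanism the abstract and claims 1, 5, 7, 9, 10, 12 and 13 describe in one place: each node holds a key table indexed by peer address, the sender selects a transmit key by destination address and computes a keyed hash over the source address, destination address, transmit timestamp and payload, and the receiver selects its key by the frame's source identifier, re-computes the code, and drops the frame on mismatch. Zoning falls out of the key tables: a storage node that holds no key for a given compute node rejects that node's frames. The replay check interprets claim 12's "window of time" as "no older than the newest timestamp already accepted from that source, minus a fixed window" and claim 13 as "no timestamp already accepted from that source"; the window size, HMAC-SHA256 as the hash function, the address values, the keys and the payloads are all constructed assumptions for this example.

```python
import hmac
import hashlib
import struct
from dataclasses import dataclass
from typing import Dict, List

REPLAY_WINDOW = 5  # seconds; a constructed value, the claims do not fix the window size


@dataclass(frozen=True)
class Frame:
    src: int         # source port identifier (hypothetical 24-bit style address)
    dst: int         # destination port identifier
    timestamp: int   # transmit time field taken from the sender's clock
    payload: bytes
    mac: bytes = b""  # authentication code appended by the sender


def _authenticated_bytes(frame: Frame) -> bytes:
    # The portion of the frame covered by the hash: both addresses, the
    # timestamp and the payload, serialised in a fixed order.
    return struct.pack(">IIQ", frame.src, frame.dst, frame.timestamp) + frame.payload


def compute_mac(key: bytes, frame: Frame) -> bytes:
    # HMAC-SHA256 stands in for the patent's unspecified keyed hash function.
    return hmac.new(key, _authenticated_bytes(frame), hashlib.sha256).digest()


class Node:
    def __init__(self, address: int, key_table: Dict[int, bytes]):
        self.address = address
        self.key_table = dict(key_table)        # peer address -> shared key
        self._seen: Dict[int, List[int]] = {}   # source -> timestamps accepted inside the window

    def send(self, dst: int, payload: bytes, now: int) -> Frame:
        key = self.key_table[dst]               # transmit key is a function of the destination
        unsigned = Frame(self.address, dst, now, payload)
        return Frame(unsigned.src, unsigned.dst, unsigned.timestamp, unsigned.payload,
                     compute_mac(key, unsigned))

    def receive(self, frame: Frame) -> str:
        key = self.key_table.get(frame.src)     # receive key selected by the source identifier
        if key is None:
            return "dropped:no-key"             # source is outside this node's zone
        expected = compute_mac(key, Frame(frame.src, frame.dst, frame.timestamp, frame.payload))
        if not hmac.compare_digest(expected, frame.mac):
            return "dropped:bad-mac"            # spoofed source address or altered frame
        seen = self._seen.setdefault(frame.src, [])
        if seen:
            if frame.timestamp < max(seen) - REPLAY_WINDOW:
                return "dropped:stale"          # outside the window relative to earlier frames
            if frame.timestamp in seen:
                return "dropped:replay"         # identical timestamp from the same source
        seen.append(frame.timestamp)
        # Forget timestamps that have fallen out of the window for this source.
        self._seen[frame.src] = [t for t in seen if t >= max(seen) - REPLAY_WINDOW]
        return "accepted"


def demo() -> Dict[str, str]:
    # Constructed keys and addresses for two compute nodes (A, B) and one storage node (S).
    k_as = b"constructed-key-shared-by-A-and-S"
    k_bs = b"constructed-key-shared-by-B-and-S"
    host_a = Node(0x010100, {0x020100: k_as})
    host_b = Node(0x010200, {0x020100: k_bs})
    # S holds a key for A only, so B is outside S's zone even though it is interconnected.
    storage = Node(0x020100, {0x010100: k_as})

    results = {}
    f1 = host_a.send(0x020100, b"READ block 7", now=100)
    results["legit"] = storage.receive(f1)
    results["replay"] = storage.receive(f1)                 # same frame delivered twice
    f2 = host_a.send(0x020100, b"READ block 8", now=101)
    results["later"] = storage.receive(f2)
    results["stale"] = storage.receive(host_a.send(0x020100, b"READ block 1", now=50))
    results["outside-zone"] = storage.receive(host_b.send(0x020100, b"READ block 7", now=102))
    # A frame carrying A's source address but authenticated with B's key: S selects
    # A's key by source identifier, so the code fails to verify.
    body = Frame(0x010100, 0x020100, 103, b"WRITE block 7")
    results["spoofed-src"] = storage.receive(
        Frame(body.src, body.dst, body.timestamp, body.payload, compute_mac(k_bs, body)))
    # A genuine frame whose payload was altered in transit keeps its old code.
    results["tampered"] = storage.receive(Frame(f2.src, f2.dst, f2.timestamp, b"WRITE block 8", f2.mac))
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:13s} -> {outcome}")
```

Running `demo()` exercises each rejection path once: the legitimate frame and its successor are accepted, the duplicate and the out-of-window frame are dropped by the timestamp checks, the frame from the unzoned node fails key lookup, and both the wrong-key frame and the altered frame fail verification. Only the keyed hash and the key tables carry the security; in a real port the timestamp state would need to survive per source for at least the window length, and the clocks of the nodes would need to agree to within that window.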