Creating virtual private connections between end points across a SAN

US 6,845,387 B1
Filed: 04/07/2000
Issued: 01/18/2005
Est. Priority Date: 04/07/2000
Status: Expired due to Term

First Claim

Patent Images

1. A method for creating virtual private connections between end points in a shared storage area network (SAN), the method comprising:

providing a virtual connection architecture for a host initiator operatively connected thereto, the virtual connection architecture having a virtual connection manager and a virtual connection cache, the virtual connection cache having a list of existing and previously established virtual connections, wherein an existing virtual connection is indicated between a specific host initiator and a specific target storage device, or a specific logical portion thereof, to provide a one-to-one relationship between a host initiator and a target storage device, or a logical portion thereof, for each virtual connection in the virtual connection cache, the host initiator generating and transmitting I/O commands to the virtual connection manager of the virtual connection architecture;

determining from the virtual connection cache whether a previously established virtual connection exists between the source and destination; and

when the previously established virtual connection does not exist in the virtual connection cache, then comparing, by the virtual connection manager, source and destination information from the I/O commands to a predetermined list of allowable connections; and

when the source and destination information matches the predetermined list of allowable connections, creating a data connection between the host initiator and the storage device, or a logical portion thereof, operatively connected to the virtual connection architecture, thereby establishing a virtual private SAN;

but when the virtual connection exists, using a virtual private SAN indicated by the previously established virtual connection in the virtual connection cache without again determining whether the data connection between the host initiator and the storage device indicated by the destination information is allowable.

View all claims

19 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

There is disclosed a method and architecture for establishing independent, secure, trusted sub-networks within a storage area network (SAN). These virtual private SANs allow secure, managed interconnections between an initiator host and a target storage device or a logical unit number (LUN) indicating a sub-portion of a target storage device. A table of allowable configurations along with a connections database are used to ensure proper, allowable data connections.

70 Citations

View as Search Results

26 Claims

1. A method for creating virtual private connections between end points in a shared storage area network (SAN), the method comprising:
- providing a virtual connection architecture for a host initiator operatively connected thereto, the virtual connection architecture having a virtual connection manager and a virtual connection cache, the virtual connection cache having a list of existing and previously established virtual connections, wherein an existing virtual connection is indicated between a specific host initiator and a specific target storage device, or a specific logical portion thereof, to provide a one-to-one relationship between a host initiator and a target storage device, or a logical portion thereof, for each virtual connection in the virtual connection cache, the host initiator generating and transmitting I/O commands to the virtual connection manager of the virtual connection architecture;
  
  determining from the virtual connection cache whether a previously established virtual connection exists between the source and destination; and
  
  when the previously established virtual connection does not exist in the virtual connection cache, then comparing, by the virtual connection manager, source and destination information from the I/O commands to a predetermined list of allowable connections; and
  
  when the source and destination information matches the predetermined list of allowable connections, creating a data connection between the host initiator and the storage device, or a logical portion thereof, operatively connected to the virtual connection architecture, thereby establishing a virtual private SAN;
  
  but when the virtual connection exists, using a virtual private SAN indicated by the previously established virtual connection in the virtual connection cache without again determining whether the data connection between the host initiator and the storage device indicated by the destination information is allowable.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 2. The method for creating virtual private connections between end points in a shared SAN as recited in claim 1, wherein multiple virtual private SANs function independently and substantially simultaneously within the shared SAN.
  - 3. The method for creating virtual private connections between end points in a shared SAN as recited in claim 2, wherein multiple host initiators share a common physical data channel.
  - 4. The method for creating virtual private connections between end points in a shared SAN as recited in claim 3, wherein the multiple host initiators are provided a protected end-to-end data path.
  - 5. The method for creating virtual private connections between end points in a shared SAN as recited in claim 2, wherein the multiple, virtual private SANs support at least one SAN connectivity product from the group:
    - hubs, switches, gateways and routers.
  - 6. The method for creating virtual private connections between end points in a shared SAN as recited in claim 2, wherein the comparing comprises determining a level of access permission for said host initiator.
  - 7. The method for creating virtual private connections between end points in a shared SAN as recited in claim 6 further comprising storing information representative of at least one of the allowable connections.
  - 8. The method for creating virtual private connections between end points in a shared SAN as recited in claim 7, wherein the storing comprises storing the information in a virtual connection cache.
  - 9. The method for creating virtual private connections between end points in a shared SAN as recited in claim 8 further comprising using the information stored in the virtual connection cache to validate subsequent requests for access from the host initiator.
  - 10. The method for creating virtual private connections between end points in a shared SAN as recited in claim 2, wherein the multiple virtual private SANs are operable within an existing SAN without need for additional software, middleware, drivers, or modifications to an existing operating system.
  - 11. The method for creating virtual private connections between end points in a shared SAN as recited in claim 2, wherein the virtual private connections are fully secured independently of the security of each individual host.
  - 12. The method for creating virtual private connections between end points in a shared SAN as recited in claim 2, wherein the multiple virtual private SANs operate independently of attached storage devices.
  - 13. The method for creating virtual private connections between end points in a shared SAN as recited in claim 12, wherein the attached storage devices comprise any mixture of legacy or new technology storage devices.
  - 14. The method for creating virtual private connections between end points in a shared SAN as recited in claim 2, wherein the multiple virtual private SANs operate independently of connection interfaces and provide support for at least one from the group of interfaces:
    - Fibre Channel, SCSI, other SAN interfaces.
  - 15. The method for creating virtual private connections between end points in a shared SAN as recited in claim 2, wherein the host initiator comprises a host initiator interface for providing a connection to the virtual connection architecture.
  - 16. The method for creating virtual private connections between end points in a shared SAN as recited in claim 6 further comprising providing a registration engine for receiving a registration command from the host initiator.
  - 17. The method for creating virtual private connections between end points in a shared SAN as recited in claim 16, wherein the registration command comprises at least one of the commands from the group:
    - full registration, periodic registration, and de-registration commands.
  - 18. The method for creating virtual private connections between end points in a shared SAN as recited in claim 17, wherein the registration engine comprises a host registration service operating on the host initiator.
  - 19. The method for creating virtual private connections between end points in a shared SAN as recited in claim 17, wherein the registration command comprises host and initiator specific information for facilitating automatic identification and configuration of the host and interface.
  - 20. The method for creating virtual private connections between end points in a shared SAN as recited in claim 16 further comprising periodically monitoring a health status of the host initiator.
  - 21. The method for creating virtual private connections between end points in a shared SAN as recited in claim 20 further comprising the issuance of a periodic registration command.
  - 22. The method for creating virtual private connections between end points in a shared SAN as recited in claim 8 further comprising automatically capturing an existing SAN configuration and using the captured configuration information to automatically establish persistent access controls.

23. An apparatus for creating virtual private connections between end points in a shared storage area network comprising:
- means for establishing a virtual connection between a source and a destination, wherein the means for establishing the virtual connection includes a virtual connection manager and a virtual connection cache, the virtual connection cache having a list of existing and previously established virtual connections, wherein an existing virtual connection is indicated between a specific host initiator and a specific target storage device, or a specific logical portion thereof, to provide a one-to-one relationship between a host initiator and a target storage device, or a logical portion thereof, for each virtual connection in the virtual connection cache;
  
  means for receiving I/O commands containing source and destination information;
  
  means for determining whether a previously established connection exists;
  
  means for using a previously established connection when it exists without determining whether the previously established connection is allowable;
  
  means for comparing the source and destination information in the I/O commands to a predetermined list of allowable data connections when a previously established connection does not exist;
  
  means for creating a virtual private storage area network connection between the source and destination when the data connection is allowable but does not exist; and
  
  means for using the virtual private storage area network.
- View Dependent Claims (24, 25)
- - 24. The apparatus of claim 23 wherein when a virtual private storage area network connection is created, storing an indication of the connection in the virtual connection cache.
  - 25. The apparatus of claim 23 wherein the means for creating a virtual private storage area network connection includes means for determining whether the data connection exists by reading an indication from the virtual connection cache.

26. A method for creating virtual private connections between end points in a shared storage area network (SAN), the method comprising:
- providing a virtual connection architecture for a host initiator operatively connected thereto, the virtual connection architecture having a virtual connection manager and a virtual connection cache, the host initiator generating and transmitting I/O commands to the virtual connection manager of the virtual connection architecture;
  
  the virtual connection cache having a list of existing and previously established virtual connections, wherein an existing virtual connection between a specific host initiator and a specific target storage device or a specific logical portion thereof provides a one-to-one relationship between the host initiator and the target storage device or the logical portion thereof, thereby allowing the virtual connection manager to execute a received I/O command immediately without further qualification using the virtual private connection indicated by the previously established virtual connection in the virtual connection cache; and
  
  in the absence of a previously established virtual connection in the virtual connection cache;
  
  comparing, by the virtual connection manager, source and destination information from the I/O commands to a predetermined list of allowable connections; and
  
  when the source and destination information matches the predetermined list of allowable connections;
  
  creating a virtual connection in the virtual connection cache between the host initiator and a storage device, or a logical portion thereof, operatively connected to the virtual connection architecture, thereby establishing a virtual private SAN; and
  
  the virtual connection now existing, using the virtual private SAN indicated by the established virtual connection.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Quantum Corporation (Chi Ko Investment Co., Ltd.)
Original Assignee
Advanced Digital Information Corporation (Chi Ko Investment Co., Ltd.)
Inventors
DeWilde, Mark A., Khezri, Said Rahmani, Goldner, Jeffrey S., Kelleher, Terence M., Prestas, Gregory
Primary Examiner(s)
Vu, Huy D.
Assistant Examiner(s)
Volper, Thomas E.

Application Number

US09/545,436
Time in Patent Office

1,747 Days
Field of Search

370/360, 370/362, 370/363, 370/381, 370/382, 370/383, 370/395.53, 370/465, 370/466, 709/201, 709/203, 709/212, 709/213, 709/215, 709/216, 709/217, 709/219, 709/223, 709/225, 713/155, 713/168, 713/170, 713/200, 713/201, 713/202, 711/100, 711/111, 711/112, 711/113, 711/114, 711/147, 711/149, 711/150, 711/152, 711/153
US Class Current

709/203
CPC Class Codes

H04L 63/0272   Virtual private networks

H04L 67/1097   for distributed storage of ...

H04L 67/14   Session management for real...

H04L 69/329   in the application layer [O...

H04L 9/40   Network security protocols

Creating virtual private connections between end points across a SAN

First Claim

19 Assignments

0 Petitions

Accused Products

Abstract

70 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Creating virtual private connections between end points across a SAN

First Claim

19 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

70 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links