System and method for access control on a storage router

US 7,353,260 B1
Filed: 06/13/2003
Issued: 04/01/2008
Est. Priority Date: 06/13/2003
Status: Active Grant

First Claim

Patent Images

1. A method for controlling access to a target on a storage area network, the method comprising:

providing an access control list to an iSCSI router of a storage router, the access control list having a set of one or more entries, each entry having an access control type and an access control value;

receiving a request to access the target from an initiator;

receiving a set of one or more initiator authentication values, each of said initiator authentication values having an initiator authentication type;

for each of the initiator authentication types, searching the access control list for a matching authentication control type; and

if a matching control type exists in the access control list for an authentication type, then if the authentication value does not match the access control value for the access control denying access to the target.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods control access to an iSCSI target on a storage area network. The systems and methods include an access control list having a set of one or more entries. Each entry may have an access control type and an access control value. Requests may be received from an initiator on a host connected to the system through a network interface. The request may include a set of one or more initiator authentication values, each of the initiator authentication values having an initiator authentication type. The access control list may be searched for an entry matching the authentication type and value. If such an entry is not found, access to the target may be denied.

Citations

34 Claims

1. A method for controlling access to a target on a storage area network, the method comprising:
- providing an access control list to an iSCSI router of a storage router, the access control list having a set of one or more entries, each entry having an access control type and an access control value;
  
  receiving a request to access the target from an initiator;
  
  receiving a set of one or more initiator authentication values, each of said initiator authentication values having an initiator authentication type;
  
  for each of the initiator authentication types, searching the access control list for a matching authentication control type; and
  
  if a matching control type exists in the access control list for an authentication type, then if the authentication value does not match the access control value for the access control denying access to the target.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the access control list type comprises an Internet Protocol type and the access control value defines one or more Internet Protocol addresses.
  - 3. The method of claim 2, wherein the one or more Internet Protocol addresses are expressed as a bitmask defining a range of Internet Protocol addresses.
  - 4. The method of claim 1, wherein the access control type comprises an iSCSI type and the access control value comprises an iSCSI name.
  - 5. The method of claim 1, wherein the access control type comprises a CHAP type and the access control value comprises a CHAP name.
  - 6. The method of claim 1, wherein the access control value comprises a pattern, and wherein the initiator value matches the access control value if there is a match to the pattern.
  - 7. The method of claim 1, wherein the access control value comprises a string matching syntax, and wherein the initiator value matches the access control value if the initiator value matches the string matching syntax.
  - 8. The method of claim 7, wherein the string matching syntax comprises a regular expression syntax.

9. A system for controlling access to an iSCSI target, the system comprising:
- a storage router having a processor, a memory and at least one network interface;
  
  a SCSI router component executing on the processor and the memory and operable to receive a request to access a target from an initiator through the network interface; and
  
  an access control list accessible to the SCSI router, said access control list having a set of one or more entries, each entry having an access control type and an access control value;
  
  wherein the SCSI router is operable to perform the tasks of;
  
  receive a set of one or more initiator authentication values, each of said initiator authentication values having an initiator authentication type;
  
  for each of the initiator authentication types, search the access control list for a matching authentication control type; and
  
  if a matching control type exists in the access control list for an authentication type, then if the authentication value does not match the access control value for the access control denying access to the target.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 10. The system of claim 9, wherein the access control list is a linked list.
  - 11. The system of claim 9, wherein the access control list is associated with a single target.
  - 12. The system of claim 9, wherein the access control list type comprises an Internet Protocol type and the access control value defines one or more Internet Protocol addresses.
  - 13. The system of claim 12, wherein the one or more Internet Protocol addresses are expressed as a bitmask defining a range of Internet Protocol addresses.
  - 14. The system of claim 9, wherein the access control type comprises an iSCSI type and the access control value comprises an iSCSI name.
  - 15. The system of claim 9, wherein the access control type comprises a CHAP type and the access control value comprises a CHAP name.
  - 16. The system of claim 9, wherein the access control value comprises a pattern, and wherein the initiator value matches the access control value if there is a match to the pattern.
  - 17. The system of claim 9, wherein the access control value comprises a string matching syntax, and wherein the initiator value matches the access control value if the initiator value matches the string matching syntax.
  - 18. The system of claim 9, wherein the string matching syntax comprises a regular expression syntax.

19. A computer-readable medium having computer-executable instructions for performing a method for controlling access to a target on a storage area network, the method comprising:
- providing an access control list to an iSCSI router component of a storage router, the access control list having a set of one or more entries, each entry having an access control type and an access control value;
  
  receiving a request to access the target from an initiator;
  
  receiving a set of one or more initiator authentication values, each of said initiator authentication values having an initiator authentication type;
  
  for each of the initiator authentication types, searching the access control list for a matching authentication control type; and
  
  if a matching control type exists in the access control list for an authentication type, then if the authentication value does not match the access control value for the access control denying access to the target.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26)
- - 20. The computer-readable medium of claim 19, wherein the access control list type comprises an Internet Protocol type and the access control value defines one or more Internet Protocol addresses.
  - 21. The computer-readable medium of claim 19, wherein the one or more Internet Protocol addresses are expressed as a bitmask defining a range of Internet Protocol addresses.
  - 22. The computer-readable medium of claim 19, wherein the access control type comprises an iSCSI type and the access control value comprising an iSCSI name.
  - 23. The computer-readable medium of claim 19, wherein the access control type comprises a CHAP type and the access control value comprises a CHAP name.
  - 24. The computer-readable medium of claim 19, wherein the access control value comprises a pattern, and wherein the initiator value matches the access control value if there is a match to the pattern.
  - 25. The computer-readable medium of claim 19, wherein the access control value comprises a string matching syntax, and wherein the initiator value matches the access control value if the initiator value matches the string matching syntax.
  - 26. The computer-readable medium of claim 19, wherein the string matching syntax comprises a regular expression syntax.

27. A system for controlling access to an iSCSI target, the system comprising:
- means for providing an access control list to an iSCSI router of a storage router, the access control list having a set of one or more entries, each entry having an access control type and an access control value;
  
  means for receiving a request to access the iSCSI target from an initiator;
  
  means for receiving a set of one or more initiator authentication values, each of said initiator authentication values having an initiator authentication type; and
  
  means for searching the access control list, for a matching authentication control type;
  
  wherein if a matching control type exists in the access control list for an authentication type, then if the authentication value does not match the access control value for the access control denying access to the target.
- View Dependent Claims (28, 29, 30, 31, 32, 33, 34)
- - 28. The system of claim 27, wherein the access control list type comprises an Internet Protocol type and the access control value defines one or more Internet Protocol addresses.
  - 29. The system of claim 28, wherein the one or more Internet Protocol addresses are expressed as a bitmask defining a range of Internet Protocol addresses.
  - 30. The system of claim 27, wherein the access control type comprises an iSCSI type and the access control value comprises an iSCSI name.
  - 31. The system of claim 27, wherein the access control type comprises a CHAP type and the access control value comprises a CHAP name.
  - 32. The system of claim 27, wherein the access control value comprises a pattern, and wherein the initiator value matches the access control value if there is a match to the pattern.
  - 33. The system of claim 27, wherein the access control value comprises a string matching syntax, and wherein the initiator value matches the access control value if the initiator value matches the string matching syntax.
  - 34. The system of claim 27, wherein the string matching syntax comprises a regular expression syntax.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Senum, Steven John
Primary Examiner(s)
Vaughn; William
Assistant Examiner(s)
Shingles; Kristie D.

Application Number

US10/461,306
Time in Patent Office

1,754 Days
Field of Search

709/217, 709/223, 709/229
US Class Current

709/217
CPC Class Codes

H04L 41/0213   Standardised network manage...

H04L 41/046   comprising network manageme...

H04L 41/22   comprising specially adapte...

H04L 63/08   for authentication of entit...

H04L 63/101   Access control lists [ACL]

H04L 67/1097   for distributed storage of ...

System and method for access control on a storage router

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

34 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for access control on a storage router

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

34 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links