iSCSI name forwarding technique

US 8,181,011 B1
Filed: 08/23/2006
Issued: 05/15/2012
Est. Priority Date: 08/23/2006
Status: Active Grant

First Claim

Patent Images

1. A method for allowing a security appliance, having a processor and a memory, to assume Internet Small Computer System Interface (iSCSI) names of one or more clients and one or more storage systems in a network, the method comprising:

intercepting a first discovery request issued by a client at the security appliance configured to perform at least one of encrypting and decrypting data transmitted between the one or more clients and the one or more storage systems, the first discovery request destined to the storage system and configured to request iSCSI target names exported by the system to the client;

extracting, by the security appliance, an iSCSI initiator name of the client from the first discovery request;

storing, at the security appliance, the iSCSI initiator name, extracted from the first discovery request, in an iSCSI name mapping table of the security appliance;

querying the storage system with a second discovery request issued by the security appliance to retrieve the iSCSI target names exported to the client;

populating the iSCSI name mapping table with the exported iSCSI target names at the security appliance; and

forwarding the exported iSCSI target names from the security appliance to the client, thereby presenting the security appliance as storage accessible by the client.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An iSCSI name forwarding technique allows a security appliance to assume iSCSI names of one or more clients and one or more storage systems in a network. The security appliance is coupled between each client and storage system, and is configured to intercept a data access request issued by the client that is destined for the storage system. Each iSCSI name of the storage system is an iSCSI target name associated with secure storage, i.e., a cryptainer, served by the storage system, whereas the iSCSI name of the client is an iSCSI initiator name of the network entity, i.e., the client, which initiates the data access request to access data stored on the cryptainer.

Citations

20 Claims

1. A method for allowing a security appliance, having a processor and a memory, to assume Internet Small Computer System Interface (iSCSI) names of one or more clients and one or more storage systems in a network, the method comprising:
- intercepting a first discovery request issued by a client at the security appliance configured to perform at least one of encrypting and decrypting data transmitted between the one or more clients and the one or more storage systems, the first discovery request destined to the storage system and configured to request iSCSI target names exported by the system to the client;
  
  extracting, by the security appliance, an iSCSI initiator name of the client from the first discovery request;
  
  storing, at the security appliance, the iSCSI initiator name, extracted from the first discovery request, in an iSCSI name mapping table of the security appliance;
  
  querying the storage system with a second discovery request issued by the security appliance to retrieve the iSCSI target names exported to the client;
  
  populating the iSCSI name mapping table with the exported iSCSI target names at the security appliance; and
  
  forwarding the exported iSCSI target names from the security appliance to the client, thereby presenting the security appliance as storage accessible by the client.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1 wherein the each iSCSI target name is associated with secure storage served by the storage system and wherein the iSCSI initiator name is associated with the client.
  - 3. The method of claim 2 wherein the secure storage is a cryptainer.
  - 4. The method of claim 3 further comprising:
    - selecting an exported iSCSI target name at the client;
      
      generating an initial login request directed to the selected exported iSCSI target name, the initial login request enabling access to a cryptainer associated with the selected exported iSCSI target name; and
      
      intercepting the initial login request at the security appliance.
  - 5. The method of claim 4 further comprising:
    - using the selected exported iSCSI target name to enable the security appliance to log into the storage system on behalf of the client and access the cryptainer associated with the iSCSI target name.
  - 6. The method of claim 5 wherein using comprises using the iSCSI initiator and target names to identify the client and the cryptainer served by the storage system.

7. A security appliance configured to assume Internet Small Computer System Interface (iSCSI) names of one or more clients and one or more storage systems in a network, the security appliance comprising:
- one or more network adapters configured to couple the security appliance to each client and storage system, where the security appliance is configured to perform at least one of encrypting data and decrypting data transmitted between the one or more clients and the one or more storage systems;
  
  a processor coupled to each network adapter and configured to execute software processes and modules; and
  
  a memory configured to store an iSCSI module configured to acquire the iSCSI names of a client and a storage system through interception of a first discovery request issued by the client and issuance of a second discovery request by the security appliance to the storage system, and a box manager process configured to create an iSCSI name mapping table for storing the acquired iSCSI names, the iSCSI module further configured to utilize the acquired iSCSI names to access storage served by the storage system on behalf of the client.
- View Dependent Claims (8)
- - 8. The security appliance of claim 7 wherein the iSCSI module is further configured to assemble the acquired iSCSI names into a format for use by the box manager process when creating the iSCSI name mapping table.

9. An apparatus configured to allow a security appliance, having a processor and a memory, to assume Internet Small Computer System Interface (iSCSI) names of one or more clients and one or more storage systems in a network, the apparatus comprising:
- means for extracting, by the security appliance, an iSCSI initiator name from a client issued first discovery request intercepted by the security appliance, wherein the security appliance is configured to perform at least one of encrypting data and decrypting data transmitted between the one or more clients and the one or more storage system;
  
  means for storing the extracted iSCSI initiator name in an iSCSI name mapping table of the security appliance;
  
  means for querying the storage system with a second discovery request issued by the security appliance to retrieve the iSCSI target names exported to the client and for populating the iSCSI name mapping table with the exported iSCSI target names at the security appliance; and
  
  means for forwarding the exported iSCSI target names from the security appliance to the client, thereby presenting the security appliance as storage accessible by the client.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The apparatus of claim 9 wherein the each iSCSI target name is associated with secure storage served by the storage system and wherein the iSCSI initiator name is associated with the client.
  - 11. The apparatus of claim 10 wherein the secure storage is a cryptainer.
  - 12. The apparatus of claim 11 further comprising:
    - means for selecting an exported iSCSI target name at the client;
      
      means for generating an initial login request directed to the selected exported iSCSI target name, the initial login request enabling access to a cryptainer associated with the selected exported iSCSI target name; and
      
      means for intercepting the initial login request at the security appliance.
  - 13. The apparatus of claim 12 further comprising:
    - means for using the selected exported iSCSI target name to enable the security appliance to log into the storage system on behalf of the client and access the cryptainer associated with the iSCSI target name.
  - 14. The apparatus of claim 13 wherein the means for using comprises means for using the iSCSI initiator and target names to identify the client and the cryptainer served by the storage system.

15. A non-transitory computer readable medium containing executable program instructions executed by a processor, comprising:
- program instructions that intercept a first discovery request issued by a client at a security appliance, the first discovery request destined to a storage system and configured to request Internet Small Computer System Interface (iSCSI) target names exported by the storage system to the client, wherein the security appliance is configured to perform at least one of encrypting data and decrypting data transmitted between the client and the storage system;
  
  program instructions that extract by the security appliance and store at the security appliance an iSCSI initiator name of the client from the request;
  
  program instructions that query the storage system with a second discovery request issued by the security appliance to retrieve the iSCSI target names exported to the client; and
  
  program instructions that forward the exported iSCSI target names from the security appliance to the client, thereby presenting the security appliance as storage accessible by the client.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The non-transitory computer readable medium of claim 15 wherein each iSCSI target name is associated with secure storage served by the storage system and wherein the iSCSI initiator name is associated with the client.
  - 17. The non-transitory computer readable medium of claim 16 wherein the secure storage is a cryptainer.
  - 18. The non-transitory computer readable medium of claim 17 further comprising:
    - program instructions that intercept an initial login request at the security appliance, the initial login request generated by the client and directed to an iSCSI target name selected by the client, the initial login request enabling access to the cryptainer associated with the selected iSCSI target name.
  - 19. The non-transitory computer readable medium of claim 18 further comprising:
    - program instructions that use the selected iSCSI target name to enable the security appliance to log into the storage system on behalf of the client and access the cryptainer associated with the iSCSI target name.
  - 20. The non-transitory computer readable medium of claim 19 wherein the program instructions that use the selected iSCSI target name to enable the security appliance to log into the storage systems comprise program instructions that use the iSCSI initiator and target names to identify the client and cryptainer served by the storage system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NetApp, Inc.
Original Assignee
NetApp, Inc.
Inventors
Chang, Ian
Primary Examiner(s)
Arani, Taghi
Assistant Examiner(s)
Jeudy, Josnel

Application Number

US11/508,432
Time in Patent Office

2,092 Days
Field of Search

713/193, 713150-154, 726 2- 3, 726 11- 15, 726 27- 30, 711/3, 711/203, 711/145
US Class Current

713/152
CPC Class Codes

H04L 63/0471 applying encryption by an i...

H04L 67/1097 for distributed storage of ...

iSCSI name forwarding technique

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

iSCSI name forwarding technique

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links