ISCSI should be inexpensive to implement. The cost-savings will come about in several ways: Common technologies between your general data and SAN networks will reduce training and personnel-acquisition costs, and the large installed base of Ethernet should drive price-performance costs down. The real selling point is being able to leverage existing, easily understood TCP/IP infrastructure to build out SAN networks. With the advances in QoS (Quality of Service) and security, the opportunity to share storage with the existing infrastructure represents a significant cost-savings in hardware, training and implementation. With Gigabit Ethernet over copper, you can have a 1-Gbps storage network without changing your existing infrastructure.

ISCSI elicits fear in some who believe it will destroy the general data network. And that's a realistic concern if your storage traffic is heavy and you haven't bothered to separate your storage traffic from your general data traffic. In some situations, such as with small departmental servers, sharing your storage-traffic pipes with those of your general data traffic may be fine. In most cases, however, isolating that kind of IP traffic to its own pipe is better. Storage networks are a natural extension of IP networks. Therefore, IP-based storage networks are inevitable and will come at the expense of other technologies, such as Fibre Channel.

Fibre Channel Losing Ground

Fibre Channel has a new 2-Gb standard, which is faster than anything Ethernet can offer. But once 10 Gigabit Ethernet becomes ubiquitous, iSCSI will emerge as the dominant standard for storage networks.

Fibre Channel vendors need to have 10 Gigabit Fibre Channel hardware on the market within two financial quarters of 10 Gigabit Ethernet's appearance to begin to compete. But even if they succeed, it will be an uphill battle. Fibre Channel has a tiny installed base and very few people understand it. Plus, it's expensive. While Fibre Channel will provide slightly better performance at equivalent speeds, that won't make up for the price and training premium you'll need to implement it. In the near term, until Ethernet speeds exceed those of Fibre Channel, Fibre Channel will remain the dominant SAN technology. But it's only a matter of time before iSCSI takes the lead.

ISCSI on the Way

ISCSI is a multivendor-backed protocol that will allow the encapsulation of standard SCSI commands on an IP network. The final standard is expected to be approved by year's end. All the initial iSCSI implementations will be on Gigabit Ethernet but will migrate to 10 Gigabit Ethernet when that technology emerges.

We are encouraged that iSCSI vendors have been emphasizing interdevice compatibility. This is especially reassuring considering the cross-device compatibility problems Fibre Channel has had. Compatibility for iSCSI is an attainable goal. The SNIA (Storage Networking Industry Association), the UNH IOL (University of New Hampshire Interoperability Labs) and other groups are actively sponsoring iSCSI compatibility by providing testing facilities and bringing companies together. In addition to these efforts, companies in the Ethernet, IP and SCSI spaces have been sharing information to further compatibility.

In most iSCSI implementations, you will bridge a Fibre Channel SAN, or multiple Fibre Channel SANs, to your IP network with devices like Cisco Systems' SN 5420 Storage Router, thereby interconnecting disparate SAN islands. Separate storage networks, even in different buildings, can be joined with the iSCSI on your existing network. The techniques for mirroring all your data and backing up your remote data are easier with iSCSI, because it is IP-based.

How ISCSI Works

A system with a SCSI card initiates a SCSI command. The command is encapsulated into a Layer 4 packet and sent out. The receiving machine extracts the SCSI command from the packet and executes it. The receiving unit then encapsulates returning SCSI commands and data into IP packets and sends them back to the first machine. This system extracts the data or commands and passes them back to the SCSI subsystem. All is done without user intervention and is completely transparent to the end user.

Much of the specification for iSCSI is structured the way it is because of the need to comply with standard SCSI practices to maintain compatibility and avoid breaking SCSI. It is also designed from the ground up for IPv4 or IPv6.

As you assess iSCSI's potential for your site, remember that the terminology used is defined from the point of the originating request, called the initiator. The subject of the request is the target. So an outgoing request goes from the initiator to the target, and an inbound request goes from the target to the initiator. Single or multiple TCP sessions are used to carry data, control messages, SCSI commands and parameters all within iSCSI PDUs (Protocol Data Units).

To maintain security, iSCSI has its own logon sequence. As their first operations, initiator devices log into target devices. Any target device that receives an iSCSI PDU from an initiator that has not performed the login process will generate a protocol error, and the target device will close the connection. Before closing the session, though, the target device may send back a reject iSCSI PDU. This is very basic security, as it protects only the initiation of communications and doesn't offer security on an every-packet basis.

But there are other ways to provide security for iSCSI, including use of IPsec (see "The IETF on iSCSI," for links to the IPsec and other Internet drafts regarding iSCSI). On both control and data packets, IPsec will provide for integrity, replay protection and authentication. It also will provide encryption for individual packets.

In comparison, Fibre Channel is not that secure, but getting a connection into a Fibre Channel fabric requires physical access and thorough knowledge of Fibre Channel. The backbone of Fibre Channel security, of course, is the lack of connectivity to any other network. But Fibre Channel has no encryption and almost no protocol-level security.

As just about everyone knows, IP networks are easy to attack. They have connectivity to the outside and a well-known protocol. But the enemy you know is easier to defeat than one with whom you're unfamiliar. Systems administrators have plenty of tools and experience in securing an IP network. This, coupled with the likelihood that most iSCSI SANs will be separate networks with no public access, means maintaining security is feasible.

ISCSI Products

One clear sign that iSCSI has a good chance of succeeding is that products supporting the standard are already being sold. ISCSI host adapters are among the first products. These devices off-load the entire TCP/IP stack, and the iSCSI processes, to specialized hardware. This all but eliminates the burden of the iSCSI process from the main processor on the server.

The iSCSI process takes quite a few CPU cycles, and the specialized hardware of the iSCSI host adapter takes all the work onto its own specialized hardware for very fast turnaround. Adaptec, Emulex and other vendors have already come out with iSCSI host-bus adapters.

With changes still being made to the iSCSI specification, these cards can be upgraded as the standard changes. A slew of products will be released once iSCSI becomes a formal specification. Keep your eye on the IP storage space and particularly iSCSI. Storage over IP is the wave of the future, and we expect iSCSI to be riding the crest.