LSI India Conference Tutorial 2011

SAS (Serial Attached SCSI) Zoning

Abstract Serial Attached SCSI (SAS) is gaining popularity in small storage area network (SAN) server environments. With its rise in popularity comes the need to segregate and manage device traffic in a similar fashion to what is already done in larger Fibre Channel networks by using zones or in Ethernet using virtual LANs. By doing this, IT administrators can create much more flexible, scalable, and efficient server networks that meet their business needs.SAS Zoning provides this capability. I. BENEFITS OF SAS ZONING What are the benefits for access control and what makes SAS zoning attractive? To answer these questions, envision a SAS expander topology as shown in Figure 1.

Figure 1: SAS Access Control Features Access control provides traffic segregation for data, functions and broadcast traffic. It logically separates traffic between hosts and resources and provides common access privileges to all end devices. There are many ways to segregate traffic. Figure 1 shows how traffic can be segregated between internal and external zones. Access control provides flexible re-deployment of resources. For example, if one hard disk drive (HDD) is assigned to a server in a group, but more capacity is required for that server, it is easy to add another disk to the group. Access control provides controlled sharing of resources and imposes access restrictions / limitations. Users can limit the resources that each host sees by configuring different policies for each SAS zone. By assigning SAS PHYs into groups and applying access control policies to restrict these groups, the system designer can ensure that only authorized users can access certain parts of the system. By grouping end devices, system designers can also save on the amount of resources required for an expander implementation. Zoning allows users to limit access to the SMP control plane such that only the authenticated management devices can issue SMP control commands.

LSI India Conference Tutorial 2011

Access control limits the impact of topology change. A SAS network uses a mechanism called topology discovery to determine which devices are part of the topology. Each time a new device is added, removed, or lost, a broadcast event is generated to notify all the expanders and host devices that re-discovery must be performed to determine which device has changed. This is a time consuming process and requires both the hosts and expanders resources as well as increases SMP traffic. It makes sense, herefore, to limit the impact of topology changes so that when a device is added or removed, only its host device has privileges to see the topology change Finally, access control also provides protection against attacks by limiting the propagation of Broadcast traffic. Broadcast events are very disruptive and consume a great amount of link bandwidth when being sent frequently, also known as a broadcast storm. If broadcast storms are not limited, any misbehaving device in the topology can disrupt the operation of the entire network. It becomes difficult to support larger networks if broadcast storms are not controlled. II.TERMINOLOGIES AND DEFINITIONS A. Zoning Zoning is a weapon to compartmentalize a SAS topology with predefined intensions of access control. Expanders are the only elements in a SAS Topology that understand zoning. SAS zoning is implemented by a set of zoning expander devices with zoning enabled that define a zoned portion of a service delivery subsystem (ZPSDS). The zoning expander devices control whether a PHY is permitted to participate in a connection to another PHY. Zoning allows SAS end devices to be partitioned so that access is only allowed from a dedicated initiator or set of initiators. PHY(s) within the expander are assigned a zone group number and a zone group permission table determines which zone group numbers are allowed to access one another. Configuration of zoning is performed by a Zone Manager (SMP initiator) issuing zoning SMP (Serial Management Protocol) requests to the expanders SMP target.

B. ZPSDS Zoned Portion of Service Delivery Subsystem (ZPSDS). A ZPSDS is constituted by a set of inter-connected zoning expanders. One Zone Manager is responsible for configuration of one ZPSDS. The zone groups assigned in one ZPSDS have no relationship to the zone groups assigned in another ZPSDS. The zone manager shall assign each zoning expander PHY on the boundary of the ZPSDS (i.e., with the INSIDE ZPSDS bit set to zero) to a zone group. All phys in the SAS domain beyond that boundary zoning expander PHY are considered to be in the same zone group as that zoning expander PHY.

An example of ZPSDS based partitioning of SAS topology is shown is figure 2 below.

LSI India Conference Tutorial 2011

Figure 2: Three different ZPSDS in a SAS topology

C. Zone Manager A Zone Manager is a knowledgeable entity responsible for zoning configuration of a ZPSDS. Zone Manager is solely responsible for deciding zoning policies of a ZPSDS. A Zone Manager can be an Inband or an out-of-band/sideband (e.g. Ethernet or ISTWI) application. Inband Zoning Manager will have access to an end device (HBA) with a SAS port whose zone group has access to zone group 2 (A special zone group). The SAS address reported for a sideband zone manager is 00000000 00000000h. The zone manager assigns zone groups to all zoning expander phys inside the ZPSDS.

An example of Inband and out-of-band Zone Manager is shown is figure 3 below:

LSI India Conference Tutorial 2011

Figure 3: Inband vs. Out-Of-Band Zone Manager

Inband Zone Manager

D. Zone Manager Authentication

Out-Of-Band Zone Manager

There are several vendor specific authentication techniques for a Zone Manager and the SAS standard defines Zone Manager Password for authentication. Physical presence detection mechanism can be as good as a key inserted into a special authenticating port. A Zone Manager Password must present a valid password in order to get management access rights. Out-Of-Band Zone Managers are not required to present password. Out-Of-Band Zone Manager always have access and can alter Zone Manager Password. Authentication is required for Inband Zone Managers.

E. Zone Group A zone group is a qualifier configured on a phy of a zoning expander that determines the accessibility of the device attached to that PHY. There are 128 or 256 zone groups numbered 0 through 127 or 0 through 255. All phys in a wide port shall be assigned to the same zone group. The zone manager shall assign each zoning expander PHY attached to another zoning expander PHY inside a ZPSDS to zone group 1. A requested connection shall only be established if the zone permission table indicates that access between the zone group of the source port and the zone group of the destination port is allowed. The zoning expander route table is an extended version of the expander route table that also includes the zone group of each SAS address.

F. Zoning Configuration Zoning configuration to a Zoning expander is done by a Zone Manager using a set of Zoning SMPs. The orders of SMPs are important and zoning expander will take appropriate actions on receiving a particular SMP. Zoning expander shall maintain a persistent copy, a current copy and a shadow copy of zoning information. On change of zoning configuration, zoning expander will send a zoned broadcast change.

LSI India Conference Tutorial 2011

G. Zoning Configuration SMPs ZONE LOCK Zone Lock Inactivity Timer is started. No Other Zone Manager can get access till this is done or timer is expired. Any other Zone Manager trying access will get Zone Lock Violation. CONFIGURE ZONE PHY Zoning Configuration is received and saved into shadow copy. ENABLE DISABLE ZONING Enable Disable Zoning property is received and saved into shadow copy. CONFIGURE ZONE PERMISSION TABLE Zone Permission Table Configuration is received and saved into shadow copy. CONFIGURE ZONE MANAGER PASSWORD Zone Manager Password is received and stored to shadow copy. Only available to Out-of-band zoning manager. ZONE ACTIVATE Zoning Configuration is copied from shadow copy to current copy and/or persistent copy. ZONE UNLOCK Unlock the zoning expander before timer is expired.

III. THE ZONING PHENOMENON

An example of a typical zoning phenomenon is shown in figure 4 and a phenomenon of partitioning a set of HDDs/SSDs into different zone groups for access control reason is shown in Figure 5.

LSI India Conference Tutorial 2011

End Dev Zone Group A/B/C..

IE Link Zone Group 1

Zone Group A

H osts (Initia tors)

Z oning Expanders

Serial AttachedSCSI orSA A diskdrive T s (T argets)

NO Zone Group

Figure 4: An Example of Zoning Phenomenon A. IE Link Inter Expander Link. Inter expander link zone group should always be 1 (a special zone group) for all expander inside one ZPSDS. B. Zoning Expander A SAS expander that understands and implements SAS zoning policies is termed as Zoning Expander. Initiators are typically host computers that want to access an end device (A SAS or SATA HDD/SSD) for various data keeping and manipulation operations.

LSI India Conference Tutorial 2011

Figure 5: Zoning Groups

IV. HOW ZONING WORKS Access control functionality is fully implemented in the expanders. Expanders are used for control as it is difficult to know if a host is authorized or not. Therefore, access control does not require hosts to intervene or change their behavior. By allowing expanders to control zoning legacy SAS and SATA devices, which do not understand zoning, can operate within the SAS domain. From the perspective of a SAS system administrator, the zoning model requires no change to the end devices in the network. Initiators continue to perform normal SAS discovery, and initiators and targets send and receive OPEN address frames as usual. However, unlike a typical SAS system, initiators and targets do not see the entire SAS domain, also known as a service delivery subsystem. Instead, they only see the portions of the domain, otherwise known as groups, that they have been given permission to see based on a permission table that is configured for each zoning expander. Zoning operation is determined by the configuration made to the zoning attributes for each PHY port of the expander (called PHY zone configuration). A. Defining Policies and Permissions Figure 5 shows an example zoning topology. In this instance, Device 0 and Device 2 are assigned to the same group (Group 126) since they share common resources (the need to communicate with devices in Group 5 and Group 4). The access control policies, otherwise referred to as zone permissions, for each expander group are defined using the zone permission table.

LSI India Conference Tutorial 2011

Each zoning expander device contains a zone permission table that controls whether a connection is allowed between phys based on their zone groups. Connection shall only be established if the zone permission table indicates that access between the zone group of the source port and the zone group of the destination port is allowed.

A typical example of a Zone Permission table is shown in Figure 6.

Source Zone Group Destination Zone Group

0 0 1 0 0 0

1 1 1 1 1 1/0

2-3 0 1 1/0
Reserved

4-7 0 1
Reserved

8 to (Z-1) 0 1 1/0
Reserved

0 1 2-3 4-7 8 to (Z - 1)
B. Zone Groups

Reserved

1/0

Reserved

1/0

Figure 6: Zone Permission Table

Table in Figure 7 defines Zone group properties. Zone groups 0 to 3 are special zone groups and they enjoy special permission status. Zone group starting from 8 are user defined and configurable.

LSI India Conference Tutorial 2011

Figure 7: Zone Groups C. Zone PHY Information Each PHY of a zoning expander device shall support the zone PHY information fields defined in table (Figure 8). If the expander PHY is inside the ZPSDS the value of INSIDE ZPSDS should be 1. If a PHY is at the boundary of a ZPSDS, the zone group will be persistent only if ZONE GROUP PERSISTENT bit is set. This is because at the ZPSDS boundary outside world is not known.

LSI India Conference Tutorial 2011

Field
INSIDE ZPSDS REQUESTED INSIDE ZPSDS INSIDE ZPSDS PERSISTENT

Description
phy inside or on the boundary of a ZPSDS (1/0) Establishes boundary of a ZPSDS Determines the value of INSIDE ZPSDS after link reset sequence

Default

NA 0 0 0 0

ZONE GROUP Determines the zone PERSISTENT group of the phy if INSIDE ZPSDS = 0 ZONE GROUP Zone Group of the phy.
Figure 8: Zone PHY Infomation

D. Zoning Expander Routing Table A normal SAS expander that does not understand and implement SAS Zoning will have Routed SAS Addresses and PHY bit map as entries in Routing table. As shown in Figure 9, a Zoning Expander Routing table shall have entities to implement Zoning Policies. A Zone Group Valid bit will indicate that whether Zoning is currently being implemented by this SAS expander and whether Zone Group to which the destination PHY as indicated by the PHY bit map is assigned to is valid or not. If A Zone Group Valid bit is set, the Zone Group of the PHY is read from Routing table and is validated for Permission in native active Zone Permission Table. If Zone Permission table indicates that the Source Zone Group has permission to access the destination Zone group, then only the SAS packet is routed to destination PHY.

LSI India Conference Tutorial 2011

Figure 9: Zoning Expander Routing Table

V. A ZONED TOPOLOGY EXAMPLE A typical example of a Zoned SAS Topology is shown in figure 10. To simplify lets assume that Zone Permission table in each Zoning expander in the topology is configured such that same numbered zone groups have permission and different numbers dont, whereas special zone groups are configured in the same way as required (defined in section above). Hence Zone Group 65 will have access to Zone group 65 and will not have permission to Zone group 55. The figure 9 shows how a Zoning expander implements this policy and does not allow a host which is in zone group 65 to access a HDD which is in zone 55.

LSI India Conference Tutorial 2011

Zoning Expander 1

Zone Group 65 WIDE PORTS

Zone Group = 1

WIDE PORTS

Host (Initiator)

Zone Group = 1

SAS Frame Destination HDD3 SAS Frame Destination HDD2

HDD0

Zone 65

Zoning Expander 2

Zone 55

HD

Zone 65

Zone 55

Figure 10: A Zoned SAS Topology

HDD2 HDD1

REFERENCES
[1]

[2]

Serial Attached SCSI 2 (SAS 2) T10 project, revision 16. Managing Access Control Through SAS Zoning, PMC Sierra Inc, white paper by Heng Liao, Tim Symons, Rachelle Trent Rajendra Singh received his B.E. degree (with honors) in Computer Science and Technology from Bengal Engineering and Science University, Shibpore, Kolkata (West Bengal) in the year 2003. His primary area of interest is RAID and Storage networking. He joined LSI in 2006. Since then, he has been associated with projects related to RAID Firmware, Storage Management Applications, Expander Firmware Zoning Manager, Expander Utilities Development and design.