Storage Area Networks (SANs) are usually used to access the most critical data of an organization, therefore ensuring their security is of paramount importance. This presentation will introduce the general SAN security threats and the methods (authentication and secure channel) to mitigate them. It will also present the authentication protocol and secure channel specifications that have been defined for NVMe-oF over IP fabrics, with special attention to the NVMe/TCP case.

NVMe over IP is a technology able to provide complete and scalable SAN solutions. Security is of paramount importance for SANs and the fundamental methods to secure NMVe over IP fabrics (i.e., DH-HMAC-CHAP authentication and TLS secure channel) have been defined. However, the security provisioning of these methods does not scale yet to large fabrics.

nvme-stas is an open source Linux project that provides: - A Central Discovery Controller (CDC) client for Linux - Asynchronous Event Notifications (AEN) handling - Automated NVMe subsystem connection controls - Error handling and reporting - Automatic (zeroconf) and Manual configuration nvme-stas is composed of two services, stafd and stafd, running on a Host computer. It uses the newly released libnvme 1.0 to communicate with the Linux kernel's nvme driver.

Security for NVMe over Fabrics is highly sought by customers and evolving at a fast pace. Experience with initial implementations uncovered a few shortcomings in the original design of certain NVMe/TCP security features that have resulted in recent security protocol changes. Furthermore, a lack of understanding on how configured single-system NVMe over Fabrics security policies interact led to the standardization in NVM Express of an interoperability framework. This session will explain these recent developments in NVMe-oF security and their importance to achieve a secure SAN.