IETF Logo Mail Archive

Re: [Ips] no DHCP-assigned InitiatorName

Sivan Tal <SIVANT@il.ibm.com> Tue, 23 September 2008 16:46 UTC

Return-Path: <ips-bounces@ietf.org>
X-Original-To: ips-archive@optimus.ietf.org
Delivered-To: ietfarch-ips-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E594C3A68E0; Tue, 23 Sep 2008 09:46:03 -0700 (PDT)
X-Original-To: ips@core3.amsl.com
Delivered-To: ips@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id CBE233A6AA6 for <ips@core3.amsl.com>; Mon, 22 Sep 2008 08:51:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5QKLHCIYooY1 for <ips@core3.amsl.com>; Mon, 22 Sep 2008 08:51:14 -0700 (PDT)
Received: from mtagate3.de.ibm.com (mtagate3.de.ibm.com [195.212.29.152]) by core3.amsl.com (Postfix) with ESMTP id 410DC3A67AA for <ips@ietf.org>; Mon, 22 Sep 2008 08:51:14 -0700 (PDT)
Received: from d12nrmr1607.megacenter.de.ibm.com (d12nrmr1607.megacenter.de.ibm.com [9.149.167.49]) by mtagate3.de.ibm.com (8.13.8/8.13.8) with ESMTP id m8MFocBs197458 for <ips@ietf.org>; Mon, 22 Sep 2008 15:50:38 GMT
Received: from d12av02.megacenter.de.ibm.com (d12av02.megacenter.de.ibm.com [9.149.165.228]) by d12nrmr1607.megacenter.de.ibm.com (8.13.8/8.13.8/NCO v9.1) with ESMTP id m8MFob9d1720574 for <ips@ietf.org>; Mon, 22 Sep 2008 17:50:37 +0200
Received: from d12av02.megacenter.de.ibm.com (loopback [127.0.0.1]) by d12av02.megacenter.de.ibm.com (8.12.11.20060308/8.13.3) with ESMTP id m8MFobut030154 for <ips@ietf.org>; Mon, 22 Sep 2008 17:50:37 +0200
Received: from d12ml102.megacenter.de.ibm.com (d12ml102.megacenter.de.ibm.com [9.149.166.138]) by d12av02.megacenter.de.ibm.com (8.12.11.20060308/8.12.11) with ESMTP id m8MFobFo030151; Mon, 22 Sep 2008 17:50:37 +0200
In-Reply-To: <OF2B1DCFAA.18C9A07A-ON852574CC.004985AD-852574CC.004A0FA1@LocalDomain>
References: <48D6F3EB.1080400@scalent.com> <OF51EB8C4B.4A802DE0-ON852574CC.003C9899-852574CC.003D1E7C@il.ibm.com> <48D79AA6.9040104@scalent.com> <OF2B1DCFAA.18C9A07A-ON852574CC.004985AD-852574CC.004A0FA1@LocalDomain>
X-KeepSent: 0A82A218:3518FC7A-852574CC:005411EC; type=4; name=$KeepSent
To: Julian Satran <Julian_Satran@il.ibm.com>
X-Mailer: Lotus Notes Release 8.0.1 HF105 April 10, 2008
Message-ID: <OF0A82A218.3518FC7A-ON852574CC.005411EC-852574CC.005707CB@il.ibm.com>
From: Sivan Tal <SIVANT@il.ibm.com>
Date: Mon, 22 Sep 2008 11:50:36 -0400
X-MIMETrack: Serialize by Router on D12ML102/12/M/IBM(Release 8.0.1|February 07, 2008) at 22/09/2008 18:50:36
MIME-Version: 1.0
X-Mailman-Approved-At: Tue, 23 Sep 2008 09:46:01 -0700
Cc: ips@ietf.org
Subject: Re: [Ips] no DHCP-assigned InitiatorName
X-BeenThere: ips@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IP Storage <ips.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ips>, <mailto:ips-request@ietf.org?subject=unsubscribe>
List-Archive: <https://www.ietf.org/mailman/private/ips>
List-Post: <mailto:ips@ietf.org>
List-Help: <mailto:ips-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ips>, <mailto:ips-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: ips-bounces@ietf.org
Errors-To: ips-bounces@ietf.org

Michael,

CbCS (Capability-based Command Security) is part of the SPC-4 (SCSI Primary
Commands) standard draft.
The current version is in
http://www.t10.org/ftp/t10/drafts/spc4/spc4r16.pdf
Clause 5.14.6 described Command Security, and sub-clause 5.14.6.8 describes
CbCS, which is currently the only SCSI command security technique.

Using CbCS, the initiator provides credential to the target that authorizes
it to access the target logical unit. The credential does not contain an
initiator identity and it is obtained from a trusted third party (security
manager) and "signed" with HMAC (based on a symmetric key shared between
the security manager and the target).  The credential (the Capability
descriptor) contains a DISCRIMINATOR field that can be set in a "vendor
specific" manner. One can use that field for initiator identifier. However,
it should be noted that when using CbCS you don't need this for
authorization. The access decision point is in the security manager and the
access enforcement point is in the target device, based on the credential.
The initiator authenticates only to the security manager, thus keeping the
device simple. This is especially valuable in virtualized environments.

Sivan Tal
IBM.



|------------>
| From:      |
|------------>
  >--------------------------------------------------------------------------------------------------------------------------------------------------|
  |Julian Satran/Haifa/IBM                                                                                                                           |
  >--------------------------------------------------------------------------------------------------------------------------------------------------|
|------------>
| To:        |
|------------>
  >--------------------------------------------------------------------------------------------------------------------------------------------------|
  |Michael Howard <michael.howard@scalent.com>                                                                                                       |
  >--------------------------------------------------------------------------------------------------------------------------------------------------|
|------------>
| Cc:        |
|------------>
  >--------------------------------------------------------------------------------------------------------------------------------------------------|
  |ips@ietf.org, Sivan Tal/Haifa/IBM@IBMIL                                                                                                           |
  >--------------------------------------------------------------------------------------------------------------------------------------------------|
|------------>
| Date:      |
|------------>
  >--------------------------------------------------------------------------------------------------------------------------------------------------|
  |09/22/2008 09:29 AM                                                                                                                               |
  >--------------------------------------------------------------------------------------------------------------------------------------------------|
|------------>
| Subject:   |
|------------>
  >--------------------------------------------------------------------------------------------------------------------------------------------------|
  |Re: [Ips] no DHCP-assigned InitiatorName                                                                                                          |
  >--------------------------------------------------------------------------------------------------------------------------------------------------|




Michael,]

I think that some of the OSs have the initiator name wired into the image
and boot providers will have to set this name.
I am not sure how what exactly is required for each version.
The boot RFC defines where the image comes from but very little else.

Sivan may give you a pointer to CbCS.

Regards,
Julo





|------------>
| From:      |
|------------>
  >--------------------------------------------------------------------------------------------------------------------------------------------------|
  |Michael Howard <michael.howard@scalent.com>                                                                                                       |
  >--------------------------------------------------------------------------------------------------------------------------------------------------|
|------------>
| To:        |
|------------>
  >--------------------------------------------------------------------------------------------------------------------------------------------------|
  |Julian Satran/Haifa/IBM@IBMIL                                                                                                                     |
  >--------------------------------------------------------------------------------------------------------------------------------------------------|
|------------>
| Cc:        |
|------------>
  >--------------------------------------------------------------------------------------------------------------------------------------------------|
  |ips@ietf.org                                                                                                                                      |
  >--------------------------------------------------------------------------------------------------------------------------------------------------|
|------------>
| Date:      |
|------------>
  >--------------------------------------------------------------------------------------------------------------------------------------------------|
  |09/22/2008 09:19                                                                                                                                  |
  >--------------------------------------------------------------------------------------------------------------------------------------------------|
|------------>
| Subject:   |
|------------>
  >--------------------------------------------------------------------------------------------------------------------------------------------------|
  |Re: [Ips] no DHCP-assigned InitiatorName                                                                                                          |
  >--------------------------------------------------------------------------------------------------------------------------------------------------|







Julian Satran wrote:
> Michael - I am not sure what you are looking for? A standard parameter
> as those described by the iBOOT RFC?

Yes, I am looking for a specific DHCP parameter that defines what
InitiatorName is to be used by the iSCSI boot client.

It seems to me that the purpose of RFC4173 was/is to allow stateless
clients to boot. The target parameters that are specified in RFC4173 are
necessary, but not sufficient. On many commercial iSCSI target servers
you must have the InitiatorName in order to be able to log in to the
target. This is the case for NetApp and SANRAD, and I strongly for many
others.

> In any case the initiator name is not the only way to control what a
> server will access.
>
> CbCS (stands for Credential Based Command Security) available for any
> SCSI device at the SCSI layer (see the T10 site) is probably
> safer/better and does not depend on things that can be so easy faked by
> an initiator as the initiator name and may be easier to deploy.

This is not something that I am familiar with ...

*** 10 minutes later ***

I could find no reference to CbCS or Command Based Command Security at
the NetApp support site now.netapp.com

A quick search at www.t10.org didn't turn anything up either ... I'll
keep looking.


There may (and should) be other/better security mechanisms working their
way through the standardization and implementation processes.

As a practical measure, I believe that a DHCP-supplied InitiatorName is
needed because InitiatorName is required by many commercial iSCSI target
servers.


Michael





_______________________________________________
Ips mailing list
Ips@ietf.org
https://www.ietf.org/mailman/listinfo/ips

v2.23.0 | Report a Bug | By Email