Re: [Ips] no DHCP-assigned InitiatorName
Sivan Tal <SIVANT@il.ibm.com> Tue, 23 September 2008 16:46 UTC
In-Reply-To: <OF2B1DCFAA.18C9A07A-ON852574CC.004985AD-852574CC.004A0FA1@LocalDomain>
References: <48D6F3EB.1080400@scalent.com> <OF51EB8C4B.4A802DE0-ON852574CC.003C9899-852574CC.003D1E7C@il.ibm.com> <48D79AA6.9040104@scalent.com> <OF2B1DCFAA.18C9A07A-ON852574CC.004985AD-852574CC.004A0FA1@LocalDomain>
To: Julian Satran <Julian_Satran@il.ibm.com>
Message-ID: <OF0A82A218.3518FC7A-ON852574CC.005411EC-852574CC.005707CB@il.ibm.com>
From: Sivan Tal <SIVANT@il.ibm.com>
Date: Mon, 22 Sep 2008 11:50:36 -0400
Cc: ips@ietf.org
Subject: Re: [Ips] no DHCP-assigned InitiatorName
Michael,

CbCS (Capability-based Command Security) is part of the SPC-4 (SCSI Primary Commands) standard draft. The current version is at http://www.t10.org/ftp/t10/drafts/spc4/spc4r16.pdf. Clause 5.14.6 describes Command Security, and sub-clause 5.14.6.8 describes CbCS, which is currently the only SCSI command security technique.

Using CbCS, the initiator provides a credential to the target that authorizes it to access the target logical unit. The credential does not contain an initiator identity; it is obtained from a trusted third party (the security manager) and "signed" with an HMAC (based on a symmetric key shared between the security manager and the target). The credential (the Capability descriptor) contains a DISCRIMINATOR field that can be set in a "vendor specific" manner. One can use that field for an initiator identifier. However, it should be noted that when using CbCS you don't need this for authorization. The access decision point is in the security manager and the access enforcement point is in the target device, based on the credential. The initiator authenticates only to the security manager, thus keeping the device simple. This is especially valuable in virtualized environments.

Sivan Tal
IBM
From: Julian Satran/Haifa/IBM
To: Michael Howard <michael.howard@scalent.com>
Cc: ips@ietf.org, Sivan Tal/Haifa/IBM@IBMIL
Date: 09/22/2008 09:29 AM
Subject: Re: [Ips] no DHCP-assigned InitiatorName

Michael,

I think that some of the OSs have the initiator name wired into the image and boot providers will have to set this name. I am not sure what exactly is required for each version. The boot RFC defines where the image comes from but very little else. Sivan may give you a pointer to CbCS.

Regards,
Julo

From: Michael Howard <michael.howard@scalent.com>
To: Julian Satran/Haifa/IBM@IBMIL
Cc: ips@ietf.org
Date: 09/22/2008 09:19
Subject: Re: [Ips] no DHCP-assigned InitiatorName

Julian Satran wrote:
> Michael - I am not sure what you are looking for? A standard parameter
> as those described by the iBOOT RFC?

Yes, I am looking for a specific DHCP parameter that defines what InitiatorName is to be used by the iSCSI boot client. It seems to me that the purpose of RFC4173 was/is to allow stateless clients to boot. The target parameters that are specified in RFC4173 are necessary, but not sufficient. On many commercial iSCSI target servers you must have the InitiatorName in order to be able to log in to the target. This is the case for NetApp and SANRAD, and I strongly for many others.

> In any case the initiator name is not the only way to control what a
> server will access.
>
> CbCS (stands for Credential Based Command Security) available for any
> SCSI device at the SCSI layer (see the T10 site) is probably
> safer/better and does not depend on things that can be so easy faked by
> an initiator as the initiator name and may be easier to deploy.

This is not something that I am familiar with ...

*** 10 minutes later ***

I could find no reference to CbCS or Command Based Command Security at the NetApp support site now.netapp.com. A quick search at www.t10.org didn't turn anything up either ... I'll keep looking.

There may (and should) be other/better security mechanisms working their way through the standardization and implementation processes. As a practical measure, I believe that a DHCP-supplied InitiatorName is needed because InitiatorName is required by many commercial iSCSI target servers.

Michael

_______________________________________________
Ips mailing list
Ips@ietf.org
https://www.ietf.org/mailman/listinfo/ips
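To make the three-party model Sivan describes concrete, here is an added Python sketch (not code from the thread, from T10 or from IBM): the security manager issues a capability and HMACs it with a key shared only with the target, and the target enforces it without ever seeing an initiator identity. The field layout, permission bits, expiry and all class and function names are assumptions for illustration, not the SPC-4 Capability descriptor format.

```python
import hashlib, hmac, struct

# Constructed illustration of the CbCS flow from the thread: the security manager
# (decision point) issues and HMAC-"signs" a capability; the target (enforcement
# point) checks it with the shared key. Layout and names are NOT SPC-4 encoding.

READ, WRITE = 0x1, 0x2    # constructed permission bits
FMT = "!8sIB8sQ"          # target_id, lun, perms, discriminator, expiry

def encode_capability(target_id, lun, perms, discriminator, expiry):
    """Pack capability fields; DISCRIMINATOR is vendor-specific (here 8 bytes)."""
    return struct.pack(FMT, target_id, lun, perms, discriminator, expiry)

def decode_capability(cap):
    keys = ("target_id", "lun", "perms", "discriminator", "expiry")
    return dict(zip(keys, struct.unpack(FMT, cap)))

class SecurityManager:
    """Decision point: the only party the initiator authenticates to."""
    def __init__(self, target_keys):
        self.target_keys = target_keys    # target_id -> key shared with target

    def issue(self, target_id, lun, perms, discriminator, expiry):
        cap = encode_capability(target_id, lun, perms, discriminator, expiry)
        tag = hmac.new(self.target_keys[target_id], cap, hashlib.sha256).digest()
        return cap, tag                   # credential = capability + HMAC tag

class Target:
    """Enforcement point: trusts the shared key, never an initiator name."""
    def __init__(self, target_id, key):
        self.target_id, self.key = target_id, key

    def execute(self, lun, op, cap, tag, now):
        expected = hmac.new(self.key, cap, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return "denied: bad HMAC"     # forged or tampered credential
        c = decode_capability(cap)
        if c["target_id"] != self.target_id or c["lun"] != lun:
            return "denied: wrong target or LU"
        if now > c["expiry"]:
            return "denied: expired"
        if c["perms"] & op != op:
            return "denied: operation not granted"
        return "ok"

# Constructed demo values; the key is shared by manager and target only.
TARGET_ID, KEY = b"tgt-0001", b"\x11" * 32
sm, tgt = SecurityManager({TARGET_ID: KEY}), Target(TARGET_ID, KEY)
CAP, TAG = sm.issue(TARGET_ID, 3, READ, b"iqn-hash", 2000)
```

Re-encoding the capability with extra rights but the old tag fails the HMAC check, which is the property that lets the target stay simple: it validates the credential, not the initiator.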