IETF Logo Mail Archive

Re: [Ips] no DHCP-assigned InitiatorName

Michael Howard <michael.howard@scalent.com> Mon, 22 September 2008 18:13 UTC

Return-Path: <ips-bounces@ietf.org>
X-Original-To: ips-archive@optimus.ietf.org
Delivered-To: ietfarch-ips-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id CF3B628C104; Mon, 22 Sep 2008 11:13:48 -0700 (PDT)
X-Original-To: ips@core3.amsl.com
Delivered-To: ips@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7C74928C104 for <ips@core3.amsl.com>; Mon, 22 Sep 2008 11:13:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.712
X-Spam-Level:
X-Spam-Status: No, score=0.712 tagged_above=-999 required=5 tests=[AWL=0.360, BAYES_00=-2.599, FH_HOST_EQ_D_D_D_D=0.765, FH_HOST_EQ_D_D_D_DB=0.888, HELO_MISMATCH_COM=0.553, HOST_MISMATCH_NET=0.311, IP_NOT_FRIENDLY=0.334, RDNS_DYNAMIC=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id E5rjK9fivyMc for <ips@core3.amsl.com>; Mon, 22 Sep 2008 11:13:46 -0700 (PDT)
Received: from mymail.scalent.com (69-233-57-200.ded.pacbell.net [69.233.57.200]) by core3.amsl.com (Postfix) with ESMTP id 4218828C127 for <ips@ietf.org>; Mon, 22 Sep 2008 11:13:46 -0700 (PDT)
Received: from exchange.scalent.central ([192.168.151.1]) by mymail.scalent.com with Microsoft SMTPSVC(6.0.3790.3959); Mon, 22 Sep 2008 11:13:40 -0700
Received: from [192.168.0.119] ([10.10.100.77]) by exchange.scalent.central with Microsoft SMTPSVC(6.0.3790.3959); Mon, 22 Sep 2008 11:13:39 -0700
Message-ID: <48D7E05D.3010507@scalent.com>
Date: Mon, 22 Sep 2008 14:13:49 -0400
From: Michael Howard <michael.howard@scalent.com>
User-Agent: Thunderbird 2.0.0.16 (Windows/20080708)
MIME-Version: 1.0
To: Sivan Tal <SIVANT@il.ibm.com>
References: <48D6F3EB.1080400@scalent.com> <OF51EB8C4B.4A802DE0-ON852574CC.003C9899-852574CC.003D1E7C@il.ibm.com> <48D79AA6.9040104@scalent.com> <OF2B1DCFAA.18C9A07A-ON852574CC.004985AD-852574CC.004A0FA1@LocalDomain> <OF0A82A218.3518FC7A-ON852574CC.005411EC-852574CC.005707CB@il.ibm.com>
In-Reply-To: <OF0A82A218.3518FC7A-ON852574CC.005411EC-852574CC.005707CB@il.ibm.com>
X-OriginalArrivalTime: 22 Sep 2008 18:13:39.0314 (UTC) FILETIME=[F0173520:01C91CDE]
Cc: ips@ietf.org, Julian Satran <Julian_Satran@il.ibm.com>
Subject: Re: [Ips] no DHCP-assigned InitiatorName
X-BeenThere: ips@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IP Storage <ips.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ips>, <mailto:ips-request@ietf.org?subject=unsubscribe>
List-Archive: <https://www.ietf.org/mailman/private/ips>
List-Post: <mailto:ips@ietf.org>
List-Help: <mailto:ips-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ips>, <mailto:ips-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Sender: ips-bounces@ietf.org
Errors-To: ips-bounces@ietf.org

Thank you for the reference and explanation.

This looks like it may be useful down the road as the standard becomes 
adopted and commercial implementations become available.


Michael

Sivan Tal wrote:
> Michael,
> 
> CbCS (Capability-based Command Security) is part of the SPC-4 (SCSI Primary
> Commands) standard draft.
> The current version is in
> http://www.t10.org/ftp/t10/drafts/spc4/spc4r16.pdf
> Clause 5.14.6 described Command Security, and sub-clause 5.14.6.8 describes
> CbCS, which is currently the only SCSI command security technique.
> 
> Using CbCS, the initiator provides credential to the target that authorizes
> it to access the target logical unit. The credential does not contain an
> initiator identity and it is obtained from a trusted third party (security
> manager) and "signed" with HMAC (based on a symmetric key shared between
> the security manager and the target).  The credential (the Capability
> descriptor) contains a DISCRIMINATOR field that can be set in a "vendor
> specific" manner. One can use that field for initiator identifier. However,
> it should be noted that when using CbCS you don't need this for
> authorization. The access decision point is in the security manager and the
> access enforcement point is in the target device, based on the credential.
> The initiator authenticates only to the security manager, thus keeping the
> device simple. This is especially valuable in virtualized environments.
> 
> Sivan Tal
> IBM.
> 
> 
> 
> |------------>
> | From:      |
> |------------>
>   >--------------------------------------------------------------------------------------------------------------------------------------------------|
>   |Julian Satran/Haifa/IBM                                                                                                                           |
>   >--------------------------------------------------------------------------------------------------------------------------------------------------|
> |------------>
> | To:        |
> |------------>
>   >--------------------------------------------------------------------------------------------------------------------------------------------------|
>   |Michael Howard <michael.howard@scalent.com>                                                                                                       |
>   >--------------------------------------------------------------------------------------------------------------------------------------------------|
> |------------>
> | Cc:        |
> |------------>
>   >--------------------------------------------------------------------------------------------------------------------------------------------------|
>   |ips@ietf.org, Sivan Tal/Haifa/IBM@IBMIL                                                                                                           |
>   >--------------------------------------------------------------------------------------------------------------------------------------------------|
> |------------>
> | Date:      |
> |------------>
>   >--------------------------------------------------------------------------------------------------------------------------------------------------|
>   |09/22/2008 09:29 AM                                                                                                                               |
>   >--------------------------------------------------------------------------------------------------------------------------------------------------|
> |------------>
> | Subject:   |
> |------------>
>   >--------------------------------------------------------------------------------------------------------------------------------------------------|
>   |Re: [Ips] no DHCP-assigned InitiatorName                                                                                                          |
>   >--------------------------------------------------------------------------------------------------------------------------------------------------|
> 
> 
> 
> 
> Michael,]
> 
> I think that some of the OSs have the initiator name wired into the image
> and boot providers will have to set this name.
> I am not sure how what exactly is required for each version.
> The boot RFC defines where the image comes from but very little else.
> 
> Sivan may give you a pointer to CbCS.
> 
> Regards,
> Julo
> 
> 
> 
> 
> 
> |------------>
> | From:      |
> |------------>
>   >--------------------------------------------------------------------------------------------------------------------------------------------------|
>   |Michael Howard <michael.howard@scalent.com>                                                                                                       |
>   >--------------------------------------------------------------------------------------------------------------------------------------------------|
> |------------>
> | To:        |
> |------------>
>   >--------------------------------------------------------------------------------------------------------------------------------------------------|
>   |Julian Satran/Haifa/IBM@IBMIL                                                                                                                     |
>   >--------------------------------------------------------------------------------------------------------------------------------------------------|
> |------------>
> | Cc:        |
> |------------>
>   >--------------------------------------------------------------------------------------------------------------------------------------------------|
>   |ips@ietf.org                                                                                                                                      |
>   >--------------------------------------------------------------------------------------------------------------------------------------------------|
> |------------>
> | Date:      |
> |------------>
>   >--------------------------------------------------------------------------------------------------------------------------------------------------|
>   |09/22/2008 09:19                                                                                                                                  |
>   >--------------------------------------------------------------------------------------------------------------------------------------------------|
> |------------>
> | Subject:   |
> |------------>
>   >--------------------------------------------------------------------------------------------------------------------------------------------------|
>   |Re: [Ips] no DHCP-assigned InitiatorName                                                                                                          |
>   >--------------------------------------------------------------------------------------------------------------------------------------------------|
> 
> 
> 
> 
> 
> 
> 
> Julian Satran wrote:
>> Michael - I am not sure what you are looking for? A standard parameter
>> as those described by the iBOOT RFC?
> 
> Yes, I am looking for a specific DHCP parameter that defines what
> InitiatorName is to be used by the iSCSI boot client.
> 
> It seems to me that the purpose of RFC4173 was/is to allow stateless
> clients to boot. The target parameters that are specified in RFC4173 are
> necessary, but not sufficient. On many commercial iSCSI target servers
> you must have the InitiatorName in order to be able to log in to the
> target. This is the case for NetApp and SANRAD, and I strongly for many
> others.
> 
>> In any case the initiator name is not the only way to control what a
>> server will access.
>>
>> CbCS (stands for Credential Based Command Security) available for any
>> SCSI device at the SCSI layer (see the T10 site) is probably
>> safer/better and does not depend on things that can be so easy faked by
>> an initiator as the initiator name and may be easier to deploy.
> 
> This is not something that I am familiar with ...
> 
> *** 10 minutes later ***
> 
> I could find no reference to CbCS or Command Based Command Security at
> the NetApp support site now.netapp.com
> 
> A quick search at www.t10.org didn't turn anything up either ... I'll
> keep looking.
> 
> 
> There may (and should) be other/better security mechanisms working their
> way through the standardization and implementation processes.
> 
> As a practical measure, I believe that a DHCP-supplied InitiatorName is
> needed because InitiatorName is required by many commercial iSCSI target
> servers.
> 
> 
> Michael
> 
> 
> 
> 
> 
_______________________________________________
Ips mailing list
Ips@ietf.org
https://www.ietf.org/mailman/listinfo/ips

v2.23.0 | Report a Bug | By Email