Re: no DHCP-assigned InitiatorName
CbCS is a technology for which there is little to no current product support. As a security technology, it does not strike me as a good solution to the issue that Michael raises, which is basically an automatic configuration issue.

Thanks,
--David
----------------------------------------------------
David L. Black, Distinguished Engineer
EMC Corporation, 176 South St., Hopkinton, MA 01748
+1 (508) 293-7953    FAX: +1 (508) 293-7786
black_david@xxxxxxx    Mobile: +1 (978) 394-7754
----------------------------------------------------
Michael,

I think that some of the OSs have the initiator name wired into the image and boot providers will have to set this name. I am not sure what exactly is required for each version.

The boot RFC defines where the image comes from but very little else.

Sivan may give you a pointer to CbCS.

Regards,
Julo

From: Michael Howard <michael.howard@xxxxxxxxxxx>
To: Julian Satran/Haifa/IBM@IBMIL
Cc: ips@xxxxxxxx
Date: 09/22/2008 09:19
Subject: Re: no DHCP-assigned InitiatorName

Julian Satran wrote:
> Michael - I am not sure what you are looking for? A standard parameter
> as those described by the iBOOT RFC?

Yes, I am looking for a specific DHCP parameter that defines what InitiatorName is to be used by the iSCSI boot client.

It seems to me that the purpose of RFC4173 was/is to allow stateless clients to boot. The target parameters that are specified in RFC4173 are necessary, but not sufficient. On many commercial iSCSI target servers you must have the InitiatorName in order to be able to log in to the target. This is the case for NetApp and SANRAD, and I strongly for many others.

> In any case the initiator name is not the only way to control what a
> server will access.
>
> CbCS (stands for Credential Based Command Security) available for any
> SCSI device at the SCSI layer (see the T10 site) is probably
> safer/better and does not depend on things that can be so easily faked by
> an initiator as the initiator name and may be easier to deploy.

This is not something that I am familiar with ...

*** 10 minutes later ***

I could find no reference to CbCS or Command Based Command Security at the NetApp support site now.netapp.com

A quick search at www.t10.org didn't turn anything up either ... I'll keep looking.

There may (and should) be other/better security mechanisms working their way through the standardization and implementation processes.

As a practical measure, I believe that a DHCP-supplied InitiatorName is needed because InitiatorName is required by many commercial iSCSI target servers.

Michael
_______________________________________________
Ips mailing list
Ips@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ips