SORT BY:

LIST ORDER
THREAD
AUTHOR
SUBJECT


SEARCH

IPS HOME


    [Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

    Re: iSCSI: CONNECT message (was Naming/Discovery/URLs)



    
    
    Jim,
    
    I am trying to understand your proposal - so please bear with me.
    
    You assume a topology like:
    
       a)   I---G1---G2---G3---T
    
    in which the iSCSI connection is made-up of a series of TCP links that pass
    through
    an ALG  or:
    
       b)  I----G1
              \-------------G2
               \----------------------G3
                \------------------------------------T
    
    
    Where the connection - after an initial phase - is not really handled by
    the gateway
    but passed-through.
    
    I would assume that the first topology is of little interest while the
    second is handled by the regular TCP open/connect.
    
    And if the first case is of major interest - what is in the Connect that
    the Login doesn't have?
    
    One additional item to consider is security - authenthication.
    
    Authentication will be handled between Login and the Login-Rsponse.
    
    You can then add authentication steps for every gateway.
    
    I assume that this is more difficult if you handle the connection building
    as a separate step.
    
    Julo
    
    
    
    "Jim Hafner/Almaden/IBM" <hafner@almaden.ibm.com> on 05/10/2000 00:57:19
    
    Please respond to "Jim Hafner/Almaden/IBM" <hafner@almaden.ibm.com>
    
    To:   ips@ece.cmu.edu
    cc:    (bcc: Julian Satran/Haifa/IBM)
    Subject:  iSCSI: CONNECT message (was Naming/Discovery/URLs)
    
    
    
    
    Folks,
    
    I want to chime in here with a couple of things (well, this is actually
    going to be long note with lots of things).  This is based on private
    discussions with a couple of people, including Daniel Smith (though I
    expect he doesn't agree with all this).
    
    There's a SUMMARY at the end, if you want to skip there and an appendix
    with some definitions.
    
    First off, I think Costa has hit one of the nails on the head, but I'd like
    to frame things a bit differently and make some specific proposals, pose
    some specific (and narrow) questions, move part of this
    naming/discovery/etc. issues to a different thread and preachify for a
    while (<soapbox>I can't help myself!</soapbox>).
    
    IMHO, the most important (and obvious) first step in getting an initiator
    and target together to talk SCSI is the establishment of a TCP connection
    (this has nothing, per se, to do with iSCSI as they can't do the login step
    until that is done).  Also, the *wire protocol* for this step is
    independent of management/naming/etc deployment.  This topic is another
    "can of worms" and I don't want to address that one.  So, here goes!
    
    I'm proposing a change to the iSCSI wire protocol that will enable the
    establishment of a TCP connection between the initiator and target through
    gateways/firewalls, etc.  Details below, but let's start with a question.
    
    QUESTION1: what information does an initiator need to make a connection to
    a target?
    
    ANSWER1: it needs at least an ipaddress to open the first connection. It
    also needs more, namely an identifier of the target itself, so the receiver
    at that ipaddress can tell if this is really for him or for someone else.
    So, the initiator needs a pair consisting of (ipaddress, TargetID).  [This
    agrees with Costa's "IP address model" paragraph and is what he calls a
    "target name".]  N.B. I specifically say ipaddress and not ipname (as I'm
    assuming that resolution has already taken place, one way or another).
    
    NOTE 1) I haven't addressed where this information comes from (see Note3
    below).
    
    PROPOSAL: the first step in iSCSI phase should be something like "CONNECT:
    TargetID".  The iSCSI login should only occur between the initiator and
    actual target, after a connection is established end-to-end.
    
    Here's how this works.  The initiator uses the ipaddress in the target name
    pair to open a TCP connection.  The first message on that connection is
    "CONNECT: TargetID".  This should be interpreted by the receiver as a
    request to establish a connection to the device defined by the TargetID (in
    the receiver's context).  If the receiver is not the target itself, it must
    be some gateway.  The gateway resolves the TargetID into another target
    name pair valid on the other side of the gateway.  The gateway then opens a
    connection to the new ipaddress and sends the "CONNECT: newTargetID"
    message.  This continues and propogates until the target name pair finally
    resolves to the target (that is, when the TargetID in the pair belongs to
    the same device as that of the ipaddress of the pair).  When the target is
    the recepient of the "CONNECT" message for itself, it responds "OK". This
    "OK" propogates back through each "hop" back to the initiator.  At this
    point, there is an established socket connection (perhaps through multiple
    intermediaries) from initiator to target.  Now the iSCSI login can start.
    
    This is analogous to the http GET protocol.  It's different in that each
    gateway provides a coupler between two socket connections and must maintain
    that state (or be able to reconstruct that state as a long as the "in"-end
    stays open.  Such couplers might have security filters, or other things
    which are an independent function of the gateway's two-ends.
    
    Let me put this in the context of the existing proposals. In the current
    drafts, the target name concept here
    
    a) maps to a URL containing some path information to the target (that is, a
    possibly unresolved ipname and path+query information -- the ipaddress in
    my target name pair is the "resolved" ipname of this URL; the TargetID is
    the rest of the URL).
    
    b) and is embedded in the Text portion of the login message (where it would
    have to be parsed in the login phase by the gateway). (This is assumed by
    Costa, I think.)
    
    So, I'm proposing then to move this "gateway/proxy/whatever"
    connection-intermediary process out of the iSCSI login and into a different
    message and as the first phase of the iSCSI wire protocol. It will be more
    generic for the gateway to deal with and the information will be available
    upfront, not buried in the bowels of the Text portion of the Login.
    [Aside: one might suggest that IETF formalize and generalize this sort of
    "CONNECT" protocol independent of iSCSI or http or any other protocol.  I'm
    not bitting that off here, but it is a thought...]
    
    QUESTION2: what form should the TargetID take?
    
    ANSWER2A: it should be human-readable (e.g., look like a URL).  This has
    some advtanges in that some gateways already can parse URLs in http GET
    messages, so there's not much extra work.
    
    ANSWER2B: it should be machine-parseable (e.g., a byte-structured set of
    fields).  This has its own advantages in  performance and possibly
    security.
    
    ANSWER2C: either one, so long as we have some bit in the wire protocol
    (header of the "CONNECT" packet?) that tells the gateway what parsing rules
    to apply to the TargetID.
    
    I have no strong bias between these choices, so I open that up for
    discussion.  My weak bias is for 2B as I think that might be simpler to
    implement in gateways.  That does require some serious thinking about
    structure of the fields, however.
    
    NOTE 2) the TargetID is a name that is valid in the name/address domain
    common to the initiator and the device at the end of the ipaddress (the
    gateway).  It may or may not get changed at the gateway.  That is, it is
    not necessarily globally unique (though it might contain something with
    this property). See QUESTION3.
    
    NOTE 3) how does the initiator (or even the gateway) get the (ipaddress,
    TargetID)? That's a management infrastructure issue.  That's NOT an iSCSI
    wire protocol, which is all I'm trying to discuss here.
    <soapbox> There are an infinite number of ways this might be done,
    including combinations of LDAP (or other directory service), DNS,
    S(scsi)NS, or anything a management implemention/deployment might choose.
    I'd suggest tabling that discussion for now.  It's not clear (to me) that
    this is an issue for this WG to deal with, at least for NOW.  E.g., it
    could very well be that the initiator gets it from a file or registry in
    the OS.  Does IETF want to spec this?</soapbox>
    
    QUESTION3: what's in a TargetID and what's NOT?
    
    ANSWER3: A TargetID contains a name (direct or indirect, globally unique or
    not) for the target device.   It is an open question what the contents of
    this TargetID should be.  The minimum requirement is that it have meaning
    to the receiver of the CONNECT message.
    <soapbox> It does NOT contain anything that involves LUs (or LUNs) or
    initiator identifiers, or authentication or ..... All of this additional
    information is not relevant to establishing the TCP connection.  That stuff
    (with the exception of LU information) might be very relevant for the login
    step, which comes later.  LU information is not relevant in this space at
    all. SCSI knows how to deal with LUs. </soapbox>
    
    QUESTION4:  What about 3rd party issues?
    
    ANSWER4: This is a multi-part answer.
    
    a) As already noted by others, the *only* important issue in this space is
    identifiers for 3rd party targets.  LU identifiers (LUNs or Proxy Tokens a
    la Access Controls in SCSI) are handled already by SCSI.
    
    b) the target identifier can be arbitrarily long if we assume that T10
    adopts some proposal for aliasing long identifiers to 8-byte identifiers
    used in third party copy commands like EXTENDED COPY and some of the XOR
    commands (as noted by Ralph Weber).
    
    c) within the SCSI third-party command formats (after resolving aliases),
    the target identifier should have meaning to the device to which the
    third-party command is directed.  So if initiator Ian wants the SCSI copy
    manager in target Tom to do stuff on target Tim, then Ian has to identify
    Tim to Tom using a target identifier valid from *Tom's perspective* (this
    may have no meaning at all for Ian).  Note that this target name may be FC
    name (as currently modeled in SCSI's EXTENDED COPY) or it might be an iSCSI
    target name pair (ipaddress, TargetID), or it might be a parallel SCSI bus
    address (if Tim and Tom are on the same bus).
    
    d) How Ian gets the information about Tom's view of Tim is, again IMHO, a
    management infrastructure issue (which I'm defering to another thread). In
    other words, it's not a function of the wire protocol or the SCSI protocol,
    per se.  There are things we might be able to do to facilitate this (see
    discussion point below about TargetID structure), but they belong in a
    separate thread.  Keep in mind that this very well might involve
    cross-transport issues.
    
    ----------------------------------------------------------------------
    SUMMARY:
    
    PROPOSAL: first step in iSCSI protocol is "CONNECT", not login. Once
    "CONNECT" is successful end-to-end (initiator to target), then the login
    can proceed.
    
    ADDITIONAL PROPOSAL: "CONNECT" responses could be one of
    a) "OK" (meaning the end-to-end connection has been established)
    b) "ERROR" (meaning somebody along the line couldn't establish their hop in
    the connection, for whatever reason)
    c) "REDIRECT" to a new target name pair (Costa suggests something like
    this, as well).
    
    DISCUSSION POINT: what form should the TargetID take (URL, structured-byte
    fields, combo)?  Should it contain some globally unique identifier of the
    target (if so, who owns that namespace, how is it discovered, and does it
    involve security exposures)? Should it contain hints on how to find an
    address (the next stop in the hop)? E.g., should it contain a context for
    another name server?  What can it contain to help with the third party
    problem (Ian getting Tom's context for Tim)?
    
    If there is general (or some) agreement that the main proposal here is a
    good idea, I'd be willing to propose a specific message format for the
    "CONNECT" protocol and response format.
    
    Can I suggest that discussion of the specifics of the CONNECT protocol come
    under this or a narrower discussion thread; discussion of the format of the
    TargetID come under a different thread (among those who generally go along
    with the CONNECT idea); and discussion of the "how does the initiator get
    the target name pair" go under a different thread (like Management or
    NameService)?
    
    ----------------------------------------------------------------------
    APPENDIX:
    Two definitiions:
    
    INITIATOR: a "SCSI Initiator Device". In the current T10 thinking, this is
    pretty much a physical port on the network which speaks IP and has SCSI
    command generator (i.e., application client).
    
    TARGET: a "SCSI Target Device". In the current T10 thinking, this is pretty
    much a collection of physical ports on the network, each speaking IP and
    each sharing a set of one or more SCSI logical units. That is, this can be
    a multi-ported device with multiple ipaddresses or names.
    
    N.B. both definitions are still under debate in T10.
    
    
    Jim Hafner
    
    
    
    
    


Home

Last updated: Tue Sep 04 01:06:50 2001
6315 messages in chronological order