RE: Using HTTP proxies with iSCSI

["Jim Hafner/Almaden/IBM" <hafner@almaden.ibm.com>]

David,

If we find the need for something along these lines (i.e. that your option
(1) is NOT sufficient), then my proposed CONNECT has all the properties
you'd like. In particular, as with https, the proxy/gateway/intermediary is
NOT part of the iSCSI security context.   (It might be part of lower layer
security contexts like IPsec on its in and out connections, but that's not
relevant and is transparent to the iSCSI layer.)

Jim Hafner


Black_David@emc.com@ece.cmu.edu on 10-12-2000 06:08:01 AM

Sent by:  owner-ips@ece.cmu.edu


To:   csapuntz@cisco.com, ips@ece.cmu.edu
cc:
Subject:  RE: Using HTTP proxies with iSCSI



> Just a note for future reference (not meant to spark discussion)...
>
> HTTP has a way of de facto standard way of setting up TCP connections
through
> HTTP proxies. See the CONNECT verb in section 9.9 of RFC 2616 and
> the expired draft at:
>
>
http://www.alternic.org/drafts/drafts-l-m/draft-luotonen-web-proxy-tunneling

-01.html
>
> This mechanism could be used for iSCSI.
>
> This mechanism is in-band, in that it occurs on the same TCP connection,
> yet out-of-band, since it is iSCSI independent.

Almost, but not quite.  HTTP transits proxies by using absolute URLs that
contain the DNS hostname; the current direction is towards using absolute
URLs for everything, but they were originally only used for proxies.
CONNECT was invented for HTTPS (i.e., SSL/TLS) proxies where the hostname
is/would be encrypted, and proxy participation in the security relationship
between the browser and web server (which would allow the proxy to decrypt
the hostname) is undesirable.

--David

---------------------------------------------------
David L. Black, Senior Technologist
EMC Corporation, 42 South St., Hopkinton, MA  01748
+1 (508) 435-1000 x75140     FAX: +1 (508) 497-8500
black_david@emc.com       Mobile: +1 (978) 394-7754
---------------------------------------------------