iSNS and zoning
In looking at the iSNS draft, I get the impression that the zoning service
as currently defined is a poor mimicking of its Fibre Channel counterpart.
In an FC fabric, the switch has several mechanisms to prevent an
N/NL_Port from unauthorised/unintended accesses, since it is part of
the access path. However, with iSNS, which could be a standalone name
server, I'm having a hard time understanding how this storage name server
could enforce the claims made in the draft, such as:
a)
> 3.1.3 Network Zoning Service
> .... snip ....
> The Network Zoning Service implements the functionality to support
> grouping of iSNS client devices into domains for administrative and
> access control purposes.
> ....
b)
> 4.3 Zone Object
>
> .... snip ....
> Zoning is a security and management mechanism used to partition
> storage resources. Zoning prevents initiators from potentially
> logging in to every possible target during device discovery.
> ....
iSNS as currently defined is only a repository of information of the
so-called zones. It has no way to prevent an authorised rogue iSCSI initiator
from setting up a TCP connection with an iSCSI target. The best place to
implement security and access control is the iSCSI target itself.
-JP
Last updated: Tue Sep 04 01:06:03 2001