|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] RE: iSNS and zoningJP, The iSNS specifies the name server only. It is not the role of the iSNS to enforce the zoning, only to store the zoning configuration. As you pointed out, in order to obtain the equivalent of Fibre Channel zoning functionality, the iSNS clients must implement the capability to enforce the zoning configurations that they learn about from the iSNS. iSNS clients include targets, initiators, management stations, and possibly even switches. Zoning capability is a result of implementing the enforcement capability in the appropriate iSNS clients. For example, a switch can download IP address- defined zones from the iSNS and configure its ACL's so that only properly authorized initiators at the identified IP addresses can access its directly-attached targets. Another example would be a target which self-enforces the zoning configuration that it learns about from the iSNS. First, it downloads from the iSNS a list of zoned initiators identified by WWUI, which are allowed to access that target. Optionally, this can also include the public key of each of those initiators. When an iSCSI initiator attempts to log into that client, the target will refuse the login unless the WWUI's match. If spoofing of WWUI's is a concern, then the public key obtained from the iSNS can be used to verify the identity of the initiator. Josh > -----Original Message----- > From: jp.raghavendra@sun.com [mailto:jp.raghavendra@sun.com] > Sent: Thursday, December 14, 2000 10:51 PM > To: ips@ece.cmu.edu > Subject: iSNS and zoning > > > > > In looking at iSNS draft, I get the impression that the zoning service as currently defined is a poor mimicking of its Fibre Channel counter part. In FC fabric, the switch has several mechanisms to prevent an N/NL_Port from unauthorised/unintended accesses, since it is part of the access path. However, with iSNS, which could be a stand alone name server, I'm having hard time understanding how this storage name server could enforce the claims made in the draft, such as: a) > 3.1.3 Network Zoning Service > .... snip .... > The Network Zoning Service implements the functionality to support > grouping of iSNS client devices into domains for administrative and > access control purposes. > .... b) > 4.3 Zone Object > > .... snip .... > Zoning is a security and management mechanism used to partition > storage resources. Zoning prevents initiators from potentially > logging in to every possible target during device discovery. > .... iSNS as currently defined is only a repository of information of the so called zones. It has no way to prevent an authorised rogue iSCSI initiator from setting up a TCP connection with an iSCSI target. The best place to implement security and access control is the iSCSI target itself. -JP
Home Last updated: Tue Sep 04 01:06:03 2001 6315 messages in chronological order |