SORT BY:

LIST ORDER
THREAD
AUTHOR
SUBJECT


SEARCH

IPS HOME


    [Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

    RE: iSNS and zoning



    JP,
    
    The iSNS specifies the name server only.  It is not the role of the
    iSNS to enforce the zoning, only to store the zoning configuration.
    As you pointed out, in order to obtain the equivalent of Fibre Channel
    zoning functionality, the iSNS clients must implement the capability
    to enforce the zoning configurations that they learn about from the
    iSNS.
    
    iSNS clients include targets, initiators, management stations,
    and possibly even switches.  Zoning capability is a result of 
    implementing the enforcement capability in the appropriate iSNS
    clients.  For example, a switch can download IP address-
    defined zones from the iSNS and configure its ACL's so that only
    properly authorized initiators at the identified IP addresses can 
    access its directly-attached targets.
    
    Another example would be a target which self-enforces the zoning
    configuration that it learns about from the iSNS.  First, it downloads
    from the iSNS a list of zoned initiators identified by WWUI, which are
    allowed to access that target.  Optionally, this can also include the 
    public key of each of those initiators.  When an iSCSI initiator
    attempts to log into that client, the target will refuse the login
    unless the WWUI's match.  If spoofing of WWUI's is a concern, then
    the public key obtained from the iSNS can be used to verify the
    identity of the initiator.
    
    Josh
    
    
    > -----Original Message-----
    > From: jp.raghavendra@sun.com [mailto:jp.raghavendra@sun.com]
    > Sent: Thursday, December 14, 2000 10:51 PM
    > To: ips@ece.cmu.edu
    > Subject: iSNS and zoning 
    > 
    > 
    > >
    > 
    In looking at iSNS draft, I get the impression that the zoning service 
    as currently defined is a poor mimicking of its Fibre Channel counter
    part. In FC fabric, the switch has several mechanisms to prevent an
    N/NL_Port from unauthorised/unintended accesses, since it is part of
    the access path. However, with iSNS, which could be a stand alone name
    server, I'm having hard time understanding how this storage name server
    could enforce the claims made in the draft, such as:
    
    a)
    	> 3.1.3    Network Zoning Service
    
    	> .... snip ....
        	> The Network Zoning Service implements the functionality to support
        	> grouping of iSNS client devices into domains for administrative
    and
        	> access control purposes.
    	> .... 
    
    b)
    	> 4.3      Zone Object
    	>
    	> .... snip ....
        	> Zoning is a security and management mechanism used to partition
        	> storage resources.  Zoning prevents initiators from potentially
    	> logging in to every possible target during device discovery.
    	> ....
    
    iSNS as currently defined is only a repository of information of the so
    called zones. It has no way to prevent an authorised rogue iSCSI initiator
    from setting up a TCP connection with an iSCSI target. The best place to
    implement security and access control is the iSCSI target itself.
    
    
    -JP
    
    
    


Home

Last updated: Tue Sep 04 01:06:03 2001
6315 messages in chronological order