RE: iSNS zoning

[Wayland Jeong <wayland@troikanetworks.com>]

[ stuff about iSNS zoning deleted ] 

> iSNS as currently defined is only a repository of information of the so 
> called zones. It has no way to prevent an authorised rogue iSCSI initiator

> from setting up a TCP connection with an iSCSI target. The best place to 
> implement security and access control is the iSCSI target itself. 
> 
There are two types of zoning that current FC switches implement. One is
hard zoning and the other is soft zoning. First generation Brocade switches
implemented soft zoning which simply hides things in the name server. There
is nothing preventing a rogue device from communicating with an un-zoned
target. Current generation switches implement hard zoning which is typically
a port-to-port kind of security. I'm actually not sure if a Brocade switch
can do hard/port zoning across switches (i.e. zoneCreate "0,0 ; 1,4").
Anyone know?

In any event, iSNS can hide things in the name server just like a soft zoned
fabric. Any level of hardware-based zoning would require a clever
"implementation" (there's that word again ;-> ) of an iFCP gateway.

I must admit, it is a bit difficult to discern where a specification ends
and an "implementation" begins.

Anyway, I hope this helps. 

> -JP 
> 
-Wayland