RE: iSNS zoning

Wayland,

Based on the documentation that I have, Brocade switches still implement both soft and hard zoning, and hard zones can span fabric switches.

Hard zoning is done between fabric switch ports (i.e. switch 1 port 1, and switch 2 port 4). Devices attached to those ports are then "hard" zoned. You do not specify individual initiator/target devices to be in a hard zone, only fabric switch ports. Enforcement is done at both the switch and SNS query level.

Soft zoning occurs when you specify an individual initiator or target to be in a zone. This is done by specifying either the node or port world-wide name (WWN) of a device. Enforcement is done at the SNS query level.

Both hard and soft zoning information is stored in the Fibre Channel Directory and Management Service. These are commonly called Fibre Channel Generic Services. This is documented as part of the T11 FC-GS-3 standard. The current version is located at www.t11.org. Some companies call their implementation of this standard the "Simple Name Server".

As Josh and you mention, with proper keying and access control, an iSNS implementation should be able to provide a repository of objects/information required to provide hard and soft zoning capabilities at an individual initiator/target level.

Regards,
Kevin

-----Original Message-----
From: Wayland Jeong [mailto:wayland@troikanetworks.com]
Sent: Saturday, December 16, 2000 6:48 PM
To: 'Raghavendra Rao '; 'ips@ece.cmu.edu '
Subject: RE: iSNS zoning

[ stuff about iSNS zoning deleted ]

> iSNS as currently defined is only a repository of information of the so
> called zones. It has no way to prevent an authorised rogue iSCSI initiator
> from setting up a TCP connection with an iSCSI target. The best place to
> implement security and access control is the iSCSI target itself.
>

There are two types of zoning that current FC switches implement. One is hard zoning and the other is soft zoning. First generation Brocade switches implemented soft zoning which simply hides things in the name server. There is nothing preventing a rogue device from communicating with an un-zoned target. Current generation switches implement hard zoning which is typically a port-to-port kind of security. I'm actually not sure if a Brocade switch can do hard/port zoning across switches (i.e. zoneCreate "0,0 ; 1,4"). Anyone know?

In any event, iSNS can hide things in the name server just like a soft zoned fabric. Any level of hardware-based zoning would require a clever "implementation" (there's that word again ;-> ) of an iFCP gateway. I must admit, it is a bit difficult to discern where a specification ends and an "implementation" begins.

Anyway, I hope this helps.

> -JP
>

-Wayland
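
The two enforcement points discussed in this message, as an added example that is not part of the original thread: a constructed Python model in which soft (WWN) zones filter only name server queries, while hard (port) zones are also checked when frames are forwarded. The class and function names, the WWN strings and the rule that a fabric without hard zones forwards every frame are assumptions made for illustration, not any switch or iSNS API.

```python
# Constructed toy model of the two enforcement points; not a switch or iSNS API.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Device:
    wwn: str     # world-wide name (constructed sample value)
    port: tuple  # (switch, port) the device is plugged into

@dataclass
class Fabric:
    devices: list
    soft_zones: list = field(default_factory=list)  # each zone: set of WWNs
    hard_zones: list = field(default_factory=list)  # each zone: set of (switch, port)

    def _soft_ok(self, a, b):
        return any(a.wwn in z and b.wwn in z for z in self.soft_zones)

    def _hard_ok(self, a, b):
        return any(a.port in z and b.port in z for z in self.hard_zones)

    def name_server_query(self, asker):
        # SNS-level enforcement: both zone types filter what a query returns.
        return [d.wwn for d in self.devices
                if d != asker and (self._soft_ok(asker, d) or self._hard_ok(asker, d))]

    def forward_frame(self, src, dst):
        # Switch-level enforcement: only port (hard) zones are checked on the data path.
        # Assumption: a fabric with no hard zones forwards every frame.
        return self._hard_ok(src, dst) if self.hard_zones else True

def demo():
    host = Device("wwn-host", (1, 1))
    target = Device("wwn-target", (2, 4))
    other = Device("wwn-other", (1, 2))      # not a member of any zone
    devs = [host, target, other]
    soft = Fabric(devs, soft_zones=[{"wwn-host", "wwn-target"}])
    hard = Fabric(devs, hard_zones=[{(1, 1), (2, 4)}])
    moved = Device("wwn-other", (1, 1))      # same device re-cabled to a zoned port
    return {
        "soft_query_other": soft.name_server_query(other),      # hidden in name server
        "soft_frame_other": soft.forward_frame(other, target),  # but not blocked
        "hard_query_other": hard.name_server_query(other),
        "hard_frame_other": hard.forward_frame(other, target),  # blocked at the switch
        "hard_frame_host": hard.forward_frame(host, target),
        "hard_frame_moved": hard.forward_frame(moved, target),  # zone follows the port
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The last entry shows the consequence of zoning ports rather than devices: membership follows whatever is attached to the zoned port, so physical port access becomes part of the access control boundary.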
Last updated: Tue Sep 04 01:06:03 2001 6315 messages in chronological order