
    RE: Security Use Requirements



    > I think it might help to explicitly define what you mean by "correct".
    > For example, it might be possible for the iSCSI target to control
    > access to LUNs based on characteristics of the certs negotiated
    > in IKE, and characteristics of the IPSEC SA. However, I wouldn't
    > suggest that something like this (which requires more advanced
    > APIs than are generally available) is required or even
    > generally useful.
    
    The more important problem is one level closer to the network.
    iSCSI envisions and allows multiple targets behind a single IP
    address and TCP port.  The targets are named (via WWUIs) in a
    fashion that neither IPsec nor TLS can be expected to understand
    natively (and I strongly agree with the comment about not
    changing IKE being the preferred course).  Bernard's comments
    about linking iSCSI identity or proof of identity to IPSec are
    along the lines of what needs to be done here.
    
    We should stay away from individual LUN access issues, for
    two reasons:
    (1) They're in T10's domain and T10 is working on them.
    (2) There really aren't any standard ways to do this sort of thing
        currently deployed in the Fibre Channel world, yet.
    Some words on how to accomplish this by using a (virtual) target per
    initiator or group of initiators whose access privileges need to be
    distinguished would be worth including as an example, but such
    an approach probably should not be required.
    
    --David
    ---------------------------------------------------
    David L. Black, Senior Technologist
    EMC Corporation, 42 South St., Hopkinton, MA  01748
    +1 (508) 435-1000 x75140     FAX: +1 (508) 497-8500
    black_david@emc.com       Mobile: +1 (978) 394-7754
    ---------------------------------------------------
    
    


Last updated: Tue Sep 04 01:05:32 2001