RE: Security Use Requirements

> I think it might help to explicitly define what you mean by "correct".
> For example, it might be possible for the iSCSI target to control
> access to LUNs based on characteristics of the certs negotiated
> in IKE, and characteristics of the IPSEC SA. However, I wouldn't
> suggest that something like this (which requires more advanced
> APIs than are generally available) is required or even
> generally useful.

The more important problem is one level closer to the network. iSCSI envisions and allows multiple targets behind a single IP address and TCP port. The targets are named (via WWUIs) in a fashion that neither IPsec nor TLS can be expected to understand natively (and I strongly agree with the comment about not changing IKE being the preferred course). Bernard's comments about linking iSCSI identity or proof of identity to IPSec are along the lines of what needs to be done here.

We should stay away from individual LUN access issues, for two reasons:

(1) They're in T10's domain and T10 is working on them.
(2) There really aren't any standard ways to do this sort of thing currently deployed in the Fibre Channel world, yet.

Some words on how to accomplish this by using a (virtual) target per initiator or group of initiators whose access privileges need to be distinguished would be worth including as an example, but such an approach probably should not be required.

--David
---------------------------------------------------
David L. Black, Senior Technologist
EMC Corporation, 42 South St., Hopkinton, MA 01748
+1 (508) 435-1000 x75140 FAX: +1 (508) 497-8500
black_david@emc.com Mobile: +1 (978) 394-7754
---------------------------------------------------
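As an added illustration of the point made in this message (example code, not part of David's mail or of any iSCSI implementation), a target-side login check that binds the identity IKE authenticated to the iSCSI InitiatorName and then decides access per virtual target, since every target behind the shared IP address and port is reached over the same IPsec SA. The IKE identities, the WWUI-style names and the policy table are constructed assumptions.

```python
# Added example (not from the thread): a target-side login check that binds the
# identity an IPsec SA authenticated to the iSCSI identities carried in the login,
# for several virtual targets sharing one IP address and TCP port.
# All names, groups and the policy table below are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class IpsecSa:
    """Facts the target learns from its own IPsec SA, not from the iSCSI stream."""
    peer_identity: str      # e.g. the IKE certificate subject (constructed value)
    peer_address: str


# Constructed policy: which iSCSI initiator names each IKE identity may claim,
# and which virtual target(s) each initiator (group) is allowed to log in to.
SA_IDENTITY_TO_INITIATORS = {
    "CN=host-a.example": {"wwui:initiator-a"},
    "CN=host-b.example": {"wwui:initiator-b"},
}
INITIATOR_TO_TARGETS = {
    "wwui:initiator-a": {"wwui:vtarget-group-1"},
    "wwui:initiator-b": {"wwui:vtarget-group-2"},
}


def parse_login_keys(login_text: str) -> dict:
    """Parse iSCSI login text keys ('Key=Value' pairs, NUL separated)."""
    pairs = (p.split("=", 1) for p in login_text.split("\x00") if "=" in p)
    return {k: v for k, v in pairs}


def authorize_login(sa: IpsecSa, login_text: str) -> tuple:
    """Decide whether this login may proceed on this SA; returns (ok, reason).

    The SA alone cannot distinguish targets: every target behind the shared
    endpoint is reached over the same SA, so TargetName must be checked here.
    """
    keys = parse_login_keys(login_text)
    initiator = keys.get("InitiatorName")
    target = keys.get("TargetName")
    if not initiator or not target:
        return False, "login is missing InitiatorName or TargetName"
    # Bind the iSCSI initiator identity to the identity IKE authenticated.
    if initiator not in SA_IDENTITY_TO_INITIATORS.get(sa.peer_identity, set()):
        return False, f"{initiator!r} is not bound to IKE identity {sa.peer_identity!r}"
    # Per-group virtual target: access is decided per target, not per LUN.
    if target not in INITIATOR_TO_TARGETS.get(initiator, set()):
        return False, f"{initiator!r} may not log in to {target!r}"
    return True, "ok"
```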