
    RE: iSCSI and secure boot



    Bernard, Julian,
    
    > > Can you describe a secure diskless boot that does not require individual
    > > setup of each?
    >
    > Some touching of each PC is required. However, the question is whether:
    
    It would be impossible to make a stable boot image that depended on revision
    1 of a protocol about to hit the market.  As such, it is misguided to
    consider using DHCP options to allow direct booting of iSCSI.  Once security
    is considered, it becomes even more obvious that a two step process is
    required to allow needed flexibility and manageability.  Once a management
    scheme is selected that is suitable for an enterprise deployment, LDAP or
    commercial equivalents are a good candidate.  Attempting to place this
    management function on the iSCSI server complicates iSCSI and ensures no
    common method of promulgating management.  In this respect, I differ from
    the opinion of David Black.  David likes to construe an LDAP server as too
    difficult and wishes to fulfill this management need with various other
    inventions.
    
    > a. The setup requires setup of multiple credentials, or just
    > one. Note that BIS requires each PC to be configured with certificate of
    > the boot image signing authority. However, this does not provide client
    > authentication capabilities - so if you want to authenticate iSCSI or
    > DHCP, or anything else, then you'd need additional credentials.
    
    This second step could depend fully on TFTP and a DUA for LDAP.  This second
    layer should divorce itself from iSCSI other than to establish an
    environment suitable for individualized booting using iSCSI.  This seems
    quite possible to implement and to promote as a reference implementation
    once a schema is defined for LDAP.  It would not require changes to existing
    system efforts but instead build upon them.  The goal would be to provide a
    single simple boot that would *not* require change and yet allow the passing
    of variables and images required for the evolution of iSCSI.  Just this
    initial boot would be accommodated by the DHCP, TFTP, and booting system.
    DHCP already provides a significant amount of flexibility.
    
    > b. Whether *per-interface* credentials are needed (e.g. authenticated DHCP
    > draft -16), or *per-machine*. Per-interface credentials require the
    > machine to be touched every time an interface is added or removed, not
    > just when the machine is shipped by the OEM.
    
    LDAP could provide the needed database required to provide the correct
    images in a highly flexible manner.  As this type of server is often a
    critical server in an enterprise environment, it seems like a very safe
    choice.  Julian's concern about not understanding this environment should
    encourage the use of existing schemes rather than reinventing new ones.
    Think of booting as a minimum of a two-step process.  A simple secure image
    coupled with information from a secure LDAP server to then obtain the next
    step.  The only code that would need to be learned would be the DUA, and
    TFTP.
    
    Doug
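The two-step boot Doug describes (a fixed, signed stage-1 image that consults a directory entry for the host, verifies the stage-2 image it is told to fetch, and only then hands over the iSCSI target and initiator names) can be sketched as a small simulation. This is an added example, not code from the message or from any iSCSI or LDAP project: the LDIF attribute names (`bootImagePath`, `bootImageSHA256`, `iscsiTarget`, `iscsiInitiatorName`) are hypothetical, since the message itself says no LDAP schema has been defined yet; the directory records, image bytes and MAC addresses are constructed; and the LDAP and TFTP transports are assumed to have already delivered the data over the authenticated channel the message presupposes, so only the lookup and integrity-check logic is shown.

```python
"""Simulated stage-1 boot logic: directory lookup, stage-2 image check, iSCSI parameters.

Added example with hypothetical attribute names and constructed data; it does not
talk to a real LDAP or TFTP server.
"""
import hashlib
import hmac

# Constructed stand-in for the TFTP server's image directory (path -> bytes).
IMAGE_STORE = {
    "images/stage2-v3.bin": b"STAGE2 v3: iscsi initiator + DUA client (constructed bytes)",
    "images/stage2-v2.bin": b"STAGE2 v2: older initiator (constructed bytes)",
}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an image blob, the value the directory record is expected to carry."""
    return hashlib.sha256(data).hexdigest()


# Constructed LDIF records, one per host, keyed by MAC address. Attribute names are
# hypothetical placeholders for a schema the message says still has to be defined.
# The second host deliberately carries a stale digest to show the failure path.
DIRECTORY_LDIF = f"""\
dn: cn=00:11:22:33:44:55,ou=bootHosts,dc=example,dc=com
cn: 00:11:22:33:44:55
bootImagePath: images/stage2-v3.bin
bootImageSHA256: {sha256_hex(IMAGE_STORE["images/stage2-v3.bin"])}
iscsiTarget: iqn.2001-09.com.example:storage.host1
iscsiInitiatorName: iqn.2001-09.com.example:host1

dn: cn=66:77:88:99:aa:bb,ou=bootHosts,dc=example,dc=com
cn: 66:77:88:99:aa:bb
bootImagePath: images/stage2-v2.bin
bootImageSHA256: {"0" * 64}
iscsiTarget: iqn.2001-09.com.example:storage.host2
iscsiInitiatorName: iqn.2001-09.com.example:host2
"""


def parse_ldif(text: str) -> dict:
    """Parse simple 'attr: value' LDIF blocks into {dn: {attr: value}}.

    Handles only the unfolded, non-base64 form used in the constructed data above.
    """
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            name, _, value = line.partition(": ")
            attrs.setdefault(name, []).append(value)
        dn = attrs.pop("dn")[0]
        entries[dn] = {k: v[0] if len(v) == 1 else v for k, v in attrs.items()}
    return entries


def lookup_boot_entry(directory: dict, mac: str):
    """Return the host's boot record, or None if the directory has no entry for it."""
    dn = f"cn={mac.lower()},ou=bootHosts,dc=example,dc=com"
    return directory.get(dn)


def stage1_boot(mac: str, directory: dict, image_store: dict) -> dict:
    """What the fixed stage-1 image would do after DHCP/TFTP brought it up.

    Looks up the host, fetches the stage-2 image it is told to use, refuses to run
    it unless its digest matches the directory record, and only then returns the
    iSCSI parameters that the stage-2 initiator needs.
    """
    entry = lookup_boot_entry(directory, mac)
    if entry is None:
        raise LookupError(f"no boot entry for {mac}")
    image = image_store.get(entry["bootImagePath"])
    if image is None:
        raise FileNotFoundError(entry["bootImagePath"])
    # Constant-time comparison of the hex digests; a mismatch means a stale record
    # or an altered image, and in either case stage 1 must not execute it.
    if not hmac.compare_digest(sha256_hex(image), entry["bootImageSHA256"]):
        raise ValueError("stage-2 image digest mismatch; refusing to boot")
    return {
        "image": entry["bootImagePath"],
        "target": entry["iscsiTarget"],
        "initiator": entry["iscsiInitiatorName"],
    }


if __name__ == "__main__":
    directory = parse_ldif(DIRECTORY_LDIF)
    print(stage1_boot("00:11:22:33:44:55", directory, IMAGE_STORE))
    try:
        stage1_boot("66:77:88:99:aa:bb", directory, IMAGE_STORE)
    except ValueError as exc:
        print("host2:", exc)
```

The point of keeping the digest check in stage 1 is the one the message makes about stability: the stage-1 image never changes as iSCSI evolves, because everything version-specific (the stage-2 image path and its expected digest, the target and initiator names) lives in the per-host directory record, and stage 1 only needs to know how to query the directory and compare a hash.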
    
    
    



Last updated: Tue Sep 04 01:04:35 2001