Re: iSCSI and secure boot

> You should review information regarding the two step process for booting.
> http://www.intel.com/ial/wfm/tools/bis/
> http://www.intel.com/ial/wfm/wfmspecs.htm
>
> You seem confused about the way keys are created. You also suggest to have
> TFTP replaced with iSCSI, suggesting something as complex as iSCSI is easily
> coded in a primitive boot environment. That makes little sense if the goal
> is to minimize the amount of support required, and would not likely interest
> system or network adapter manufacturers.

Again it appears that we are talking about two different things, so this will be my last comment on this thread. I am aware of the Intel boot initiatives. I was not suggesting that we require a full iSCSI in PROM, just using it as an example that the problem of secure keying exists regardless of the protocol used, from the trivial TFTP to the complex iSCSI. That said, someone will eventually put a full iSCSI initiator into PROM.

> > No, it is not the issue of updating the boot image, but updating the keys
> > that doesn't scale.
>
> Again, what problem are you attempting to solve? I know of no system that
> does not require some initial setup. The problems you are concerned with
> are being addressed. I would endorse only using stable protocols in this
> boot process, and that is the reason for using LDAP versus mucking with DHCP
> and placing management functions within the iSCSI transport.

Again, this whole discussion is about how to reliably and securely boot iSCSI. This topic necessarily focuses on how to ensure that the client can be securely identified, thus using some sort of key that is manageable. Finally, I can't understand how the current proposal mucks with DHCP; it uses the standard mechanisms. As described, it specifies a new option code, which is a trivial thing to implement, and it has also been proposed to use existing option codes. There is no invention here, and in fact it is simpler than specifying an LDAP schema.

-David
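To make concrete what the reply means by a new DHCP option code being "a trivial thing to implement", here is an added example that is not part of the original message, the proposal it refers to, or any vendor's boot ROM. It encodes and parses the DHCP options area in the RFC 2132 TLV layout (code, length, value; pad = 0 and end = 255 carry no length byte), once with the existing Root Path option (code 17) and once with a site-specific code. The code 224, the `iscsi:` target string and the sample packet are all constructed assumptions for illustration; the proposal's actual option number and payload format are not given on this page.

```python
"""Added example: encode and parse the DHCP options area (RFC 2132 TLV layout).

Illustrative code written for this page, not the iSCSI-boot proposal under
discussion or any boot ROM.  Every option is <code><length><value>, with two
exceptions (pad = 0 and end = 255, which have no length byte), so adding a
new option means adding one more code to a table the client already walks.
Option code 224 below is an ASSUMPTION taken from the site-specific range
(224-254); the real proposal's code and payload format are not on this page.
"""
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"  # magic cookie that precedes the options area
OPT_PAD, OPT_END = 0, 255
OPT_ROOT_PATH = 17         # existing RFC 2132 option ("existing option codes")
OPT_MSG_TYPE = 53          # DHCP message type
OPT_SITE_ISCSI = 224       # ASSUMED site-specific code, illustration only


def encode_options(options):
    """Serialize (code, value) pairs into an options area terminated by END.

    Values longer than 255 bytes are rejected: the length field is one octet,
    so a longer payload would need splitting across repeated options, which
    this example deliberately does not attempt.
    """
    out = bytearray(DHCP_MAGIC)
    for code, value in options:
        if not 1 <= code <= 254:
            raise ValueError("option code %d is not encodable as TLV" % code)
        if len(value) > 255:
            raise ValueError("option %d payload exceeds one-octet length" % code)
        out += struct.pack("BB", code, len(value)) + value
    out.append(OPT_END)
    return bytes(out)


def parse_options(blob):
    """Return a list of (code, value) pairs found in the options area.

    Malformed input (bad cookie, a length that runs past the buffer, missing
    END) raises ValueError instead of returning partial results: a boot
    client acting on a half-parsed option is exactly what a careless parser
    would permit.
    """
    if blob[:4] != DHCP_MAGIC:
        raise ValueError("missing DHCP magic cookie")
    i, found = 4, []
    while i < len(blob):
        code = blob[i]
        i += 1
        if code == OPT_PAD:          # single pad byte, no length field
            continue
        if code == OPT_END:          # end marker, no length field
            return found
        if i >= len(blob):
            raise ValueError("option %d has no length byte" % code)
        length = blob[i]
        i += 1
        if i + length > len(blob):
            raise ValueError("option %d length %d overruns buffer" % (code, length))
        found.append((code, bytes(blob[i:i + length])))
        i += length
    raise ValueError("options area not terminated by END")


def demo():
    """Round-trip a constructed options area carrying a boot target string."""
    # Constructed sample: a DHCPACK (message type 5), the existing Root Path
    # option, and the assumed site-specific option carrying the same string.
    target = b"iscsi:192.0.2.10::3260:0:iqn.2001-08.example:boot"
    opts = [
        (OPT_MSG_TYPE, b"\x05"),
        (OPT_ROOT_PATH, target),
        (OPT_SITE_ISCSI, target),
    ]
    blob = encode_options(opts)
    # A pad byte inserted after the cookie must be skipped transparently.
    padded = blob[:4] + bytes([OPT_PAD]) + blob[4:]
    return parse_options(padded)


if __name__ == "__main__":
    for code, value in demo():
        print(code, value)
```

Note that the parser treats the option payload as opaque bytes; whatever key or identity material a secure-boot proposal carries in such an option still has to be authenticated by something outside DHCP, which is the keying problem the thread is actually arguing about.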
Last updated: Tue Sep 04 01:04:34 2001