RE: iSCSI and secure boot

David,

> Again this whole discussion is about how to reliably securely boot
> iSCSI. This topic necessarily focuses on how to insure that the client
> can be securely identified, thus using some sort of key that is
> manageable.
>
> Finally I can't understand how the current proposal mucks with DHCP, it
> uses the standard mechanisms. As described it specifies a new option code
> which is a trivial thing to implement and it has also been proposed to
> use existing option codes. There is no invention here, and in fact it is
> simpler than specifying an LDAP schema.

You are suggesting that two versions of iSCSI be created. One that can exist within the lean environment within pre-boot and another within the OS of your choice. I am not convinced that the prior version of iSCSI would be a wise investment for many reasons.

If you have some difficulty with the manner in which the Wire-For-Management proposals work, perhaps you could address those points specifically. At least it would come from a perspective that illustrates your concern as to why the Boot-Integrity-Service, Pre-Execution-Environment, and Wired-for-management solutions are not meeting the needs of enabling a secure boot. I for one would like to understand your concern.

The invention comes from redefining the purpose of DHCP options as a means of extracting the needed management functions which are then used in conjunction with embedded queries within the iSCSI transport. As if iSCSI was not complex enough, placing this management function into the transport is where I am suggesting there is again over-reaching. This is not a required approach nor one that takes advantage of available services. In addition to that, a boot image would be far more stable using LDAP than to depend on the ability to modify DHCP to provide tailored responses for then interaction within iSCSI.

You seem to suggest that reinventing these services is easier than understanding what already exists. This type of tailoring should be done using LDAP and not with DHCP or iSCSI or yet another new server service.

Doug
Last updated: Tue Sep 04 01:04:34 2001