
    RE: iSCSI and secure boot



    David,
    
    > Again this whole discussion is about how to reliably securely boot
    > iSCSI. This topic necessarily focuses on how to ensure that the client
    > can be securely identified, thus using some sort of key that is
    > manageable.
    >
    > Finally I can't understand how the current proposal mucks with DHCP, it
    > uses the standard mechanisms. As described it specifies a new option code
    > which is a trivial thing to implement and it has also been proposed to
    > use existing option codes.  There is no invention here, and in fact it is
    > simpler than specifying an LDAP schema.
    
    You are suggesting that two versions of iSCSI be created.  One that can
    exist within the lean environment within pre-boot and another within the OS
    of your choice.  I am not convinced that the prior version of iSCSI would be
    a wise investment for many reasons.
    
    If you have some difficulty with the manner in which the Wire-For-Management
    proposals work, perhaps you could address those points specifically.  At
    least it would come from a perspective that illustrates your concern as to
    why the Boot-Integrity-Service, Pre-Execution-Environment, and
    Wired-for-management solutions are not meeting the needs of enabling a
    secure boot.  I for one would like to understand your concern.
    
    The invention comes from redefining the purpose of DHCP options as a means
    of extracting the needed management functions which are then used in
    conjunction with embedded queries within the iSCSI transport.  As if iSCSI
    was not complex enough, placing this management function into the transport
    is where I am suggesting there is again over-reaching.  This is not a
    required approach nor one that takes advantage of available services.  In
    addition to that, a boot image would be far more stable using LDAP than to
    depend on the ability to modify DHCP to provide tailored responses for then
    interaction within iSCSI.  You seem to suggest that reinventing these
    services is easier than understanding what already exists.  This type of
    tailoring should be done using LDAP and not with DHCP or iSCSI or yet
    another new server service.
    
    Doug
    
    


Last updated: Tue Sep 04 01:04:34 2001