SORT BY:

LIST ORDER
THREAD
AUTHOR
SUBJECT


SEARCH

IPS HOME


    [Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

    RE: iSCSI: Stand alone SAN network configuration change notice.



    > If you feel ICMP is off the table, then consider this suggestion as a
    > general signaling mechanism using UDP.
    
    Like SNMP Notifications?  I'd suggest looking there as one possibility.
    
    > Although the affected programs may
    > be at the application level, the change notification would be changes in
    > assignments or function within the physical networks through a SAN bridge,
    > router or switch.  The suggestion that I made included notice and reply to
    > overcome your delivery concern.
    
    In other words, a new reliable delivery mechanism.  That's not likely to
    make it through the transport ADs.
    
    > If you look at RFC2521 (1999 experimental)
    > you will see ICMP used to signal security failures.
    
    That's for IPsec, which is layer 3, whereas all the IPS protocols are layer
    5.
    The fact that this can be made to work doesn't make it a good design
    decision from an architectural standpoint.
    
    > As the server and the
    > SAN network is likely inside the firewall, there should be few such issues
    > related to ICMP for this type of signaling concerning IPSec and may be
    > viewed as a feature.
    
    Definitely a bad design assumption.  IPS protocols will almost certainly
    run over VPN links that are implemented by IPSec security gateways,
    and ICMP has a poor track record of interaction with such gateways.
    
    >  I have no trouble
    > looking elsewhere such as UDP but I must say I do not agree with your
    > conclusions.  Considering such a signaling mechanism may impact the
    various
    > transports if such signaling is standardized, reflector bandwidth should
    not
    > be a major concern to resolve if changing existing network services are
    the
    > best solution or if a more general and simpler scheme may be of greater
    > utility.
    
    In case I'm not making myself clear - I have no problem with work on
    notification issues and use of the reflector to explore solutions (e.g.,
    see my previous comments on iSNS's ability to handle this).  My issue
    is solely with ICMP - extending it is not an appropriate approach to this
    area and hence I am strongly advising the WG to look elsewhere.
    
    Considering Doug's past complaint that:
    
    	It would seem that IPS can do anything out of the architectural norm
    they
    		desire
    
    I'm quite surprised to find Doug pushing something that is clearly
    "out of the architectural norm".  Do I need to get out a bigger
    clue-by-four?
    
    --David
    
    ---------------------------------------------------
    David L. Black, Senior Technologist
    EMC Corporation, 42 South St., Hopkinton, MA  01748
    +1 (508) 435-1000 x75140     FAX: +1 (508) 497-8500
    black_david@emc.com       Mobile: +1 (978) 394-7754
    ---------------------------------------------------
    
    


Home

Last updated: Tue Sep 04 01:04:25 2001
6315 messages in chronological order