    RE: ISCSI: User authentication vs. Machine Authentication for iSCSI



    Hi Bill:
    
    Everything you say is right, up to a point. The functionality envisioned is
    a virtualization environment in which the operating system, acting on behalf
    of a user, instantiates an initiator entity at the bottom of the O/S driver
    stack.  That entity in turn, may be logged into a virtualized storage
    environment created specifically for that user. Afterwards, all i/o directed
    to that initiator is controlled by the standard O/S mechanisms.
    
    All this is analogous to plugging in a new hardware HBA. The powerful
    feature in this case is the ability to totally control the 'HBA's' view of
    the storage network.
    
    Charles 
    > -----Original Message-----
    > From: Bill Strahm [mailto:bill@sanera.net]
    > Sent: Wednesday, August 29, 2001 2:23 PM
    > To: mbakke@cisco.com
    > Cc: Ips@Ece. Cmu. Edu
    > Subject: RE: ISCSI: User authentication vs. Machine Authentication for
    > iSCSI
    > 
    > 
    > I am not sure that helped.  Again, the model of a Tape drive...
    > 
    > The user does not own the tape drive, the operating system owns the tape
    > drive, when I (as a user) want to use the tape drive, I ask the operating
    > system, it grants me access, and I go on.
    > 
    > In fact from a purely SCSI level, I do not believe there is any concept of a
    > user at all, the Operating system on the device provides the concept of a
    > user through the OS abstraction layer.
    > 
    > The problem that I am having is that I do not see how I can make user
    > security work through the OS abstraction.  And if the OS HAS to know about
    > the multiple users, I now have to trust the OS as well, which means that
    > effectively I have one user on the machine anyway...
    > 
    > Bill
    > 
    > -----Original Message-----
    > From: mbakke@cisco.com [mailto:mbakke@cisco.com]
    > Sent: Wednesday, August 29, 2001 2:06 PM
    > To: Bill Strahm
    > Cc: Ips@Ece. Cmu. Edu
    > Subject: Re: ISCSI: User authentication vs. Machine Authentication for
    > iSCSI
    > 
    > 
    > Bill Strahm wrote:
    > >
    > > I have been fighting with this problem since I left LA.
    > >
    > > I am not aware of any usage scenarios today where block devices are owned by
    > > the user rather than the machine.  I will concede that in many instances the
    > > first thing the system does is assign the resource to a use (tape, scanner,
    > > etc.) but the machine still owns the resource and can in fact remove it out
    > > from under the user...
    > >
    > > I am not too certain how I could build a trusted iSCSI environment where one
    > > user would have no knowledge about what was happening with other users in a
    > > malicious environment (especially where a system was participating in the
    > > exposure of resources).  Examples of this include things like co-located Web
    > > hosting where a single user scans process memory looking for 1Kbit of random
    > > data, and when finding it attempts to determine if that is the private key
    > > of a user sharing the resource.
    > >
    > > The reason I am bringing this up, is I am not sure trying to define security
    > > above the machine level makes any sense for iSCSI.  Aren't most SCSI devices
    > > owned by the Operating System not the User and partitioned out by the
    > > Operating System to the users ?  If this is the case many of our
    > > authentication methods simplify to simple IKE identities.
    > >
    > > Bill
    > 
    > Bill-
    > 
    > As you pointed out, there is a case where just using IKE with
    > an iSCSI AuthMethod of "none" is valid.  That case is where:
    > 
    > - There is a one-to-one correspondence between an initiator and an
    >   operating system
    > - IPsec is being used for all iSCSI traffic
    > - The customer is willing to deploy public key certificates on the
    >   client side (for each initiator) as well as on the devices
    > 
    > If all of the above are true, iSCSI can certainly use an AuthMethod
    > of none, and be done with it.
    > 
    > However,
    > 
    > - There are cases (David Black brought up some tape applications) where
    >   more than one initiator might exist on an operating system
    > 
    > - IPsec is not likely to be used for a large percentage of iSCSI
    >   traffic any time soon
    > 
    > - When IPsec is used, many customers will have an easier time with the
    >   familiar model of authenticating the server "machine" but using a
    >   dummy certificate for the client.
    > 
    > If any of the above are true, iSCSI-level of authentication is
    > required.
    > 
    > Hope this helps,
    > 
    > Mark
    > 
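
Mark's three conditions for relying on IKE with an AuthMethod of "none", written as an audit over a login offer. This is an added example, not part of the thread or of any project's code; the `Deployment` fields, function names and sample login bytes are constructed, and the text-key layout (NUL-terminated key=value pairs with comma-separated values) and the treatment of a missing AuthMethod key as None are assumptions.

```python
from dataclasses import dataclass

# Constructed sample of a login text segment (not captured traffic).
SAMPLE = b"InitiatorName=example-initiator\x00AuthMethod=CHAP,None\x00"

@dataclass
class Deployment:
    """Constructed description of one host; field names are hypothetical."""
    initiators_on_os: int      # initiator entities instantiated on this OS
    ipsec_all_traffic: bool    # IPsec protects all iSCSI traffic
    per_initiator_cert: bool   # real certificate per initiator, not a dummy

def parse_login_keys(segment: bytes) -> dict:
    """Parse NUL-terminated key=value pairs into {key: [values]}."""
    keys = {}
    for pair in segment.split(b"\x00"):
        if not pair:
            continue
        key, sep, value = pair.decode("ascii").partition("=")
        if not sep:
            raise ValueError(f"malformed text key: {pair!r}")
        keys[key] = value.split(",")
    return keys

def reasons_iscsi_auth_required(dep: Deployment) -> list:
    """Return which of the conditions from the message this host fails."""
    reasons = []
    if dep.initiators_on_os > 1:
        reasons.append("more than one initiator on the operating system")
    if not dep.ipsec_all_traffic:
        reasons.append("IPsec does not cover all iSCSI traffic")
    if not dep.per_initiator_cert:
        reasons.append("client side has no per-initiator certificate")
    return reasons

def audit(segment: bytes, dep: Deployment) -> list:
    """Flag an offer that permits None where IKE identity alone is not enough."""
    # Assumption: an absent AuthMethod key is treated as an offer of None.
    offered = parse_login_keys(segment).get("AuthMethod", ["None"])
    if "None" not in offered:
        return []
    return reasons_iscsi_auth_required(dep)

if __name__ == "__main__":
    shared_host = Deployment(2, False, False)
    for reason in audit(SAMPLE, shared_host):
        print("AuthMethod None offered but:", reason)
```
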
    


Last updated: Tue Sep 04 01:03:51 2001