RE: ISCSI: User authentication vs. Machine Authentication for iSCSI
Jim,
I'm not sure the problem you mentioned is specific to iSCSI as I have seen
a user-level Fibre Channel driver in action.
The issue here is that the notion of user is an operating system
abstraction and has no meaning in domains in which the
OS has no administrative control (such as a SAN). Extending
the notion of a user outside the domain of an OS requires
primitives current SAN technology does not support (yet!).
Prasenjit Sarkar
Research Staff Member
IBM Almaden Research
San Jose
Jim Hafner/Almaden/IBM@IBMUS
Sent by: owner-ips@ece.cmu.edu
08/29/2001 03:00 PM
To: ips@ece.cmu.edu
cc:
Subject: RE: ISCSI: User authentication vs. Machine Authentication for iSCSI
Bill,
I think I understand your question, so here's a remark.
I think a problem that creeps in to the iSCSI space (that doesn't exist in
essentially every other existing SCSI stack) is that a user can write an
application that acts like an iSCSI initiator and never ever go through the
OS stack. (I've written an iSCSI initiator in Java that doesn't ever use
the host stack at all, just the standard network interfaces). So, I could
easily have multiple iSCSI Initiators running (even in user space) on the
same machine. At that point, I may want user level security.
If I didn't understand your question, I'll shut up (on this topic :-{))
Jim Hafner
"Bill Strahm" <bill@sanera.net>@ece.cmu.edu on 08/29/2001 02:23:20 pm
Sent by: owner-ips@ece.cmu.edu
To: <mbakke@cisco.com>
cc: "Ips@Ece. Cmu. Edu" <ips@ece.cmu.edu>
Subject: RE: ISCSI: User authentication vs. Machine Authentication for iSCSI
I am not sure that helped. Again, the model of a Tape drive...
The user does not own the tape drive, the operating system owns the tape
drive, when I (as a user) want to use the tape drive, I ask the operating
system, it grants me access, and I go on.
In fact from a purely SCSI level, I do not believe there is any concept of a
user at all, the Operating system on the device provides the concept of a
user through the OS abstraction layer.
The problem that I am having is that I do not see how I can make user
security work through the OS abstraction. And if the OS HAS to know about
the multiple users, I now have to trust the OS as well, which means that
effectively I have one user on the machine anyway...
Bill
-----Original Message-----
From: mbakke@cisco.com [mailto:mbakke@cisco.com]
Sent: Wednesday, August 29, 2001 2:06 PM
To: Bill Strahm
Cc: Ips@Ece. Cmu. Edu
Subject: Re: ISCSI: User authentication vs. Machine Authentication for iSCSI
Bill Strahm wrote:
>
> I have been fighting with this problem since I left LA.
>
> I am not aware of any usage scenarios today where block devices are owned by
> the user rather than the machine. I will concede that in many instances the
> first thing the system does is assign the resource to a use (tape, scanner,
> etc.) but the machine still owns the resource and can in fact remove it out
> from under the user...
>
> I am not too certain how I could build a trusted iSCSI environment where one
> user would have no knowledge about what was happening with other users in a
> malicious environment (especially where a system was participating in the
> exposure of resources). Examples of this include things like co-located Web
> hosting where a single user scans process memory looking for 1Kbit of random
> data, and when finding it attempts to determine if that is the private key
> of a user sharing the resource.
>
> The reason I am bringing this up, is I am not sure trying to define security
> above the machine level makes any sense for iSCSI. Aren't most SCSI devices
> owned by the Operating System not the User and partitioned out by the
> Operating System to the users? If this is the case many of our
> authentication methods simplify to simple IKE identities.
>
> Bill
Bill-
As you pointed out, there is a case where just using IKE with
an iSCSI AuthMethod of "none" is valid. That case is where:
- There is a one-to-one correspondence between an initiator and an
operating system
- IPsec is being used for all iSCSI traffic
- The customer is willing to deploy public key certificates on the
client side (for each initiator) as well as on the devices
If all of the above are true, iSCSI can certainly use an AuthMethod
of none, and be done with it.
However,
- There are cases (David Black brought up some tape applications) where
more than one initiator might exist on an operating system
- IPsec is not likely to be used for a large percentage of iSCSI
traffic any time soon
- When IPsec is used, many customers will have an easier time with the
familiar model of authenticating the server "machine" but using a
dummy certificate for the client.
If any of the above are true, iSCSI-level authentication is
required.
Hope this helps,
Mark
Last updated: Tue Sep 04 01:03:51 2001