RE: IKE and iSCSI Authentication

David,

Up to this point in time the item that we have put into the ACL was the iSCSI Initiator Node Name, NOT a UserID. This is a new and different thought, and we need to completely understand the impact. We spent a great deal of time making sure that the iSCSI Initiator Node Name was unique in the world, and now we seem to only care about the UserID. There is clearly something new or missing here in our thoughts.

. . .
John L. Hufferd
Senior Technical Staff Member (STSM)
IBM/SSG San Jose Ca
Main Office (408) 256-0403, Tie: 276-0403, eFax: (408) 904-4688
Home Office (408) 997-6136
Internet address: hufferd@us.ibm.com


Black_David@emc.com@ece.cmu.edu on 08/31/2001 08:15:05 AM
Sent by: owner-ips@ece.cmu.edu
To: John Hufferd/San Jose/IBM@IBMUS
cc: ips@ece.cmu.edu
Subject: RE: IKE and iSCSI Authentication

> I really did understand what it takes to associate the iSCSI Initiator Name
> with the UserID. I said that a tight binding table was needed. I also
> said that you have to be sure that it is kept in sync with the
> Installation's User/Password Database/Directory. You did not refute that,
> just attempted to trivialize the relationship table that
> needs to be built.
>
> We have never addressed this Table as part of iSCSI before, and it is
> important that everyone understands this, and that we understand how it is
> to be kept in sync with the installation's User/Password Directory. As part
> of doing this, we need to really understand what directories prevent our
> use of iSCSI Node Names, and which permit it. We need to understand if it
> is possible to have more than one UserID associated with a single iSCSI
> Node Name, etc.

John,

The conventional name for this "Table" is an Access Control List (ACL). Between LUN masking/mapping and management products, this is already a familiar concept in storage systems.

If the number of targets is a concern, there are well-known ways to make ACLs scalable. In practice, keeping ACLs in sync with the enterprise authentication system is not that difficult - only the userids appear in the ACLs, and hence they aren't changed when a password is changed because the password-related data is passed to an external server for verification. Administration of userid changes can consume some time, but administrators of secure internal web sites seem to have mastered this.

Thanks,
--David

---------------------------------------------------
David L. Black, Senior Technologist
EMC Corporation, 42 South St., Hopkinton, MA 01748
+1 (508) 435-1000 x75140 FAX: +1 (508) 497-8500
black_david@emc.com Mobile: +1 (978) 394-7754
---------------------------------------------------
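The ACL David describes, as an added example that is not code from this thread or from any iSCSI implementation: the "Table" binds (target node name, initiator node name) to the userids allowed to present that name, password checking is delegated to an external directory so the ACL holds userids only, and a sync check reports ACL userids that the directory no longer knows. The in-memory directory, node names and userids are constructed for the example.

```python
import hashlib
import hmac
import os

def _digest(salt, password):
    return hashlib.sha256(salt + password.encode()).digest()

class ExternalDirectory:
    """Stand-in for the installation's User/Password directory (constructed
    for this example; a real target would query RADIUS, LDAP or similar)."""
    def __init__(self):
        self._users = {}  # userid -> (salt, digest); never copied into the ACL
    def add_user(self, userid, password):
        salt = os.urandom(16)
        self._users[userid] = (salt, _digest(salt, password))
    change_password = add_user   # a password change only touches this side
    def remove_user(self, userid):
        self._users.pop(userid, None)
    def has_user(self, userid):
        return userid in self._users
    def verify(self, userid, password):
        entry = self._users.get(userid)
        if entry is None:
            return False
        salt, digest = entry
        return hmac.compare_digest(digest, _digest(salt, password))

# The ACL ("Table"): (target node name, initiator node name) -> permitted
# userids. Only userids appear, so password changes never modify it, and
# one initiator node name may carry several userids. Names are made up.
ACL = {
    ("iqn.2001-08.example.com:tgt1", "iqn.2001-08.example.com:host.a"): {"alice", "bob"},
    ("iqn.2001-08.example.com:tgt1", "iqn.2001-08.example.com:host.b"): {"carol"},
}

def authorize(acl, directory, target, initiator, userid, password):
    """Verify the password externally, then check the name<->userid binding."""
    if not directory.verify(userid, password):
        return False
    return userid in acl.get((target, initiator), set())

def stale_entries(acl, directory):
    """Sync check: ACL userids that no longer exist in the directory."""
    return sorted((tgt, init, uid) for (tgt, init), uids in acl.items()
                  for uid in uids if not directory.has_user(uid))
```

A valid userid presented under an initiator node name it is not bound to is refused even though the password verifies, which is the binding John asks about.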