
    RE: IKE and iSCSI Authentication



    
    David,
    Up to this point in time the item that we have put into the ACL was the
    iSCSI Initiator Node Name, NOT a UserID.  This is a new and different
    thought, and we need to completely understand the impact.
    
    We spent a great deal of time making sure that the iSCSI Initiator Node
    Name was unique in the world, and now we seem to only care about the
    UserID.  There is clearly something new or missing here in our thoughts.
    
    .
    .
    .
    John L. Hufferd
    Senior Technical Staff Member (STSM)
    IBM/SSG San Jose Ca
    Main Office (408) 256-0403, Tie: 276-0403,  eFax: (408) 904-4688
    Home Office (408) 997-6136
    Internet address: hufferd@us.ibm.com
    
    
    Black_David@emc.com@ece.cmu.edu on 08/31/2001 08:15:05 AM
    
    Sent by:  owner-ips@ece.cmu.edu
    
    
    To:   John Hufferd/San Jose/IBM@IBMUS
    cc:   ips@ece.cmu.edu
    Subject:  RE: IKE and iSCSI Authentication
    
    
    
    > I really did understand what it takes to associate the iSCSI Initiator Name
    > with the UserID.  I said that a tight binding table was needed.  I also
    > said that you have to be sure that it is kept in sync with the
    > Installation's User/Password Database/Directory.  You did not refute that,
    > just attempted to trivialize the relationship table that
    > needs to be built.
    >
    > We have never addressed this Table as part of iSCSI before, and it is
    > important that everyone understands this, and that we understand how it is
    > to be kept in sync with the installation's User/Password Directory.  As part
    > of doing this, we need to really understand what directories prevent our
    > use of iSCSI Node Names, and which permit it.  We need to understand if it
    > is possible to have more than one UserID associated with a single iSCSI
    > Node Name, etc.
    
    John,
    
    The conventional name for this "Table" is an Access Control List (ACL).
    Between LUN masking/mapping and management products, this is already a
    familiar concept in storage systems.  If the number of targets is a concern, there
    are well-known ways to make ACLs scalable.  In practice, keeping ACLs in
    sync with the enterprise authentication system is not that difficult -
    only the userids appear in the ACLs, and hence they aren't changed when
    a password is changed because the password-related data is passed to an
    external server for verification.  Administration of userid changes can
    consume some time, but administrators of secure internal web sites seem
    to have mastered this.
    
    Thanks,
    --David
    
    ---------------------------------------------------
    David L. Black, Senior Technologist
    EMC Corporation, 42 South St., Hopkinton, MA  01748
    +1 (508) 435-1000 x75140     FAX: +1 (508) 497-8500
    black_david@emc.com       Mobile: +1 (978) 394-7754
    ---------------------------------------------------
    
    
    
    



Last updated: Tue Sep 04 01:03:48 2001