RE: IKE and iSCSI Authentication

To: Black_David@emc.com
Subject: RE: IKE and iSCSI Authentication
From: "John Hufferd" <hufferd@us.ibm.com>
Date: Fri, 31 Aug 2001 14:11:40 -0700
Cc: ips@ece.cmu.edu
Content-type: text/plain; charset=us-ascii
Importance: Normal
Sender: owner-ips@ece.cmu.edu


David,
Up to this point in time the item that we have put into the ACL was the
iSCSI Initiator Node Name, NOT a UserID.  This is a new and different
thought, and we need to completely understand the impact.

We spent a great deal of time making sure that the iSCSI Initiator Node
Name was unique in the world, and now we seem to only care about the
UserID.  There is clearly something new or missing here in our thoughts.

.
.
.
John L. Hufferd
Senior Technical Staff Member (STSM)
IBM/SSG San Jose Ca
Main Office (408) 256-0403, Tie: 276-0403,  eFax: (408) 904-4688
Home Office (408) 997-6136
Internet address: hufferd@us.ibm.com


Black_David@emc.com@ece.cmu.edu on 08/31/2001 08:15:05 AM

Sent by:  owner-ips@ece.cmu.edu


To:   John Hufferd/San Jose/IBM@IBMUS
cc:   ips@ece.cmu.edu
Subject:  RE: IKE and iSCSI Authentication



> I really did understand what it take to associate the iSCSI nitiator Name
> with the UserID.  I said that an tight binding table was needed.  I also
> said that you have to be sure that it is kept in sync with the
> Installations User/Password Database/Directory.  You did not refute that,
> just attempted to trivialize the relationship table that
> needs to be built.
>
> We have never address this Table as part of iSCSI before, and it is
> important that everyone understands this, and that we understand how it
is
> to be kept in sync with the installations User/Password Directory.  As
part
> of doing this, we need to really understand what directories prevent our
> use of iSCSI Node Names, and which permit it.  We need to understand if
it
> is possible to have more then one UserID associated with a single iSCSI
> Node Name, etc.

John,

The conventional name for this "Table" is an Access Control List (ACL).
Between LUN masking/mapping and management products, this is already a
familiar
concept in storage systems.  If the number of targets is a concern, there
are well-known ways to make ACLs scalable.  In practice, keeping ACLs in
sync with the enterprise authentication system is not that difficult -
only the userids appear in the ACLs, and hence they aren't changed when
a password is changed because the password-related data is passed to an
external server for verification.  Administration of userid changes can
consume some time, but administrators of secure internal web sites seem
to have mastered this.

Thanks,
--David

---------------------------------------------------
David L. Black, Senior Technologist
EMC Corporation, 42 South St., Hopkinton, MA  01748
+1 (508) 435-1000 x75140     FAX: +1 (508) 497-8500
black_david@emc.com       Mobile: +1 (978) 394-7754
---------------------------------------------------

Prev by Date: Question about framing support
Next by Date: Re: iSCSI - Login changes and the latest agreements
Prev by thread: RE: IKE and iSCSI Authentication
Next by thread: iSCSI names on login - consensus call
Index(es):
- Date
- Thread

Home

Last updated: Tue Sep 04 01:03:48 2001
6315 messages in chronological order