|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] RE: iSCSI: ISIDsDuring various meetings that we had as part of the Naming and Discovery Team, there was desire to have the same iSCSI Node Name be used across the Cluster, since it functions as a single logical OS. It was thought that the Cluster would then use static allocation to assign the ISID ranges to the various members. In this way the Cluster would have one Authentication Name (iSCSI Node Name). So the model we have today does extend across a Cluster. Based on what I have seen on this thread, that approach (Sharing the iSCSI Node Name across the Cluster, as a single logical OS) still works even with the TSID centric approach. . . . John L. Hufferd Senior Technical Staff Member (STSM) IBM/SSG San Jose Ca Main Office (408) 256-0403, Tie: 276-0403, eFax: (408) 904-4688 Home Office (408) 997-6136 Internet address: hufferd@us.ibm.com Michael Schoberg <michael_schoberg@cnt.com>@ece.cmu.edu on 09/07/2001 09:49:17 AM Sent by: owner-ips@ece.cmu.edu To: ips@ece.cmu.edu cc: Subject: RE: iSCSI: ISIDs Ultimately, the detection of duplicate sessions has to occur on the target. If we are not expecting initiators to retain the TSID (target assigned SID) of any sort between reboots, then something totally initiator based may be the only fit. The recurring theme here is how to authenticate the passed ISID & TSID. What prevents HBA-B from saying it's HBA-A (or however you want to word it)? Putting session identification into the authentication exchange (and NOT the login header) may be the only way to guarantee detecting imposters. If you want to guarantee security along with recovery, I think this would be the better place to begin. It appears as though SID needs to act more like the Ethernet MAC address. We want something that uniquely identifies the initiator whenever it logs into a target (something larger than 16 bits). This moves more towards Marjorie's position that session identification should be pre-assigned to initiators through configuration: ... an iSCSI HBA will have to have a configuration interface, supplied by the manufacturer, in order to be installed ... I'm a little skeptical about the dual use of InitiatorName as part of the session identification. What prevents a pool of servers from sharing the same user account credentials (which may be useful in reducing administration overhead). It's unlikely that a group of servers would ever want to share the same session. Something like "SessionId=" that is pre-configured on each initiator might work better.
Home Last updated: Fri Sep 07 15:17:13 2001 6435 messages in chronological order |