RE: iSCSI: ISIDs
During various meetings that we had as part of the Naming and Discovery
Team, there was a desire to have the same iSCSI Node Name be used across
the Cluster, since it functions as a single logical OS. It was thought
that the Cluster would then use static allocation to assign the ISID ranges
to the various members.
In this way the Cluster would have one Authentication Name (iSCSI Node
Name). So the model we have today does extend across a Cluster.
Based on what I have seen on this thread, that approach (Sharing the iSCSI
Node Name across the Cluster, as a single logical OS) still works even
with the TSID centric approach.
.
.
.
John L. Hufferd
Senior Technical Staff Member (STSM)
IBM/SSG San Jose Ca
Main Office (408) 256-0403, Tie: 276-0403, eFax: (408) 904-4688
Home Office (408) 997-6136
Internet address: hufferd@us.ibm.com
Michael Schoberg <michael_schoberg@cnt.com>@ece.cmu.edu on 09/07/2001
09:49:17 AM
Sent by: owner-ips@ece.cmu.edu
To: ips@ece.cmu.edu
cc:
Subject: RE: iSCSI: ISIDs
Ultimately, the detection of duplicate sessions has to occur on the target.
If we are not expecting initiators to retain the TSID (target assigned SID)
of any sort between reboots, then something totally initiator based may be
the only fit. The recurring theme here is how to authenticate the passed
ISID & TSID. What prevents HBA-B from saying it's HBA-A (or however you
want to word it)? Putting session identification into the authentication
exchange (and NOT the login header) may be the only way to guarantee
detecting imposters. If you want to guarantee security along with
recovery, I think this would be the better place to begin.
It appears as though SID needs to act more like the Ethernet MAC address.
We want something that uniquely identifies the initiator whenever it logs
into a target (something larger than 16 bits). This moves more towards
Marjorie's position that session identification should be pre-assigned to
initiators through configuration:
... an iSCSI HBA will have to have a configuration interface,
supplied by the manufacturer, in order to be installed ...
I'm a little skeptical about the dual use of InitiatorName as part of the
session identification. What prevents a pool of servers from sharing the
same user account credentials (which may be useful in reducing
administration overhead)? It's unlikely that a group of servers would ever
want to share the same session. Something like "SessionId=" that is
pre-configured on each initiator might work better.
Last updated: Fri Sep 07 15:17:13 2001