SORT BY:

LIST ORDER
THREAD
AUTHOR
SUBJECT


SEARCH

IPS HOME


    [Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

    iSCSI MIB - comments on iscsiAccessList


    • To: ips@ece.cmu.edu
    • Subject: iSCSI MIB - comments on iscsiAccessList
    • From: Keith McCloghrie <kzm@cisco.com>
    • Date: Thu, 1 Nov 2001 09:16:18 -0800 (PST)
    • Content-Transfer-Encoding: 7bit
    • Content-Type: text/plain; charset=us-ascii
    • Sender: owner-ips@ece.cmu.edu

    I have some questions/suggestions regarding iscsiAccessList
    in draft-ietf-ips-iscsi-mib-03.txt.
     
    > 6.9.  iscsiAccessList
    > 
    >    The iscsiAccessListAttributesTable contains an entry for each
    >    initiator that is allowed to access the target under which it
    >    appears.  If a target allows access to any initiator, an
    >    AccessListAttributesEntry with the initiator's iSCSI name should be
    >    used.
    
    I think the last sentence is 
    
    a) confusing (do you mean "any initiator" ?) and 
    b) may not always be true - with a wildcard mechanism ("iscsi" in the next
       paragaph), an initiator's name does not have to be in the table, right ?
    
    >    This table does not cover all possible access control schemes that a
    >    vendor could implement.  If access to an initiator cannot be
    >    determined just by its iSCSI name, an implementation may either
    >    include a single entry per target with the initiator name "iscsi", or
    >    may choose to place no entries in this table.
     
    Does no entries in the table allow any initiator access, or does it
    deny access to all initiators ?
    
    > iscsiAccessListAttributesTable OBJECT-TYPE
    >     SYNTAX        SEQUENCE OF IscsiAccessListAttributesEntry
    >     MAX-ACCESS    not-accessible
    >     STATUS        current
    >     DESCRIPTION
    >         "A list of iSCSI initiators which will be granted access
    >         to iSCSI resources through targets within the iSCSI
    >         instance."
    
    Can you say explicitly:
    
    - what does no entries in the table mean, and
    - how does the wildcard entry (an entry with name="iscsi") work. 
    
    > ...
    > 
    > iscsiALInitiatorName OBJECT-TYPE
    >     SYNTAX        SnmpAdminString
    >     MAX-ACCESS    read-only
    >     STATUS        current
    >     DESCRIPTION
    >         "An octet string that defines an initiator identified
    >      by the <InitiatorName> key of the Login Command which will
    >      be granted access. If this string has the value of 'iscsi',
    >      then any initiator may access this target."
    > ::= { iscsiAccessListAttributesEntry 2 }
     
    If you intend that an entry of "iscsi" means that "any initiator
    name is allowed", then I think it's a little strange that a special
    meaning applies to a name that an administrator might just happen to
    use without realising it.
    
    Here are three alternatives which I think are better:
    
    1. have a column in the iscsiTargetAttributesTable which enables/disables
       the use of the access-list.  (Then, disabling has the same function as
       "icsci" entry.)
    
    2. have the zero-length name allow access to any name; (this is a special
       case of #3 below.)
    
    3. have an additional column, iscsiALInitiatorMatchType, which is an
       INTEGER { exact(1), prefix(2) } where 'exact' is the type you currently
       have, and 'prefix' says that longer initiator names will match
       if they can be truncated to the value of iscsiALInitiatorName.
    
    Keith.
    
    


Home

Last updated: Thu Nov 01 14:17:33 2001
7512 messages in chronological order