RE: Selectively exposing Porgal Groups to Initiators

To: "'Rahul Bhagwat'" <rahulb@veritas.com>
Subject: RE: Selectively exposing Porgal Groups to Initiators
From: "John Hufferd" <hufferd@us.ibm.com>
Date: Wed, 21 Nov 2001 12:42:33 -0800
Cc: ips@ece.cmu.edu, "KRUEGER,MARJORIE (HP-Roseville,ex1)" <marjorie_krueger@hp.com>
Content-type: text/plain; charset=us-ascii
Importance: Normal
Sender: owner-ips@ece.cmu.edu


Rahul,
Marjorie's answers are correct, but you might want to be very careful with
your terms.  Your point three talks about limiting Portal Groups to
specific Initiators.  I am concerned about your use of the words iSCSI
Target, which could apply to a couple of different things.

In a Target Network Entity there can be more then one iSCSI Target Node
(SCSI Device).  Each Target Node can have more then one iSCSI (SCSI) Target
Port connected to it.  Part of the name of this iSCSI (SCSI) Target Port
includes the Portal Group Tag.  So if, in your point 3, the term iSCSI
Target meant iSCSI Target Node, then you would be able to set up different
iSCSI (SCSI) Target Ports (each with different Portal Group Tags) that can
access the resources at the same iSCSI Target Node.  The ACL would then
probably be applied at the iSCSI (SCSI) Target Port.

To be sure we are on the same page here, please reference the charts that
have been placed at:

http://www.haifa.il.ibm.com/satran/ips/iSCSIConfigurationExamples.pdf

(Note: I use the term iSCSI (SCSI) Port to represent the concept of "SCSI
Port" within the context of iSCSI.)

.
.
.
John L. Hufferd
Senior Technical Staff Member (STSM)
IBM/SSG San Jose Ca
Main Office (408) 256-0403, Tie: 276-0403,  eFax: (408) 904-4688
Home Office (408) 997-6136, Cell: (408) 499-9702
Internet address: hufferd@us.ibm.com


"KRUEGER,MARJORIE (HP-Roseville,ex1)" <marjorie_krueger@hp.com>@ece.cmu.edu
on 11/21/2001 11:11:45 AM

Sent by:  owner-ips@ece.cmu.edu


To:   "'Rahul Bhagwat'" <rahulb@veritas.com>, ips@ece.cmu.edu
cc:
Subject:  RE: Selectively exposing Porgal Groups to Initiators



> 1. Is it required that TargetAddresses of an iSCSI target advertised to a
>    directory service include portal group tag ?

Yes, information is necessary to communicate to the initiator which target
addresses can be used to form a multi-connection session.

> 2. Is it mandatory for an Initiator to use "SendTargets" to discover
>    TargetAddress for an iSCSI target (even if if has a set of addresses
>    either statically configured or found through a directory service)?

To my knowledge no iSCSI document has declared it mandatory, but it's
recommended to ensure the initiator has current addressing information for
this target.

> 3. Is it okay to restrict access to an Initiator (based on it's iSCSI
name)
>    to only a subset of total Target Portal Groups supported by the iSCSI
>    target?

Yes

>
> In this scenario, an Initiator may find out the TargetAddresses for an
iSCSI
> target using a directory service, and try to connect a normal operational
> session to any of these addresses without using SendTargets. The
> iSCSI target can return an error code for login as "Initiator not
Authorized"
> which in fact is not
> completely true. Initiator is authorized to only use a subset
> of portal groups.

Correct, although "not completely true" is subjective.  Another perspective
is that this initiator is not authorized to use this *target port*, which
is
completely true.

Marjorie

Follow-Ups:
- RE: Selectively exposing Porgal Groups to Initiators
  - From: "Shailesh Manjrekar" <shaileshm@aarohicommunications.com>

Prev by Date: New version of TCU ULP Framing draft
Next by Date: iSCSI: 09 Draft TTT
Prev by thread: RE: Selectively exposing Porgal Groups to Initiators
Next by thread: RE: Selectively exposing Porgal Groups to Initiators
Index(es):
- Date
- Thread

Home

Last updated: Mon Nov 26 21:17:39 2001
7912 messages in chronological order