
    iSCSI: Authorization Model for the iSCSI MIB


    • To: IPS <ips@ece.cmu.edu>
    • Subject: iSCSI: Authorization Model for the iSCSI MIB
    • From: Mark Bakke <mbakke@cisco.com>
    • Date: Tue, 22 Jan 2002 15:20:21 -0600
    • Content-Transfer-Encoding: 7bit
    • Content-Type: text/plain; charset=us-ascii
    • Sender: owner-ips@ece.cmu.edu

    
    One of the open items for the iSCSI MIB was to be
    able to display and configure information about the
    various authorization schemes available in the iSCSI
    protocol.
    
    An iSCSI target can allow access to an iSCSI initiator
    based on several things:
    
    - iSCSI initiator name
    - iSCSI initiator address
    - SRP or CHAP username
    - Kerberos
    - Public key certificates
    
    The iSCSI MIB team has developed a UML model of the additions
    to the iSCSI MIB that will support these things.
    
    This model defines a "user" (meaning a host, cluster, application,
    whatever counts as the "user" of iSCSI) identity, which is
    composed of initiator names, address ranges, credentials (user
    names), and accepted certificates.  The model allows the user
    identity to consist of a reasonable set of these attributes,
    without getting too complicated and dragging us into the
    policy swamp.
    
    Instead of including initiator names in the current access list
    entries, we would add a RowPointer attribute that would point
    to the user identity that the target would accept.  This way,
    user identities do not live under targets, and can be used
    by more than one target.
    
    This model is best understood by way of examples, which are
    included.  Page 1 of the drawing is the current iSCSI
    MIB.  Page 2 includes the iscsiInstance and iscsiTarget objects
    from the iSCSI MIB, with the remainder of the objects added
    for this authorization model.  As usual, the last page includes
    a key for those who have not been exposed to the slightly
    simplified version of UML that we are using.
    
    The best way to look at this model (on page 2) is:
    
    1. Read the use case on the lower left.
    
    2. Look at the UML.
    
    3. Read the solution to the use case on the lower right.
    
    4. Look at the UML again.
    
    Note that specific attributes to handle SRP, public keys, and
    Kerberos have not yet been fully defined; we wanted to make
    sure the model was structurally sound first.
    
    This model will serve in place of an internet-draft with the
    MIB changes for the interim meeting, since at this point, the
    discussion of the model is more important than the discussion
    of the individual MIB attributes.
    
    The model (pdf) is available at:
    
    ftp://ftpeng.cisco.com/mbakke/ips/iscsi-mib/Visio-ietf-iscsi-uml-model-03-access.pdf
    
    The next steps are to look at whether the same model, or a
    generalization thereof, can or should be used to configure
    an iSCSI initiator, and how far to take this model in terms
    of allowing configuration via SNMP.
    
    Enjoy,
    
    -- 
    Mark A. Bakke
    Cisco Systems
    mbakke@cisco.com
    763.398.1054
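The decoupling Mark describes (access-list entries on a target carrying a RowPointer to a user identity that lives under the iSCSI instance, so one identity can be reused by several targets) can be sketched as a small authorization check. This is an added example, not code from the IPS list, the iSCSI MIB or Cisco; the class and attribute names are invented stand-ins for the UML objects, the sample identities and addresses are constructed, and the matching rule (an initiator must be recognized by name or by address range, and must additionally present a listed credential or certificate whenever the identity lists any) is an assumption made here, since the message leaves the combination semantics open.

```python
"""Added example: target access lists pointing to shared user identities.
Names, sample data and the matching rule are assumptions for illustration."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class UserIdentity:
    """One 'user' (host, cluster, application) in the sense of the model."""
    name: str
    initiator_names: set = field(default_factory=set)    # iSCSI initiator names
    address_ranges: list = field(default_factory=list)   # ipaddress networks
    credentials: set = field(default_factory=set)        # CHAP/SRP user names
    cert_fingerprints: set = field(default_factory=set)  # accepted certificates

    def matches(self, initiator_name: str, address: str,
                cred: Optional[str] = None, cert: Optional[str] = None) -> bool:
        # Assumed rule: identified by name OR by address range ...
        by_name = initiator_name in self.initiator_names
        by_addr = any(ipaddress.ip_address(address) in net
                      for net in self.address_ranges)
        if not (by_name or by_addr):
            return False
        # ... and, if this identity lists credentials/certificates, one must match.
        if self.credentials and cred not in self.credentials:
            return False
        if self.cert_fingerprints and cert not in self.cert_fingerprints:
            return False
        return True


@dataclass
class Target:
    name: str
    # Each access-list entry is a RowPointer-style reference (here: the identity
    # name) to a UserIdentity owned by the instance, not by the target.
    access_list: list = field(default_factory=list)


class IscsiInstance:
    """Holds identities and targets; identities are shared across targets."""

    def __init__(self) -> None:
        self.identities: dict = {}
        self.targets: dict = {}

    def add_identity(self, ident: UserIdentity) -> None:
        self.identities[ident.name] = ident

    def add_target(self, target: Target) -> None:
        self.targets[target.name] = target

    def authorize(self, target_name: str, initiator_name: str, address: str,
                  cred: Optional[str] = None, cert: Optional[str] = None) -> Optional[str]:
        """Return the name of the identity that grants access, or None."""
        target = self.targets.get(target_name)
        if target is None:
            return None
        for ref in target.access_list:
            ident = self.identities.get(ref)  # dangling pointer: skip, never grant
            if ident is not None and ident.matches(initiator_name, address, cred, cert):
                return ident.name
        return None


def build_sample_instance() -> IscsiInstance:
    """Constructed sample data: two identities, two targets sharing one of them."""
    inst = IscsiInstance()
    inst.add_identity(UserIdentity(
        name="db-cluster",
        initiator_names={"iqn.2002-01.com.example:host1",
                         "iqn.2002-01.com.example:host2"},
        address_ranges=[ipaddress.ip_network("10.1.0.0/24")],
        credentials={"dbuser"}))
    inst.add_identity(UserIdentity(
        name="backup-host",
        address_ranges=[ipaddress.ip_network("10.2.0.0/24")]))
    # disk1 and disk2 both point to db-cluster; disk2 also admits backup-host.
    # disk1 also carries a stale reference to a deleted identity.
    inst.add_target(Target("disk1", access_list=["db-cluster", "deleted-identity"]))
    inst.add_target(Target("disk2", access_list=["db-cluster", "backup-host"]))
    return inst


if __name__ == "__main__":
    inst = build_sample_instance()
    print(inst.authorize("disk1", "iqn.2002-01.com.example:host1", "10.1.0.5", cred="dbuser"))
    print(inst.authorize("disk2", "iqn.2002-01.com.example:unknown", "10.2.0.7"))
```

Because the identities hang off the instance rather than the target, changing `db-cluster` (adding a host, rotating the CHAP user name) takes effect on every target that references it, and removing an identity leaves only a dangling pointer that the check ignores rather than an orphaned grant.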
    