SORT BY:

LIST ORDER
THREAD
AUTHOR
SUBJECT


SEARCH

IPS HOME


    [Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

    Re: Naming & Discovery, MIB, SLP, Stringprep drafts



    On Sat, 1 Mar 2003, Mark Bakke wrote:
    
    > I've submitted updated drafts for Naming & Discovery,
    > iSCSI SLP, Stringprep, iSCSI MIB, and Auth MIB.  I
    > believe that these drafts address all outstanding
    > expert review and nit check comments.  Until they pop
    > out of the draft queue, they are available at:
    
    Mark,
    
    Did you find a resolution to the issue I raised in private EMail? I'll
    raise it here & now for everyone else to comment on.. :-)
    
    iSCSI-MIB (including -09.txt as best I can tell) doesn't have a way to
    specify to a node what AUTH entries it should use to authenticate itself,
    at least as I understand it.
    
    For instance, we can tell a target what auths initiators can use to access
    it, but we don't have a readily-obvious way to tell the target what auths
    to use to authenticate itself in mutual auth. Likewise,
    iscsiIntrAuthorization seems to contain what an initator would need to
    finish mutual CHAP (for instance), but not what the target will be
    expecting from the initiator. I've refered to these auths as "Self" auths
    for lack of a better term.
    
    If I've missed how to do this, please let me know!
    
    In an effort to offer solutions in addition to questions, I can think of
    two ways to address this at this point. Well really three.
    
    The least-desirable one would be to just not be able to configure self
    auths via snmp. Given that you can configure everything else, that seems
    like a poor choice.
    
    Choice 2: Add "iscsiIntrSelfAuthorization" and "iscsiTgtSelfAuthorization"
    (or SelfAuth..) and use them as iscsiIntrAuthorization and
    iscsiTgtAuthorization but for node authentication rather than
    authenticating the other side. Advantage: very clear what's going on.
    Disadvantage: means changing the MIB late in the game.
    
    Choice 3: Keep things as they are, but make a special case for auth
    entries that have the same name as the node they are tied to. For
    instance, an auth with a name of "iqn.2000-05.com.foo" in either the
    iscsiIntrAuthorization or iscsiTgtAuthorization tables for node
    "iqn.2000-05.com.foo" would actually be a self-auth, rather than an auth
    for a connecting node. Advantage: no change to the MIB. Disadvantage:
    special-case names can be confusing and non-intuitive.
    
    Take care,
    
    Bill
    


Home

Last updated: Mon Mar 10 14:19:15 2003
12412 messages in chronological order