|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: Naming & Discovery, MIB, SLP, Stringprep draftsOn Sat, 1 Mar 2003, Mark Bakke wrote: > I've submitted updated drafts for Naming & Discovery, > iSCSI SLP, Stringprep, iSCSI MIB, and Auth MIB. I > believe that these drafts address all outstanding > expert review and nit check comments. Until they pop > out of the draft queue, they are available at: Mark, Did you find a resolution to the issue I raised in private EMail? I'll raise it here & now for everyone else to comment on.. :-) iSCSI-MIB (including -09.txt as best I can tell) doesn't have a way to specify to a node what AUTH entries it should use to authenticate itself, at least as I understand it. For instance, we can tell a target what auths initiators can use to access it, but we don't have a readily-obvious way to tell the target what auths to use to authenticate itself in mutual auth. Likewise, iscsiIntrAuthorization seems to contain what an initator would need to finish mutual CHAP (for instance), but not what the target will be expecting from the initiator. I've refered to these auths as "Self" auths for lack of a better term. If I've missed how to do this, please let me know! In an effort to offer solutions in addition to questions, I can think of two ways to address this at this point. Well really three. The least-desirable one would be to just not be able to configure self auths via snmp. Given that you can configure everything else, that seems like a poor choice. Choice 2: Add "iscsiIntrSelfAuthorization" and "iscsiTgtSelfAuthorization" (or SelfAuth..) and use them as iscsiIntrAuthorization and iscsiTgtAuthorization but for node authentication rather than authenticating the other side. Advantage: very clear what's going on. Disadvantage: means changing the MIB late in the game. Choice 3: Keep things as they are, but make a special case for auth entries that have the same name as the node they are tied to. For instance, an auth with a name of "iqn.2000-05.com.foo" in either the iscsiIntrAuthorization or iscsiTgtAuthorization tables for node "iqn.2000-05.com.foo" would actually be a self-auth, rather than an auth for a connecting node. Advantage: no change to the MIB. Disadvantage: special-case names can be confusing and non-intuitive. Take care, Bill
Home Last updated: Mon Mar 10 14:19:15 2003 12412 messages in chronological order |