Re: Naming & Discovery, MIB, SLP, Stringprep drafts

To: Mark Bakke <mbakke@cisco.com>
Subject: Re: Naming & Discovery, MIB, SLP, Stringprep drafts
From: wrstuden@wasabisystems.com
Date: Fri, 7 Mar 2003 15:08:05 +0000 (UTC)
Cc: IPS <ips@ece.cmu.edu>
Content-Type: TEXT/PLAIN; charset=US-ASCII
In-Reply-To: <3E618654.95015523@cisco.com>
References: <3E618654.95015523@cisco.com>
Sender: owner-ips@ece.cmu.edu

On Sat, 1 Mar 2003, Mark Bakke wrote:

> I've submitted updated drafts for Naming & Discovery,
> iSCSI SLP, Stringprep, iSCSI MIB, and Auth MIB.  I
> believe that these drafts address all outstanding
> expert review and nit check comments.  Until they pop
> out of the draft queue, they are available at:

Mark,

Did you find a resolution to the issue I raised in private EMail? I'll
raise it here & now for everyone else to comment on.. :-)

iSCSI-MIB (including -09.txt as best I can tell) doesn't have a way to
specify to a node what AUTH entries it should use to authenticate itself,
at least as I understand it.

For instance, we can tell a target what auths initiators can use to access
it, but we don't have a readily-obvious way to tell the target what auths
to use to authenticate itself in mutual auth. Likewise,
iscsiIntrAuthorization seems to contain what an initator would need to
finish mutual CHAP (for instance), but not what the target will be
expecting from the initiator. I've refered to these auths as "Self" auths
for lack of a better term.

If I've missed how to do this, please let me know!

In an effort to offer solutions in addition to questions, I can think of
two ways to address this at this point. Well really three.

The least-desirable one would be to just not be able to configure self
auths via snmp. Given that you can configure everything else, that seems
like a poor choice.

Choice 2: Add "iscsiIntrSelfAuthorization" and "iscsiTgtSelfAuthorization"
(or SelfAuth..) and use them as iscsiIntrAuthorization and
iscsiTgtAuthorization but for node authentication rather than
authenticating the other side. Advantage: very clear what's going on.
Disadvantage: means changing the MIB late in the game.

Choice 3: Keep things as they are, but make a special case for auth
entries that have the same name as the node they are tied to. For
instance, an auth with a name of "iqn.2000-05.com.foo" in either the
iscsiIntrAuthorization or iscsiTgtAuthorization tables for node
"iqn.2000-05.com.foo" would actually be a self-auth, rather than an auth
for a connecting node. Advantage: no change to the MIB. Disadvantage:
special-case names can be confusing and non-intuitive.

Take care,

Bill

References:
- Naming & Discovery, MIB, SLP, Stringprep drafts
  - From: Mark Bakke <mbakke@cisco.com>

Prev by Date: Re: I-D ACTION:draft-ietf-ips-iscsi-boot-09.txt
Next by Date: IP Storage (ips) WG San Francisco Agenda
Prev by thread: Naming & Discovery, MIB, SLP, Stringprep drafts
Next by thread: Last-minute iSNS -18 clarification changes
Index(es):
- Date
- Thread

Home

Last updated: Mon Mar 10 14:19:15 2003
12412 messages in chronological order