RE: iSNS and zoning

[Joshua Tseng <jtseng@NishanSystems.com>]

JP,

The iSNS specifies the name server only.  It is not the role of the
iSNS to enforce the zoning, only to store the zoning configuration.
As you pointed out, in order to obtain the equivalent of Fibre Channel
zoning functionality, the iSNS clients must implement the capability
to enforce the zoning configurations that they learn about from the
iSNS.

iSNS clients include targets, initiators, management stations,
and possibly even switches.  Zoning capability is a result of 
implementing the enforcement capability in the appropriate iSNS
clients.  For example, a switch can download IP address-
defined zones from the iSNS and configure its ACL's so that only
properly authorized initiators at the identified IP addresses can 
access its directly-attached targets.

Another example would be a target which self-enforces the zoning
configuration that it learns about from the iSNS.  First, it downloads
from the iSNS a list of zoned initiators identified by WWUI, which are
allowed to access that target.  Optionally, this can also include the 
public key of each of those initiators.  When an iSCSI initiator
attempts to log into that client, the target will refuse the login
unless the WWUI's match.  If spoofing of WWUI's is a concern, then
the public key obtained from the iSNS can be used to verify the
identity of the initiator.

Josh


> -----Original Message-----
> From: jp.raghavendra@sun.com [mailto:jp.raghavendra@sun.com]
> Sent: Thursday, December 14, 2000 10:51 PM
> To: ips@ece.cmu.edu
> Subject: iSNS and zoning 
> 
> 
> >
> 
In looking at iSNS draft, I get the impression that the zoning service 
as currently defined is a poor mimicking of its Fibre Channel counter
part. In FC fabric, the switch has several mechanisms to prevent an
N/NL_Port from unauthorised/unintended accesses, since it is part of
the access path. However, with iSNS, which could be a stand alone name
server, I'm having hard time understanding how this storage name server
could enforce the claims made in the draft, such as:

a)
	> 3.1.3    Network Zoning Service

	> .... snip ....
    	> The Network Zoning Service implements the functionality to support
    	> grouping of iSNS client devices into domains for administrative
and
    	> access control purposes.
	> .... 

b)
	> 4.3      Zone Object
	>
	> .... snip ....
    	> Zoning is a security and management mechanism used to partition
    	> storage resources.  Zoning prevents initiators from potentially
	> logging in to every possible target during device discovery.
	> ....

iSNS as currently defined is only a repository of information of the so
called zones. It has no way to prevent an authorised rogue iSCSI initiator
from setting up a TCP connection with an iSCSI target. The best place to
implement security and access control is the iSCSI target itself.


-JP