Re: iSCSI MIB - comments on iscsiAccessList

To: Keith McCloghrie <kzm@cisco.com>
Subject: Re: iSCSI MIB - comments on iscsiAccessList
From: Mark Bakke <mbakke@cisco.com>
Date: Thu, 01 Nov 2001 12:05:02 -0600
CC: ips@ece.cmu.edu
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=us-ascii
References: <200111011716.JAA25752@cisco.com>
Sender: owner-ips@ece.cmu.edu

Keith McCloghrie wrote:
> 
> I have some questions/suggestions regarding iscsiAccessList
> in draft-ietf-ips-iscsi-mib-03.txt.
> 
> > 6.9.  iscsiAccessList
> >
> >    The iscsiAccessListAttributesTable contains an entry for each
> >    initiator that is allowed to access the target under which it
> >    appears.  If a target allows access to any initiator, an
> >    AccessListAttributesEntry with the initiator's iSCSI name should be
> >    used.
> 
> I think the last sentence is
> 
> a) confusing (do you mean "any initiator" ?) and

No.  I meant "any particular initiator"; this was badly worded.

> b) may not always be true - with a wildcard mechanism ("iscsi" in the next
>    paragaph), an initiator's name does not have to be in the table, right ?

Yes.  That is correct.

> >    This table does not cover all possible access control schemes that a
> >    vendor could implement.  If access to an initiator cannot be
> >    determined just by its iSCSI name, an implementation may either
> >    include a single entry per target with the initiator name "iscsi", or
> >    may choose to place no entries in this table.
> 
> Does no entries in the table allow any initiator access, or does it
> deny access to all initiators ?

I think that we need to decide that here.  It was originally intended
to mean that all initiators are allowed, but since we have a way to
say that by putting in "iscsi", I think that it should mean either that
all initiators are denied, or that the access list mechanism in the
MIB is not enough to determine whether or not an initiator will
be granted access.  I would tend toward the latter; if there are no
access list entries for a target, it means that there is not enough
information to tell who gets to access it from this MIB.  Implementations
that provide value-add access control can augment this MIB with their
own enterprise MIBs for access control.

I would like to re-word this to:

   ... The value "iscsi" in an access list entry means that any
   initiator may access this target.  If a target has no entries
   in the access list attributes table, it means that there is
   not enough information here to determine whether or not an
   initiator will be granted access.

> > iscsiAccessListAttributesTable OBJECT-TYPE
> >     SYNTAX        SEQUENCE OF IscsiAccessListAttributesEntry
> >     MAX-ACCESS    not-accessible
> >     STATUS        current
> >     DESCRIPTION
> >         "A list of iSCSI initiators which will be granted access
> >         to iSCSI resources through targets within the iSCSI
> >         instance."
> 
> Can you say explicitly:
> 
> - what does no entries in the table mean, and
> - how does the wildcard entry (an entry with name="iscsi") work.

OK.

> > ...
> >
> > iscsiALInitiatorName OBJECT-TYPE
> >     SYNTAX        SnmpAdminString
> >     MAX-ACCESS    read-only
> >     STATUS        current
> >     DESCRIPTION
> >         "An octet string that defines an initiator identified
> >      by the <InitiatorName> key of the Login Command which will
> >      be granted access. If this string has the value of 'iscsi',
> >      then any initiator may access this target."
> > ::= { iscsiAccessListAttributesEntry 2 }
> 
> If you intend that an entry of "iscsi" means that "any initiator
> name is allowed", then I think it's a little strange that a special
> meaning applies to a name that an administrator might just happen to
> use without realising it.

"iscsi" is a reserved initiator name value, and must not be assigned
to an initiator or target by an adminstrator or manufacturer.  There
should be no problems with using it here.

> 
> Here are three alternatives which I think are better:
> 
> 1. have a column in the iscsiTargetAttributesTable which enables/disables
>    the use of the access-list.  (Then, disabling has the same function as
>    "icsci" entry.)

This is probably the cleanest; an implementation that does not do
access lists would not have to implement the access list part of
the MIB at all.

> 2. have the zero-length name allow access to any name; (this is a special
>    case of #3 below.)
> 
> 3. have an additional column, iscsiALInitiatorMatchType, which is an
>    INTEGER { exact(1), prefix(2) } where 'exact' is the type you currently
>    have, and 'prefix' says that longer initiator names will match
>    if they can be truncated to the value of iscsiALInitiatorName.
> 
> Keith.

-- 
Mark A. Bakke
Cisco Systems
mbakke@cisco.com
763.398.1054

Follow-Ups:
- Re: iSCSI MIB - comments on iscsiAccessList
  - From: "Mark A. Carlson" <mark.carlson@sun.com>
- Re: iSCSI MIB - comments on iscsiAccessList
  - From: Keith McCloghrie <kzm@cisco.com>

References:
- iSCSI MIB - comments on iscsiAccessList
  - From: Keith McCloghrie <kzm@cisco.com>

Prev by Date: Re: iSCSI: iSCSI Rev 8
Next by Date: Re: iSCSI MIB - comments on iscsiAccessList
Prev by thread: iSCSI MIB - comments on iscsiAccessList
Next by thread: Re: iSCSI MIB - comments on iscsiAccessList
Index(es):
- Date
- Thread

Home

Last updated: Thu Nov 01 14:17:33 2001
7512 messages in chronological order