[stgt] initiator-name discriminator for target binding

Or Gerlitz ogerlitz at voltaire.com
Thu Jun 4 17:03:16 CEST 2009


FUJITA Tomonori wrote:
> Hmm, an initiator box can change the name to log in a target illegally. I think that initiator-name-based binding doesn't mean strict security.
Okay, yes, I guess names are easier to spoof than IP addresses, but I am 
not suggesting to remove the src ip from the tgt ACL mechanism but rather 
to make it optionally src ip && iqn based.
> Why can't VMM just store the relationship between a guest and a target name? VMM can do without initiator names, I think. And I think that people usually do: a) each guest has its own IP address and runs the iscsi initiator. or b) VMM runs the initiator and creates a file system (could be a SAN FS like vmfs) on it and gives a file to each guest.
I think that running the initiator from the guest isn't very uncommon 
e.g. b/c it doesn't go well with live migration, but I will check on 
this. When the VMM runs the initiator, there are two schemes, one is 
based on cluster file system, and in this case I don't see much need for 
multiple initiator names for the same host, but the second scheme is 
just providing a raw disk to the guest, and in this case, the target admin 
would need to assign a lun per guest and a unique name would come into 
play. Such a scheme is called RDM (Raw Device Mapping) in VMware.

> Note that I'm not against the initiator-name binding. I just want to know how it can be useful.
Of course, I am here to respond.

Or.
