[stgt] authentication by initiator's name

Shuko Yasumoto yasumoto.shuko at jp.fujitsu.com
Fri Jun 17 08:17:34 CEST 2011


Hi,

Thank you for your response.

> I think that malicious users can forge initiator names. How can this
> feature be useful?

I understand that initiator names can be changed easily, so the security 
of this feature might be poorer than IP authentication.
But the case "malicious users can forge initiator names" can be protected 
against by combination with CHAP authentication, and my idea is to provide 
this feature in addition to IP authentication.

I think the usage of this feature is the same as IP authentication, 
but there is only a difference in the following usage.

Usage  : When there is a server which has multiple NICs, the user must check 
         which IP is connected to targets and then register one IP 
         to targets.
         If this feature is available, the user just registers an initiator 
         name instead.
         Based on RFC 3721, I think the initiator name is useful for this 
         purpose.
         ===
         An iSCSI Name is a location-independent, permanent identifier for 
         an iSCSI node.  An iSCSI node has one iSCSI name, which stays 
         constant for the life of the node.  The terms "initiator name" 
         and "target name" also refer to an iSCSI name.
         ===

The background for this proposal is:
- The above usage.
- Many storage vendors use the feature, authentication by initiator name.

I would highly appreciate it if you could give me comments on this.

Best Regards,
Hisashi Osanai (from colleague's email)

On Fri, 17 Jun 2011 01:28:22 +0900
FUJITA Tomonori <fujita.tomonori at lab.ntt.co.jp> wrote:

> On Thu, 16 Jun 2011 15:10:09 +0900
> Shuko Yasumoto <yasumoto.shuko at jp.fujitsu.com> wrote:
> 
> > Dear developers,
> > 
> > # My colleague tried to send the following email several times
> > # but it didn't work and he couldn't find out the reason, so I am sending 
> > # this email on his behalf (Hisashi Osanai).
> > 
> > I would like to have the following command option "--initiator-name" 
> > in addition to the option "--initiator-address", in order not to show targets
> > to initiators, based on the initiators' names (iqn).
> > 
> > --lld <driver> --mode target --op bind --tid <id> --initiator-address <address> [--initiator-name <name>]
> > --lld <driver> --mode target --op unbind --tid <id> {--initiator-address <address> | --initiator-name <name>}
> > 
> > What do you think of the necessity of this function? 
> 
> I think that malicious users can forge initiator names. How can this
> feature be useful?
> --
> To unsubscribe from this list: send the line "unsubscribe stgt" in
> the body of a message to majordomo at vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
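
Added example, not part of the original messages and not stgt code: a Python model of the login decision discussed in this thread, showing that a name-only binding accepts a forged initiator name while the same binding combined with CHAP (MD5, RFC 1994) does not. The configuration values, the function names, and the rule that either a bound address or a bound name passes the ACL are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample configuration for one target (all values hypothetical).
TARGET = {
    "addresses": {"192.0.2.10"},                  # bound via --initiator-address
    "names": {"iqn.2011-06.com.example:host1"},   # bound via proposed --initiator-name
    "chap": {"host1": b"constructed-secret"},     # CHAP user -> shared secret
}
NAME = "iqn.2011-06.com.example:host1"

def chap_response(ident, secret, challenge):
    # CHAP with MD5 (RFC 1994): MD5(identifier || secret || challenge)
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def acl_match(target, addr, name):
    # Assumption: an initiator passes if its address OR its name is bound.
    return addr in target["addresses"] or name in target["names"]

def login(target, addr, name, user=None, secret=None, require_chap=True):
    """Simulate one login; `secret` is what the initiator side knows."""
    if not acl_match(target, addr, name):
        return "rejected: not bound"
    if not require_chap:
        return "accepted"
    ident, challenge = 1, os.urandom(16)          # target issues a fresh challenge
    known = target["chap"].get(user)
    if known is None or secret is None:
        return "rejected: CHAP failed"
    answer = chap_response(ident, secret, challenge)    # computed by the initiator
    expected = chap_response(ident, known, challenge)   # computed by the target
    if not hmac.compare_digest(answer, expected):
        return "rejected: CHAP failed"
    return "accepted"

def demo():
    other = "iqn.2011-06.com.example:other"
    return {
        "real host, unregistered NIC": login(TARGET, "192.0.2.11", NAME, "host1", b"constructed-secret"),
        "forged name, name ACL only": login(TARGET, "198.51.100.7", NAME, require_chap=False),
        "forged name, CHAP required": login(TARGET, "198.51.100.7", NAME, "host1", b"guess"),
        "unknown name and address": login(TARGET, "198.51.100.7", other),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The first case is the multi-NIC usage from the message: the host connects from an address that was never registered and is still admitted by name, with CHAP carrying the actual authentication.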

