[stgt] authentication by initiator's name
Shuko Yasumoto
yasumoto.shuko at jp.fujitsu.com
Fri Jun 17 08:17:34 CEST 2011
Hi,
Thank you for your response.
> I think that malicious users can forge initiator names. How can this
> feature be useful?
I understand that initiator names can be changed easily, so the security
of this feature might be poorer than IP authentication.
But the case "malicious users can forge initiator names" can be protected
against by combination with CHAP authentication, and my idea is to provide this
feature in addition to IP authentication.
I think the usage of this feature is the same as IP authentication,
but there is only a difference in the following usage.
Usage: There is a server which has multiple NICs; the user must check
which IP is connected to targets and then register one IP
to targets.
If this feature is available, the user just registers an initiator
name instead.
Based on RFC 3721, I think the initiator name is useful for this
purpose.
===
An iSCSI Name is a location-independent, permanent identifier for
an iSCSI node. An iSCSI node has one iSCSI name, which stays
constant for the life of the node. The terms "initiator name"
and "target name" also refer to an iSCSI name.
===
Background for this proposal is:
- Above usage.
- Many storage vendors use the feature, authentication by initiator name.
I would highly appreciate it if you could give me comments on this.
Best Regards,
Hisashi Osanai (from colleague's email)
On Fri, 17 Jun 2011 01:28:22 +0900
FUJITA Tomonori <fujita.tomonori at lab.ntt.co.jp> wrote:
> On Thu, 16 Jun 2011 15:10:09 +0900
> Shuko Yasumoto <yasumoto.shuko at jp.fujitsu.com> wrote:
>
> > Dear developers,
> >
> > # My colleague tried to send the following email several times
> > # but it didn't work and he couldn't find out the reason so I send
> > # this email on behalf of him (Hisashi Osanai).
> >
> > I would like to have the following command option "--initiator-name"
> > in addition to the option "--initiator-address" to realize not showing targets
> > to initiators by initiators' names (iqn).
> >
> > --lld <driver> --mode target --op bind --tid <id> --initiator-address
> > <address> [--initiator-name <name>]
> > --lld <driver> --mode target --op unbind --tid <id> {--initiator-address
> > <address> | --initiator-name <name>}
> >
> > What do you think about the necessity of this function?
>
> I think that malicious users can forge initiator names. How can this
> feature be useful?
> --
> To unsubscribe from this list: send the line "unsubscribe stgt" in
> the body of a message to majordomo at vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
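Added example, not part of the original thread and not tgt code: a minimal model of the point discussed above, comparing an ACL on the claimed initiator name alone with the same ACL combined with CHAP (RFC 1994 MD5 response, as used by iSCSI). The function names, the IQN and the secret are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data: the target's name ACL and per-initiator CHAP secrets.
ALLOWED_INITIATORS = {"iqn.2011-06.com.example:host1"}
CHAP_SECRETS = {"iqn.2011-06.com.example:host1": b"constructed-secret-16b"}


def chap_response(identifier, secret, challenge):
    """RFC 1994 CHAP with MD5: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def new_challenge():
    """Target side: a fresh identifier and random challenge for every login."""
    return os.urandom(1)[0], os.urandom(16)


def name_only_check(initiator_name):
    """ACL on the claimed name alone: whoever sends a listed string passes."""
    return initiator_name in ALLOWED_INITIATORS


def name_and_chap_check(initiator_name, identifier, challenge, response):
    """Name ACL selects the entry; CHAP proves knowledge of its secret."""
    if initiator_name not in ALLOWED_INITIATORS:
        return False
    secret = CHAP_SECRETS.get(initiator_name)
    if secret is None:
        return False  # a listed name without a secret is rejected, not trusted
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)  # constant-time compare


def login(initiator_name, secret_held_by_client):
    """Simulate one login: target issues a challenge, client answers it."""
    identifier, challenge = new_challenge()
    response = chap_response(identifier, secret_held_by_client, challenge)
    return name_and_chap_check(initiator_name, identifier, challenge, response)
```

With the name ACL alone, the check depends only on a string the client chooses; with CHAP added, the same name is accepted only together with a response computed from the shared secret over a fresh challenge, so a recorded response does not verify against a later challenge.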