[stgt] authentication by initiator's name

FUJITA Tomonori fujita.tomonori at lab.ntt.co.jp
Fri Jun 17 08:31:22 CEST 2011


On Fri, 17 Jun 2011 15:17:34 +0900
Shuko Yasumoto <yasumoto.shuko at jp.fujitsu.com> wrote:

> > I think that malicious users can forge initiator names. How can this
> > feature be useful?
> 
> I understand that initiator names can be changed easily, so the security
> of this feature might be poorer than IP authentication.
> But the case "malicious users can forge initiator names" can be protected
> against by combination with CHAP authentication, and my idea is to provide
> this feature in addition to IP authentication.
> 
> I think the usage of this feature is the same as IP authentication,
> but the only difference is in the following usage.
> 
> Usage  : There is a server which has multiple NICs; the user must check
>          which IP is connected to targets and then register one IP
>          to targets.
>          If this feature is available, the user just registers an initiator
>          name instead.
>          Based on RFC 3721, I think the initiator name is useful for this
>          purpose.
>          ===
>          An iSCSI Name is a location-independent, permanent identifier for 
>          an iSCSI node.  An iSCSI node has one iSCSI name, which stays 
>          constant for the life of the node.  The terms "initiator name" 
>          and "target name" also refer to an iSCSI name.
>          ===
> 
> Background for this proposal is:
> - Above usage.
> - Many storage vendors use the feature, authentication by initiator name.
> 
> I would highly appreciate it if you could give me comments on this.

I see. Can you send a patch in the proper format (in Linux kernel
style, see doc/README)? Then I can review and merge it.

Thanks,

--
To unsubscribe from this list: send the line "unsubscribe stgt" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
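
The trade-off discussed in this thread, as an added example that is not part of the original messages and is not tgt code: a small Python model of target-side login admission comparing an IP ACL, an initiator-name ACL, and a name ACL combined with CHAP (RFC 1994 response). The target layout, the `login` and `scenarios` helpers, the addresses, the initiator name and the secret are all constructed for illustration, and how the ACLs combine is an assumption of this model.

```python
import hashlib
import hmac
import os

HOST = "iqn.2011-06.com.example:host1"   # constructed initiator name
SECRET = b"constructed-chap-secret"      # constructed CHAP secret

def chap_response(ident, secret, challenge):
    """RFC 1994 CHAP response: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def login(target, src_ip, initiator_name, chap_user=None, chap_secret=b""):
    """Simulate one login; return (admitted, reason).

    Model assumption: an ACL that is configured must match, an absent one is
    not enforced, and CHAP is required when the target has accounts.
    """
    if "ip_acl" in target and src_ip not in target["ip_acl"]:
        return False, "ip-acl"
    if "name_acl" in target and initiator_name not in target["name_acl"]:
        return False, "name-acl"
    accounts = target.get("chap", {})
    if accounts:
        ident, challenge = os.urandom(1)[0], os.urandom(16)
        # Initiator side: answers the challenge with the secret it holds.
        response = chap_response(ident, chap_secret, challenge)
        # Target side: recompute from the stored secret, compare in constant time.
        known = accounts.get(chap_user)
        if known is None or not hmac.compare_digest(
                response, chap_response(ident, known, challenge)):
            return False, "chap"
    return True, "ok"

def scenarios():
    ip_only = {"ip_acl": {"192.0.2.10"}}
    name_only = {"name_acl": {HOST}}
    name_chap = {"name_acl": {HOST}, "chap": {"host1": SECRET}}
    return {
        # Multi-NIC host connecting from its second, unregistered address.
        "ip_only/second_nic": login(ip_only, "192.0.2.11", HOST),
        "name_only/second_nic": login(name_only, "192.0.2.11", HOST),
        # Another machine that simply configures the same initiator name.
        "name_only/forged_name": login(name_only, "198.51.100.7", HOST),
        "name_chap/forged_name": login(name_chap, "198.51.100.7", HOST),
        "name_chap/second_nic": login(name_chap, "192.0.2.11", HOST, "host1", SECRET),
    }

if __name__ == "__main__":
    for case, result in scenarios().items():
        print(f"{case:24} {result}")
```

In this model the name ACL removes the need to register each NIC address, while only the CHAP step distinguishes the real host from one that reuses its name.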


