[stgt] authentication by initiator's name
FUJITA Tomonori
fujita.tomonori at lab.ntt.co.jp
Fri Jun 17 08:31:22 CEST 2011
On Fri, 17 Jun 2011 15:17:34 +0900
Shuko Yasumoto <yasumoto.shuko at jp.fujitsu.com> wrote:
> > I think that malicious users can forge initiator names. How can this
> > feature be useful?
>
> I understand that initiator names can be changed easily, so the security
> of this feature might be poorer than IP authentication.
> But the case "malicious users can forge initiator names" can be protected
> against by combination with CHAP authentication, and my idea is to provide
> this feature in addition to IP authentication.
>
> I think the usage of this feature is the same as IP authentication,
> but there is only a difference in the following usage.
>
> Usage: There is a server which has multiple NICs; the user must check
> which IP is connected to targets and then register one IP
> to targets.
> If this feature is available, the user just registers an initiator
> name instead.
> Based on RFC 3721, I think the initiator name is useful for this
> purpose.
> ===
> An iSCSI Name is a location-independent, permanent identifier for
> an iSCSI node. An iSCSI node has one iSCSI name, which stays
> constant for the life of the node. The terms "initiator name"
> and "target name" also refer to an iSCSI name.
> ===
>
> Background for this proposal is:
> - Above usage.
> - Many storage vendors use the feature, authentication by initiator name.
>
> I would highly appreciate it if you give me comments on this.
I see. Can you send a patch in the proper format (in Linux kernel
style, see doc/README)? Then I can review and merge it.
Thanks,
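The trade-off discussed in this thread, as an added example that is not part of the original messages and is not stgt code: a multi-NIC initiator passes a name-based ACL from any interface, and a forged name passes the ACL too but is stopped by CHAP. The target layout, the "either list matches" ACL semantics, and all names, addresses and the secret are assumptions constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample target configuration: all names, addresses and the
# secret are made up for this illustration.
TARGET = {
    "ip_acl": {"192.0.2.10"},  # only one of the host's NICs was registered
    "name_acl": {"iqn.2011-06.com.example:host1"},
    "chap": {"host1": b"constructed-secret"},
}


def chap_response(ident, secret, challenge):
    """CHAP with MD5 (RFC 1994): MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def chap_ok(target, user, ident, challenge, response):
    """Verify the initiator's CHAP response against the stored secret."""
    secret = target["chap"].get(user)
    if secret is None:
        return False
    expected = chap_response(ident, secret, challenge)
    return hmac.compare_digest(expected, response)


def acl_ok(target, src_ip, initiator_name):
    """Assumed semantics: a match on either the IP list or the name list passes."""
    return src_ip in target["ip_acl"] or initiator_name in target["name_acl"]


def login_allowed(target, src_ip, initiator_name, user, ident, challenge, response):
    """The initiator name is only a claim; CHAP is what proves who is logging in."""
    return (acl_ok(target, src_ip, initiator_name)
            and chap_ok(target, user, ident, challenge, response))
```
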