idnits 2.17.1 draft-ietf-dhc-isnsoption-04.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** Looks like you're using RFC 2026 boilerplate. This must be updated to follow RFC 3978/3979, as updated by RFC 4748. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- ** Missing document type: Expected "INTERNET-DRAFT" in the upper left hand corner of the first page ** The document seems to lack a 1id_guidelines paragraph about 6 months document validity -- however, there's a paragraph with a matching beginning. Boilerplate error? Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack an Introduction section. (A line matching the expected section header was found, but with an unexpected indentation: ' scope is the entire iSNS database. If' ) ** The document seems to lack a Security Considerations section. ** The document seems to lack an IANA Considerations section. (See Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle the case when there are no actions for IANA.) ** There are 176 instances of too long lines in the document, the longest one being 4 characters in excess of 72. Miscellaneous warnings: ---------------------------------------------------------------------------- -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (December 2002) is 7796 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Missing reference section? 'RFC2026' on line 462 looks like a reference -- Missing reference section? 'RFC2119' on line 465 looks like a reference -- Missing reference section? 'ISNS' on line 185 looks like a reference -- Missing reference section? 'DHCP' on line 459 looks like a reference -- Missing reference section? 'SEC-IPS' on line 483 looks like a reference Summary: 7 errors (**), 0 flaws (~~), 0 warnings (==), 7 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 DHC Working Group Josh Tseng 3 INTERNET DRAFT Kevin Gibbons 4 Expires: June 2003 Charles Monia 5 Internet Draft 6 Document: Nishan Systems 7 Category: Standards Track December 2002 9 DHCP Options for Internet Storage Name Service 11 Status of this Memo 13 This document is an Internet-Draft and is in full conformance with 14 all provisions of Section 10 of [RFC2026]. 16 Internet-Drafts are working documents of the Internet Engineering 17 Task Force (IETF), its areas, and its working groups. Note that 18 other groups may also distribute working documents as Internet- 19 Drafts. Internet-Drafts are draft documents valid for a maximum of 20 six months and may be updated, replaced, or made obsolete by other 21 documents at any time. It is inappropriate to use Internet- Drafts 22 as reference material or to cite them other than as "work in 23 progress." 25 The list of current Internet-Drafts can be accessed at 26 http://www.ietf.org/ietf/1id-abstracts.txt 28 The list of Internet-Draft Shadow Directories can be accessed at 29 http://www.ietf.org/shadow.html. 31 Comments 33 Comments should be sent to the IPS mailing list (ips@ece.cmu.edu) or 34 to the authors. 36 Table of Contents 38 DHCP Option Number for iSNS Revision 4 December 2002 40 Status of this Memo...................................................1 41 Comments..............................................................1 42 Abstract..............................................................3 43 Conventions used in this document.....................................3 44 1.Introduction.......................................................3 45 2.iSNS Option for DHCP...............................................4 46 2.1 iSNS Functions Field.............................................5 47 2.2 Discovery Domain Access Field....................................6 48 2.3 Administrative Flags Field.......................................7 49 2.4 iSNS Server Security Bitmap......................................9 50 3.Security Considerations...........................................10 51 4.Normative References..............................................10 52 5.Non-Normative References..........................................11 53 6.Author's Addresses................................................11 54 Full Copyright Statement.............................................12 55 DHCP Option Number for iSNS Revision 4 December 2002 57 Abstract 59 This document describes the DHCP option to allow iSNS clients using 60 DHCP to automatically discover the location of the iSNS server. iSNS 61 provides discovery and management capabilities for iSCSI and Fibre 62 Channel storage devices in an enterprise-scale IP storage network. 63 iSNS provides intelligent storage management services comparable to 64 those found in Fibre Channel networks, allowing a commodity IP 65 network to function in a similar capacity as a storage area network. 67 Conventions used in this document 69 iSNS refers to the framework consisting of the storage network model 70 and associated services. 72 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 73 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in 74 this document are to be interpreted as described in [RFC2119]. 76 All frame formats are in big endian network byte order. RESERVED 77 fields SHOULD be set to zero. 79 This document uses the following terms: 81 "iSNS Client" - iSNS clients are processes resident in iSCSI and 82 iFCP devices that initiate transactions with the iSNS server using 83 the iSNS Protocol. 85 "iSNS Server" - The iSNS server responds to iSNS protocol query and 86 registration messages, and initiates asynchronous notification 87 messages. The iSNS server stores information registered by iSNS 88 clients. 90 "iSCSI (Internet SCSI)" - iSCSI is an encapsulation of SCSI for a 91 new generation of storage devices interconnected with TCP/IP. 93 "iFCP (Internet Fibre Channel Protocol)" - iFCP is a gateway-to- 94 gateway protocol designed to interconnect existing Fibre Channel 95 devices using TCP/IP. iFCP maps the Fibre Channel transport and 96 fabric services to TCP/IP. 98 1. Introduction 100 The Dynamic Host Configuration Protocol provides a framework for 101 passing configuration information to hosts. Its usefulness extends 102 to hosts and devices using the iSCSI and iFCP protocols to connect 103 to block level storage assets over a TCP/IP network. 105 The iSNS Protocol provides a framework for automated discovery, 106 management, and configuration of iSCSI and iFCP devices on a TCP/IP 107 network. It provides functionality similar to that found on Fibre 108 Channel networks, except that iSNS works within the context of an IP 109 network. iSNS thereby provides the requisite storage intelligence 110 to IP networks that are standard on existing Fibre Channel networks. 112 DHCP Option Number for iSNS Revision 4 December 2002 114 Existing DHCP option numbers are not plausible due to the following 115 reasons: 117 a) iSNS functionality is distinctly different from other protocols 118 using existing DHCP option numbers. Specifically, iSNS provides 119 a significant superset of capabilities compared to typical name 120 resolution protocols such as DNS. It is designed to support 121 client devices that allow themselves to be configured and 122 managed from a central iSNS server 124 b) iSNS requires a DHCP option format that provides more than the 125 location of the iSNS server. The DHCP option number needs to 126 specify the subset of iSNS services that will be actively used 127 by the iSNS client. 129 The DHCP option number for iSNS is used by iSCSI and iFCP devices to 130 discover the location and role of the iSNS server. The DHCP option 131 number assigned for iSNS by IANA is <>. 133 2. iSNS Option for DHCP 135 This option specifies the location of the primary and backup iSNS 136 servers and the iSNS services available to an iSNS client. 138 0 1 2 3 139 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 140 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 141 | Code = TBD | Length | iSNS Functions | 142 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 143 | DD Access | Administrative FLAGS | 144 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 145 | iSNS Server Security Bitmap | 146 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 147 | a1 | a2 | a3 | a4 | 148 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 149 | b1 | b2 | b3 | b4 | 150 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 151 | . . . . | 152 | Additional Secondary iSNS Servers | 153 | . . . . | 154 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 155 Figure 1 -- iSNS Server Option 157 The iSNS Option specifies a list of IP addresses used by iSNS 158 servers. The option contains the following parameters: 160 Length: the number of bytes that follow the Length field. The 161 minimum value for the Length field is 6 in order to account 162 for the iSNS Functions, Discovery Domain Access, and 163 Administrative Flags fields. 165 iSNS Functions: A bitmapped field defining the functions supported 166 by the iSNS servers. The format of this field is described 167 in section 2.1. 169 DHCP Option Number for iSNS Revision 4 December 2002 171 Discovery Domain Access: A bit field indicating the types of iSNS 172 clients that are allowed to modify Discovery Domains. The 173 field contents are described in section 2.2. 175 Administrative Flags field: Contains the administrative settings for 176 the iSNS servers discovered through the DHCP query. The 177 contents of this field are described in section 2.3. 179 iSNS Server Security Bitmap: Contains the iSNS server security 180 settings specified in section 2.4. 182 a1...a4: Depending on the setting of the Heartbeat bit in the 183 Administrative Flags field (see section 2.3), this field 184 contains either the IP address from which the iSNS heartbeat 185 originates (see [ISNS]) or the IP address of the primary 186 iSNS server. 188 b1...b4: Depending on the setting of Heartbeat bit in the 189 Administrative Flags field (see section 2.3), this field 190 contains either the IP address of the primary iSNS server or 191 a secondary iSNS server. 193 Additional Secondary iSNS Servers: Each set of four octets specifies 194 the IP address of a secondary iSNS server. 196 2.1 iSNS Functions Field 198 The iSNS Functions Field defines the iSNS server's operational role 199 (i.e., how the iSNS server is to be used). The iSNS server's role 200 can be as basic as providing simple discovery information, or as 201 significant as providing IKE/IPSec security policies and 202 certificates for the use of iSCSI and iFCP devices. The format of 203 the iSNS Role bit field is shown in Figure 2: 205 1 2 3 206 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 207 +--+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 208 |Vendor-Specific |RESERVED |S|A|E| 209 +--+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 210 Figure 2 -- iSNS Functions 212 Bit field Significance 213 --------- ------------ 214 31 Function Fields Enabled 215 30 DD-Based Authorization 216 29 Security policy distribution 217 28 - 24 Reserved 218 23 - 16 Vendor-specific 220 Enabled: This bit specifies the validity of the 221 remaining iSNS Function fields. If set to 222 one, then the contents of all other iSNS 223 Function fields are valid. If set to zero, 224 then the contents of all other iSNS 226 DHCP Option Number for iSNS Revision 4 December 2002 228 Function fields MUST be ignored. 230 DD-based Indicates whether or not devices in a 231 Authorization: common Discovery Domain (DD) are implicitly 232 authorized to access one another. Although 233 Discovery Domains control the scope of 234 device discovery, they do not necessarily 235 indicate whether or not a domain member is 236 authorized to access discovered devices. 237 If this bit is set to one, then devices in 238 a common Discovery Domain are automatically 239 allowed access to each other (if 240 successfully authenticated). If this bit 241 is set to zero, then access authorization 242 is not implied by domain membership and 243 must be explicitly performed by each 244 device. In either case, devices not in a 245 common discovery domain are not allowed to 246 access each other. 248 Security: Indicates whether the iSNS client is to 249 download and use the security policy 250 configuration stored in the iSNS server. 251 If set to one, then the policy is stored in 252 the iSNS server and must be used by the 253 iSNS client for its own security policy. 254 If set to zero, then the iSNS client must 255 obtain its security policy configuration by 256 other means. 258 Vendor- These bits are used to indicate the vendor- 259 Specific: specific capabilities supported by the 260 indicated iSNS server. 262 2.2 Discovery Domain Access Field 264 The format of the DD Access bit field is shown in 265 Figure 3: 267 0 1 2 3 4 5 6 ... 15 268 +---+---+---+---+---+---+---+---+---+ 269 | if| tf| is| ts| C | E | Reserved | 270 +---+---+---+---+---+---+---+---+---+ 271 Figure 3 -- Discovery Domain Access 273 DHCP Option Number for iSNS Revision 4 December 2002 275 Bit field Significance 276 --------- ------------ 277 0 iFCP Initiator Port 278 1 iFCP Target Port 279 2 iSCSI Initiator 280 3 iSCSI Target 281 4 Control Node 282 5 Enabled 283 6 ... 15 Reserved 285 Enabled: This bit specifies the validity of the 286 remaining DD Access bit fields. If this 287 bit is set to one, then the contents of 288 the remainder of the DD Access field are 289 valid. If this bit is set to zero, then 290 the contents of the remainder of this 291 field MUST be ignored. 293 Control Node: Specifies whether the iSNS server allows 294 Discovery Domains to be added, modified 295 or deleted by means of Control Nodes. If 296 set to one, then Control Nodes are 297 allowed to modify the Discovery Domain 298 configuration. If set to zero, then 299 Control Nodes are not allowed to modify 300 Discovery Domain configurations. 302 iSCSI Target, These bits determine whether the 303 iSCSI Initiator, respective registered iSNS client 304 iFCP Target Port, (determined by iSCSI Node Type or iFCP 305 iFCP Initiator Port Role) is allowed to add, delete, or 306 Port: modify Discovery Domains. If set to 307 one, then modification by the specified 308 client type is allowed. If set to zero, 309 then modification by the specified 310 client type is not allowed. 312 (A node may implement multiple node 313 types.) 315 2.3 Administrative Flags Field 317 The format of the Administrative Flags bit field is shown in 318 Figure 4: 320 DHCP Option Number for iSNS Revision 4 December 2002 322 1 2 3 323 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 324 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 325 | RESERVED |D|M|H|E| 326 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 327 Figure 4 -- Administrative Flags 329 Bit Field Significance 330 --------- ------------ 331 31 Enabled 332 30 Heartbeat 333 29 Management SCNs 334 28 Default Discovery Domain 335 27 - 16 RESERVED 337 Enabled: Specifies the validity of the remainder 338 of the Administrative Flags field. If 339 set to one, then the contents of the 340 remaining Administrative Flags are 341 valid. If set to zero, then the 342 remaining contents MUST be ignored, 343 indicating that iSNS administrative 344 settings are obtained through means 345 other than DHCP. 347 Heartbeat: Indicates whether the first IP address 348 is the multicast address to which the 349 iSNS heartbeat message is sent. If set 350 to one, then a1-a4 contains the 351 heartbeat multicast address and b1-b4 352 contains the IP address of the primary 353 iSNS server, followed by the IP 354 address(es) of any backup servers. If 355 set to zero, then a1-a4 contains the IP 356 address of the primary iSNS server, 357 followed by the IP address(es) of any 358 backup servers. 360 Management SCNs: Indicates whether control nodes are 361 authorized to register to receive 362 Management State Change Notifications 363 (SCN's). Management SCN's are a special 364 class of State Change Notification whose 365 scope is the entire iSNS database. If 366 set to one, then control nodes are 367 authorized to register to receive 368 Management SCN's. If set to zero, then 369 control nodes are not authorized to 370 receive Management SCN's (although they 371 may receive normal SCN's). 373 Default Discovery Indicates whether a newly registered 374 device that is not explicitly placed 376 DHCP Option Number for iSNS Revision 4 December 2002 378 Domain: into a Discovery Domain (DD) and 379 Discovery Domain Set (DDS) should be 380 automatically placed into a default DD 381 and DDS. If set to one, then a default 382 DD shall contain all devices in the iSNS 383 database that have not been explicitly 384 placed into a DD by an iSNS client. If 385 set to zero, then devices not explicitly 386 placed into a DD are not members of any 387 DD. 389 2.4 iSNS Server Security Bitmap 391 The format of the iSNS server security Bitmap field is shown in 392 Figure 5. If valid, this field communicates to the DHCP client the 393 security settings that are required to communicate with the 394 indicated iSNS server. 396 0 1 2 3 397 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 398 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 399 | Reserved |T|X|P|A|M|S|E| 400 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 401 Figure 5 -- iSNS Server Security Bitmap 403 Bit Field Significance 404 --------- ---------------- 405 31 Enabled 406 30 IKE/IPSec 407 29 Main Mode 408 28 Aggressive Mode 409 27 PFS 410 26 Transport Mode 411 25 Tunnel Mode 412 24 -- 0 Reserved 414 DHCP Option Number for iSNS Revision 4 December 2002 416 Enabled This bit specifies the validity of the 417 remainder of the iSNS server security 418 bitmap. If set to one, then the contents 419 of the remainder of the field are valid. 420 If set to zero, then the contents of the 421 rest of the field are undefined and MUST 422 be ignored. 424 IKE/IPSec 1 = IKE/IPSec enabled; 0 = IKE/IPSec 425 disabled. 427 Main Mode 1 = Main Mode enabled; 0 = Main Mode 428 disabled. 430 Aggressive Mode 1 = Aggressive mode enabled; 0 = 431 Aggressive mode disabled. 433 PFS 1 = PFS enabled; 0 = PFS disabled. 435 Transport Mode 1 = Transport mode preferred; 0 = No 436 preference. 438 Tunnel Mode 1 = Tunnel mode preferred; 0 = No 439 preference. 441 3. Security Considerations 443 DHCP currently provides no authentication or security mechanisms. 444 Potential exposures to attack are discussed in section 7 of the DHCP 445 protocol specification [DHCP]. 447 iSNS security considerations are discussed in [iSNS] and [SEC-IPS]. 448 With regard to security considerations specific to the use of this 449 DHCP option to discover the location of the iSNS server, exposure to 450 a "man-in-the-middle" attack by an hostile entity modifying or 451 replacing the original iSNS option message should be considered a 452 potential security exposure. To prevent an attacker from weakening 453 the required security and potentially tricking the iSNS client into 454 connecting into rogue iSNS servers, reliance on local security 455 policy configuration is an appropriate countermeasure. 457 4. Normative References 459 [DHCP] Droms, R., "Dynamic Host Configuration Protocol", RFC 460 2131, Bucknell University, March 1997. 462 [RFC2026] Bradner, S., "The Internet Standards Process -- 463 Revision 3", BCP 9, RFC 2026, October 1996 465 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 466 Requirement Levels", BCP 14, RFC 2119, March 1997 468 DHCP Option Number for iSNS Revision 4 December 2002 470 5. Non-Normative References 472 [iFCP] Monia, C., et al., "iFCP - A Protocol for Internet Fibre 473 Channel Storage Networking", Internet draft (work in 474 progress), draft-ietf-ips-ifcp-13.txt, May 2002 476 [iSCSI] Satran, J., et al., "iSCSI", Internet draft (work in 477 progress), draft-ietf-ips-iSCSI-15.txt, August 2002 479 [iSNS] Tseng, J. et al., "iSNS - Internet Storage Name 480 Service", Internet draft (work in progress), draft-ietf- 481 ips-isns-12.txt, August 2002 483 [SEC-IPS] Aboba, B., et al., "Securing IP Block Storage 484 Protocols", draft-ietf-ips-security-14.txt, June 2002 486 6. Author's Addresses 488 Kevin Gibbons, 489 Charles Monia, 490 Josh Tseng 492 Nishan Systems 493 3850 North First Street 494 San Jose, CA 95134-1702 495 Phone: (408) 519-3700 496 Email: cmonia@nishansystems.com 497 jtseng@nishansystems.com 498 kgibbons@nishansystems.com 500 Full Copyright Statement 502 "Copyright (C) The Internet Society December 2002. All Rights 503 Reserved. This document and translations of it may be copied and 504 furnished to others, and derivative works that comment on or 505 otherwise explain it or assist in its implementation may be 506 prepared, copied, published and distributed, in whole or in part, 507 without restriction of any kind, provided that the above copyright 508 notice and this paragraph are included on all such copies and 509 derivative works. However, this document itself may not be modified 510 in any way, such as by removing the copyright notice or references 511 to the Internet Society or other Internet organizations, except as 512 needed for the purpose of developing Internet standards in which 513 case the procedures for copyrights defined in the Internet Standards 514 process must be followed, or as required to translate it into 515 languages other than English. 517 The limited permissions granted above are perpetual and will not be 518 revoked by the Internet Society or its successors or assigns. 520 This document and the information contained herein is provided on an 521 "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING 522 TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING 523 BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION 524 HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF 525 MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE."