IPS                                                          Mark Bakke
Internet Draft                                                    Cisco
draft-ietf-ips-iscsi-name-disc-05.txt
Draft Title: iSCSI Naming and Discovery                      Jim Hafner
                                                           John Hufferd
                                                     Kaladhar Voruganti
                                                                    IBM

                                                       Marjorie Krueger
                                                        Hewlett-Packard

                                                           Joshua Tseng
                                                          Nishan Systems


                      iSCSI Naming and Discovery

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026 except that the right to
   produce derivative works is not granted.  Internet-Drafts are working
   documents of the Internet Engineering Task Force (IETF), its areas,
   and its working groups.
   Note that other groups may also distribute working documents as
   Internet-Drafts.  Internet-Drafts are draft documents valid for a
   maximum of six months and may be updated, replaced, or obsoleted by
   other documents at any time.  It is inappropriate to use
   Internet-Drafts as reference material or to cite them other than as
   "work in progress."  The list of current Internet-Drafts can be
   accessed at http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

Comments

   Comments should be sent to the ips mailing list (ips@ece.cmu.edu) or
   to kaladhar@us.ibm.com

Abstract

   This document describes iSCSI [7] naming and discovery details.  This
   document complements the iSCSI Protocol draft.  Flexibility is the key
   guiding principle behind this document.  That is, an effort has been
   made to satisfy the needs of both small isolated environments, as well
   as large environments requiring secure/scalable solutions.

Internet Draft             Naming and Discovery                        2

Acknowledgements

   Joe Czap (IBM), Howard Hall (Pirus), Jack Harwood (EMC), Yaron Klein
   (SANRAD), Larry Lamers (SAN Valley Systems), and Todd Sperry (Adaptec)
   have participated and made contributions during the weekly Naming and
   Discovery teleconferences.

Conventions used in this document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC-2119.

Voruganti, K.           Informational-Track          Expires August 2002

Table of Contents

   1. iSCSI Naming Philosophy ......................................  3
   2. iSCSI Names ..................................................  4
   3.
      iSCSI ISID ................................................... 17
   4. iSCSI Discovery .............................................. 20
   5. Appendix A: iSCSI Naming Notes ............................... 22
   6. Appendix B: Proxy Description ................................ 23
   7. Appendix C: iSCSI Names and Security Identifiers ............. 26
   8. References ................................................... 27
   9. Author's Addresses ........................................... 29

1. iSCSI Naming Philosophy

   The notion of an iSCSI name is required at both the targets and at
   the initiators.  An iSCSI name is required at the target because it
   uniquely identifies a target as a storage resource for the
   initiators.  An iSCSI initiator name is required at the initiator
   because it helps to uniquely identify an initiator for the purpose of
   target resource allocation (i.e., which initiator has access to which
   target resource).  The iSCSI name is also used to provide a mechanism
   for world wide unique identification of SCSI Initiator Ports
   (analogous to FC WWPortnames).  The SCSI port name is used by SCSI
   during SCSI reservations, SCSI initiator specific task queue
   management and SCSI mode page management.  Furthermore, iSCSI
   initiator names can also potentially be used by software layers such
   as security and management software to uniquely identify initiators
   to targets.

   It is necessary for the iSCSI names to be unique within the operation
   domain of the end user.  However, since user operation domains can
   potentially merge with other user operation domains, the iSCSI naming
   mechanism has been architected to ensure world wide uniqueness.  In
   order to ensure world wide name uniqueness, iSCSI provides for the use
   of different types of naming authority mechanisms.
   Furthermore, iSCSI names are associated with iSCSI nodes instead of
   with network adapter cards to ensure the free movement of network
   HBAs between hosts without carrying over the SCSI state information
   (reservations, mode page settings, etc.).

   Since there can be multiple separate iSCSI sessions (via different
   iSCSI ports) between the same iSCSI initiator and target nodes,
   iSCSI has introduced the notion of an initiator session id (ISID)
   and a target session id (TSID) to help in uniquely identifying each
   of the iSCSI sessions.  The ISID and the TSID are not global
   identifiers but together uniquely identify a session only within the
   context of a given named iSCSI initiator and iSCSI target.

   In addition to the mandatory iSCSI concepts of iSCSI initiator name,
   iSCSI target name, ISID and TSID, iSCSI also optionally allows for
   the specification of initiator and target aliases.  Initiator and
   target aliases are optional constructs which help the users to
   associate semantic meanings with a particular initiator or target.

2. iSCSI Names

   The main addressable, discoverable entity in iSCSI is an iSCSI Node.
   An iSCSI node can be either an initiator, a target, or both.

   The concepts of names and addresses have been carefully separated in
   iSCSI:

   - An iSCSI Name is a location-independent, permanent identifier for
     an iSCSI node.  An iSCSI node has one iSCSI name, which stays
     constant for the life of the node.  The terms "initiator name" and
     "target name" also refer to an iSCSI name.

   - An iSCSI Address specifies not only the iSCSI name of an iSCSI
     node, but also a location of that node.  The address consists of a
     host name or IP address, a TCP port number (for the target), and
     the iSCSI Name of the node.
     An iSCSI node can have any number of addresses, which can change at
     any time, particularly if they are assigned via DHCP.

   A similar analogy exists for people.  A person in the USA might be:

      Robert Smith
      SSN: 333-44-5555
      Phone: +1 (763) 555.1212
      Home Address: 555 Big Road, Minneapolis, MN 55444
      Work Address: 222 Freeway Blvd, St. Paul, MN 55333

   In this case, Robert's globally unique name is really his Social
   Security Number; his common name, "Robert Smith", is not guaranteed
   to be unique.  Robert has three locations at which he may be reached:
   two physical addresses, and a phone number.  In this example,
   Robert's SSN is like the iSCSI Name, his phone number and addresses
   are analogous to the iSCSI Address, and "Robert Smith" would be a
   human-friendly label for this person.

2.1. iSCSI Name Requirements

   Each iSCSI node, whether an initiator or target, must have an iSCSI
   name.

   iSCSI names may be assigned by a hardware manufacturer, software
   manufacturer, or the end user.  A naming authority scheme is provided
   to ensure that each of these can confidently generate unique names.

   iSCSI names are designed to fulfill the following requirements:

   1. iSCSI names are globally unique.  No two initiators or targets
      should have the same name.

   2. iSCSI names are permanent.  An iSCSI initiator or target has the
      same name for its lifetime.

   3. iSCSI names do not imply a location or address.  An iSCSI
      initiator or target can move, or have multiple addresses.  A
      change of address does not cause a change of name.

   4. iSCSI names must not rely on a central name broker; the naming
      authority must be distributed.

   5. iSCSI names must support integration with existing unique naming
      schemes.

   6. iSCSI names must rely on existing naming authorities.
      iSCSI must not create its own naming authority.

   The encoding of an iSCSI name also has some requirements:

   1. iSCSI names have one single encoding method when transmitted over
      various protocols.

   2. iSCSI names must be relatively simple to compare.  The algorithm
      for comparing two iSCSI names for equivalence must not rely on any
      external server.

   3. iSCSI names must be transcribable by humans.  iSCSI names should
      be kept as simple as possible, and should not use more than a few
      special characters.  They must provide for the use of
      international character sets, and must not allow the use of
      different names that would be identical except for their case.
      Whitespace characters must not be allowed.

   4. iSCSI names must be transport-friendly.  They must be transported
      using both binary and ASCII-based protocols, as well as on paper.

   An iSCSI Name really names a logical software entity, and is not tied
   to a port or other hardware that can be changed.  For instance, an
   initiator name should name the iSCSI initiator node, and not a
   particular NIC or HBA card.  When multiple NICs are used, they should
   generally all present the same iSCSI initiator name to the targets,
   since they really belong to the same entity.  In most operating
   systems, the named entity is the operating system image.  Most hosts
   will have a single OS running; some of the really big ones could have
   multiples.

   A target name should similarly not be tied to hardware interfaces
   which can be changed.  A target name should identify the logical
   target, and must be the same for the target regardless of the
   physical portion being addressed.  This gives iSCSI initiators an
   easy way to determine that two targets they have discovered are
   really two paths to the same target.
   The iSCSI Name is designed to fulfill the functional requirements for
   Uniform Resource Names (URN) [RFC1737].  Among these requirements are
   that the name must have a global scope, independent of address or
   location, and that it be persistent and globally unique.  It must be
   extensible, and scale with the use of naming authorities.  The
   encoding of the name should be transcribable by a human, as well as
   be machine-readable.  There are other requirements as well; please
   read RFC1737 (only 5 pages) for definitions of these requirements.

2.2. iSCSI Name Encoding

   An iSCSI name is a UTF-8 encoding of a string of Unicode characters,
   with the following properties, described in [26]:

   - it is in Normalization Form C [25]

   - it contains only the following types of characters:

     - ASCII dash character ('-'=U+002d)
     - ASCII dot character ('.'=U+002e)
     - Any character allowed by the output of the iSCSI stringprep
       template [26]

   - when encoded in UTF-8, it is no more than 255 bytes

   The stringprep process is described in [24]; iSCSI's use of the
   stringprep process is described in [26].  Stringprep is a method
   designed by the Internationalized Domain Name (IDN) working group to
   translate human-typed strings into a format that can be compared as
   opaque strings, and does not include punctuation, spacing, diacritical
   marks, or other characters that could get in the way of
   transcribability.  It also converts everything into its equivalent of
   lower case.

   Note that in most cases, the stringprep process does not need to be
   implemented:

   - If the names are just generated using lower-case (in any character
     set) plus digits, no normalization is required.

   - If the names are generated from some other all-ASCII string,
     tolower() normalizes and isalnum() verifies.
   - If the names are generated from more general, internationalized
     text, either the equivalent of tolower() and isalnum() appropriate
     to the character set may be used, or the full stringprep procedure
     can be used.

   When included in Text or Login messages, an iSCSI Name MUST be
   formatted in UTF-8 form.

   Since iSCSI names encoded in UTF-8 are "normalized" (there is one and
   only one representation for each possible name), they may be safely
   compared byte-for-byte.

   The iSCSI Name may be displayed by user interfaces, but its contents
   are not parsed or interpreted by initiators and targets themselves.

2.3. iSCSI Name Structure

   An iSCSI name consists of two parts: a type designator, followed by a
   unique name string.

   The iSCSI Name does not define any new naming authorities.  Instead,
   it supports two existing authorities: an iSCSI-Qualified Name, using
   domain names as an authority, similar to the Java class naming
   hierarchy, and the EUI format used in Fibre Channel world-wide names.

   Since there are different types of naming authorities, there are
   different types of iSCSI Names to make use of them.  Each name is
   prefixed with a short type designator string that indicates the type
   of naming authority being used.

   Here are the type designator strings that may currently be used:

      iqn. - iSCSI Qualified Name
      eui. - Remainder of the string is an EUI-64 address, in ASCII
             hexadecimal.

   As these two naming authorities will suffice in nearly every case for
   both software and hardware-based entities, the creation of additional
   type designators is discouraged.  One of these two type strings MUST
   be used when constructing an iSCSI name; any type string not listed
   here is not allowed, as they cannot be guaranteed to be unique.

2.3.1. Type "iqn."
       (iSCSI Qualified Name)

   This iSCSI name type can be used by any organization which owns a
   Domain Name.  This naming format is handy when an end user or service
   provider wishes to assign the iSCSI Name for a target or initiator.
   Customers which own domain names may not own an EUI, OUI, SCSI Vendor
   ID, or any of the other assigned identifiers that could be used as a
   naming authority.

   To generate names of this type, the person or organization generating
   the name must own a DNS domain name.  This name does not have to be
   active, and does not have to resolve to an address; it just needs to
   be reserved to prevent others from generating iSCSI names using the
   same domain name.  For example, "ACME Storage Arrays, Inc." might own
   the domain "acme.com".

   Since a domain name can expire, be acquired by another entity, and be
   used to generate iSCSI names by both owners, the domain name must be
   additionally qualified by a date during which the naming authority
   owned the domain name.  A date code is provided as part of the IQN
   format for this reason.

   The iSCSI qualified name string consists of:

   - The string "iqn.", used to distinguish these names from other
     types, such as "eui".

   - A date code, in yyyy-mm format.  This date code uses the Gregorian
     calendar.  All four digits in the year must be present.  Both
     digits of the month must be present, with January == "01" and
     December == "12".  The dash must be present.  The date reflected in
     this code MUST be a date during which the naming authority owned
     the domain name used in this format, and SHOULD be the date on
     which the domain name was acquired by the naming authority.

   - Another ".".

   - A reversed domain name, owned by the person or organization
     creating the iSCSI name.
     For example, our storage vendor example would reverse its name to
     "com.acme".

   - Another ".".

   - Any string, within the character set and length boundaries, that
     the owner of "acme.com" deems appropriate.  This may contain
     product types, serial numbers, host identifiers, software keys, or
     anything else that makes sense to uniquely identify the initiator
     or target.

   Everything after the backwards domain name, followed by another dot
   ".", can be assigned as needed by the owner of the domain name.  It is
   the responsibility of the Organizational (Company) naming authority to
   ensure that the iSCSI names it assigns are world wide unique.

   iSCSI has given the Organizational naming authority additional
   flexibility by permitting it to hand out local naming authority to
   subordinate organizations.  In this way it will be possible for the
   Organizational naming authority to assign, for example, the string
   "storage" to one subgroup naming authority and "storage.tape" to
   another.  In this case the subgroups may add a ":" following their
   assigned subgroup string to ensure ongoing uniqueness.  For example:
   "storage:" and "storage.tape:".  Also, additional sub-qualifiers can
   be assigned and separated by a "." as explained above.

   Using this approach, the subgroup with the sub-naming authority string
   of "storage" might, over time, also create some Tape products.  In
   this case, both subgroups might use the same qualifying names.  It
   would be expected in this case that a naming conflict might occur;
   however, by using the ":" appropriately the conflicts can be avoided.
   In this example com.acme.storage:tape.sys1.xyz and
   com.acme.storage.tape:sys1.xyz would not be in conflict even though
   the same sub-names are used.
   The following are examples of iSCSI qualified names from an equipment
   vendor:

                    Organization  Subgroup and/or string
                    Naming        Defined by Org. or Local
      Type Date     Auth          Naming Authority
      +-+ +-----+ +------+ +--------------------------------+
      | | |     | |      | |                                |

      iqn.2001-04.com.acme.diskarrays-sn-a8675309
      iqn.2001-04.com.acme.storage:tape.sys1.xyz
      iqn.2001-04.com.acme.storage.tape:sys1.xyz

   Where:

      "iqn" specifies the use of the iSCSI qualified name as the
      authority.

      "2001-04" is the year and month on which the naming authority
      acquired the domain name used in this iSCSI name.

      "com.acme" defines the Organizational naming authority.  The owner
      of the DNS name "acme.com" has the sole right of use of this name
      within an iSCSI name, as well as the responsibility to keep the
      remainder of the iSCSI name unique.  In this case, acme.com
      happens to manufacture disk arrays.

      "diskarrays" was picked arbitrarily by acme.com to identify the
      disk arrays they manufacture.  Another product that ACME makes
      might use a different name, and have its own namespace independent
      of the disk array group.

      "sn" was picked by the disk array group of ACME to show that what
      follows is a serial number.  They could have just assumed that all
      iSCSI Names are based on serial numbers, but they thought that
      perhaps later products might be better identified by something
      else.  Adding "sn" was a future-proof measure.

      "a8675309" is the serial number of the disk array, uniquely
      identifying it from all other arrays.

      "storage:" is the string that represents another sub-naming
      authority.

      "storage.tape:" is still another sub-naming authority.

      "sys1.xyz" is a naming sub-qualifier.
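   The encoding rules of section 2.2 and the iqn./eui. structure of
   section 2.3 are easy to get subtly wrong in a login handler, so here
   is an added Python example, not code from the draft or from any iSCSI
   implementation, that normalizes a name, checks its length, character
   set, type designator, date code and first domain label, splits an iqn
   name at the first ":" into the organizational and subgroup-assigned
   parts (the subgroup convention described above), and compares two
   names byte for byte.  The IscsiName class, the function names and the
   rejected sample names are this example's own; the exact ASCII
   character set, the top-level-domain list, and lower case plus NFC
   standing in for the full stringprep template [26] are assumptions,
   marked as such in the code.

```python
"""Normalize, validate, parse and compare iSCSI names (sections 2.2, 2.3).

Added example, not code from the draft or from any iSCSI implementation.
Assumptions are marked in comments: the ASCII character set, the TLD list,
and lower case + NFC standing in for the full stringprep template [26].
"""
import re
import string
import unicodedata
from dataclasses import dataclass
from typing import Optional

MAX_NAME_BYTES = 255                                   # section 2.2
DATE_CODE = re.compile(r"^[0-9]{4}-(0[1-9]|1[0-2])$")  # yyyy-mm, all digits present
EUI64_HEX = re.compile(r"^[0-9a-f]{16}$")              # EUI-64 as 16 hex digits
# Assumption: the TLDs the draft lists plus any two-letter country code;
# extend this for top-level domains created after the draft was written.
TOP_LEVEL = re.compile(r"^(com|edu|gov|org|net|mil|[a-z]{2})$")


@dataclass(frozen=True)
class IscsiName:
    type_designator: str             # "iqn" or "eui"
    date_code: Optional[str]         # "yyyy-mm" for iqn, None for eui
    top_level_domain: Optional[str]  # first label after the date code
    authority_string: str            # iqn: reversed domain plus any labels
                                     # before the first ':'; eui: hex digits
    local_string: Optional[str]      # iqn: the part after the first ':'


def normalize(raw: str) -> str:
    """One representation per name: NFC plus lower case (the shortcut the
    draft allows for simple names; full stringprep is assumed elsewhere)."""
    return unicodedata.normalize("NFC", raw).lower()


def _char_allowed(ch: str) -> bool:
    """'-', '.', ':' plus letters and digits; whitespace and controls fail."""
    if ch in "-.:":
        return True
    if ch.isascii():
        return ch in string.ascii_lowercase or ch in string.digits
    # Assumption for non-ASCII text: letter and number categories only.
    return unicodedata.category(ch)[0] in ("L", "N")


def parse(raw: str) -> IscsiName:
    """Validate a name and split it into its parts; ValueError names the
    rule that failed (log that rather than echoing the bytes to the peer)."""
    name = normalize(raw)
    if len(name.encode("utf-8")) > MAX_NAME_BYTES:
        raise ValueError("name exceeds 255 bytes in UTF-8")
    for ch in name:
        if not _char_allowed(ch):
            raise ValueError("character U+%04X not allowed" % ord(ch))
    if name.startswith("iqn."):
        return _parse_iqn(name[4:])
    if name.startswith("eui."):
        return _parse_eui(name[4:])
    raise ValueError("type designator must be 'iqn.' or 'eui.'")


def _parse_iqn(body: str) -> IscsiName:
    # <yyyy-mm>.<reversed domain>[.<sub-qualifiers>][:<subgroup-assigned string>]
    date_code, sep, rest = body.partition(".")
    if not sep or not DATE_CODE.match(date_code):
        raise ValueError("iqn. must be followed by a yyyy-mm date code and '.'")
    # Whether the date lies inside the domain's ownership period cannot be
    # checked offline; that stays the naming authority's responsibility.
    authority, _, local = rest.partition(":")
    labels = authority.split(".")
    if "" in labels:
        raise ValueError("empty label in the reversed domain name")
    if not TOP_LEVEL.match(labels[0]):
        raise ValueError("first label after the date must be a top-level domain")
    return IscsiName("iqn", date_code, labels[0], authority, local or None)


def _parse_eui(body: str) -> IscsiName:
    if not EUI64_HEX.match(body):
        raise ValueError("eui. must be followed by exactly 16 hex digits")
    return IscsiName("eui", None, None, body, None)


def is_valid(raw: str) -> bool:
    try:
        parse(raw)
        return True
    except ValueError:
        return False


def same_name(a: str, b: str) -> bool:
    """Section 2.2: compare the normalized UTF-8 bytes, no external lookup."""
    return normalize(a).encode("utf-8") == normalize(b).encode("utf-8")
```

   The parsed parts are for administrators and name-allocation tooling;
   as the draft says, initiators and targets themselves treat the name
   as opaque, and same_name() is the only comparison the data path
   needs.  Note that "iqn.2001-04.acme.diskarrays" (the "com." dropped)
   is rejected, as the text above requires.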
   The following is an example of a name that might be constructed by a
   research organization:

                   Organization             String
                   Naming                   Defined by Org.
      Type Date    Authority                Naming Authority
      +-+ +-----+ +----------------------+ +-----------+
      | | |     | |                      | |           |
      iqn.2000-02.edu.pika-u.cs.users.oaks.proto.target4

   In the above example, Professor Oaks of Pika University is building
   research prototypes of iSCSI targets.  Pika-U's computer science
   department allows each user to use his or her user name as a naming
   authority for this type of work.  Professor Oaks chose to use
   "proto.target4" for a particular target.

   The following is an example of an iSCSI name string from a storage
   service provider:

                   Organization  String
                   Naming        Defined by Org.
      Type Date    Authority     Naming Authority
      +-+ +-----+ +--------+ +----------------------+
      | | |     | |        | |                      |
      iqn.1995-11.com.my-ssp.customers.4567.disks.107

   In this case, a storage service provider (my-ssp.com) has decided to
   re-name the targets from the manufacturer, to provide the flexibility
   to move the customer's data to a different storage subsystem should
   the need arise.

   My-ssp has configured the iSCSI Name on this particular target for
   one of its customers, and has determined that it made the most sense
   to track these targets by their Customer ID number and a disk number.
   This target was created for use by customer #4567, and is the 107th
   target configured for this customer.

   Note that when reversing these domain names, the first component
   (after the "iqn.") will always be a top-level domain name, which
   includes "com", "edu", "gov", "org", "net", "mil", or one of the
   two-letter country codes.  The use of anything else as the first
   component of these names is not allowed.
   In particular, companies generating these names must not eliminate
   their "com." from the string.

   Again, these iSCSI names are NOT addresses.  Even though they make use
   of DNS domain names, they are used only to specify the naming
   authority.  An iSCSI name contains no implications of the iSCSI
   target or initiator's location.  The use of the domain name is only a
   method of re-using an already ubiquitous name space.

   Note that the SCSI Vendor ID or IEEE OUI could have been specified as
   a naming authority.  However, some large customers and service
   providers may wish to use their own identification scheme, rather
   than that provided by the manufacturer.  These customers would not
   likely have a registered Vendor ID, but the domain name we used is
   ubiquitous, and was deemed more appropriate.

2.3.2. Type "eui." (IEEE EUI format)

   The IEEE iSCSI name might be used when a manufacturer is already
   basing unique identifiers on World-Wide Names as defined in the SCSI
   SPC-2 specification.

   It may also be used by a gateway representing a Fibre Channel or SCSI
   device that is already adequately identified using a world-wide name.

   The format is "eui." followed by 16 hex digits.

   Example iSCSI name:

      Type EUI-64 WWN
      +-+ +--------------+
      | | |              |
      eui.02004567A425678D

2.4 iSCSI Alias

   The iSCSI alias is a UTF-8 text string that may be used as an
   additional descriptive name for an initiator and target.  This may
   not be used to identify a target or initiator during login, and does
   not have to follow the uniqueness or other requirements of the iSCSI
   name.
   The alias strings are communicated between the initiator and target
   at login, and can be displayed by a user interface on either end,
   helping the user tell at a glance whether the initiators and/or
   targets at the other end appear to be correct.  The alias must NOT be
   used to identify, address, or authenticate initiators and targets.

   The alias is a variable length string, between 0 and 255 characters,
   and is terminated with at least one NULL (0x00) character.  No other
   structure is imposed upon this string.

2.4.1 Purpose of an Alias

   Initiators and targets are uniquely identified by an iSCSI Name.
   These identifiers may be assigned by a hardware or software
   manufacturer, a service provider, or even the customer.  Although
   these identifiers are nominally human-readable, they are likely to be
   assigned from a point of view different from that of the other side
   of the connection.  For instance, a target name for a disk array may
   be built from the array's serial number, and some sort of internal
   target ID.  Although this would still be human-readable and
   transcribable, it offers little assurance to someone at a user
   interface who would like to see "at-a-glance" whether this target is
   really the correct one.

   The use of an alias helps solve that problem.  An alias is simply a
   descriptive name that can be assigned to an initiator or target, that
   is independent of the name, and does not have to be unique.  Since it
   is not unique, the alias must be used in a purely informational way.
   It may not be used to specify a target at login, or used during
   authentication.

   Both targets and initiators may have aliases.

2.4.2 Target Alias

   To show the utility of an alias, here is an example using an alias
   for an iSCSI target.
   Imagine sitting at a desktop station that is using some iSCSI devices
   over a network.  The user requires another iSCSI disk, and calls the
   storage services person (internal or external), giving any
   authentication information that the storage device will require for
   the host.  The services person allocates a new target for the host,
   and sends the Target Name for the new target, and probably an
   address, back to the user.  The user then adds this Target Name to
   the configuration file on the host, and discovers the new device.

   Without an alias, a user managing an iSCSI host would click on some
   sort of management "show targets" button to show the targets to which
   the host is currently connected.

      +--Connected-To-These-Targets----------------------
      |
      |  Target Name
      |
      |  iqn.1995-04.com.acme.sn.5551212.target.450
      |  iqn.1995-04.com.acme.sn.5551212.target.489
      |  iqn.1995-04.com.acme.sn.8675309
      |  iqn.2001-04.com.acme.storage:tape.sys1.xyz
      |  iqn.2001-04.com.acme.storage.tape:sys1.xyz
      |
      +--------------------------------------------------

   In the above example, the user sees a collection of iSCSI Names, but
   with no real description of what they are for.  They will, of course,
   map to a system-dependent device file or drive letter, but it's not
   easy looking at numbers quickly to see if everything is there.

   If a more intelligent target configures an alias for each target,
   perhaps at the time the target was allocated to the host, a more
   descriptive name can be given.  This alias may be sent back to the
   initiator as part of the login response, or found in the iSCSI MIB.
   It then might be used in a display such as this.
The new display might look like:

   +--Connected-To-These-Targets----------------------
   |
   |  Alias        Target Name
   |
   |  Oracle 1     iqn.1995-04.com.acme.sn.5551212.target.450
   |  Local Disk   iqn.1995-04.com.acme.sn.5551212.target.489
   |  Exchange 2   iqn.1995-04.com.acme.sn.8675309
   |
   +--------------------------------------------------

This would give the user a better idea of what's really there.

In general, flexible, configured aliases will probably be supported by larger storage subsystems and configurable gateways. Simpler devices will likely not keep configuration data around for things such as an alias. The TargetAlias string could be either left unsupported (not given to the initiator during login) or could be returned as whatever "next best thing" the target has that might better describe it. Since it does not have to be unique, it could even return SCSI inquiry string data.

Note that if a simple initiator does not wish to keep or display alias information, it can be simply ignored if seen in the login response.

2.4.3 Initiator Alias

An initiator alias can be used in the same manner as a target alias. An initiator may send the alias in a login request, when it sends its iSCSI Initiator Name. The alias is not used for authentication, but may be kept with the session information for display through a management GUI or command-line interface (for a more complex subsystem or gateway), or through the iSCSI MIB.

Note that a simple target can just ignore the Initiator Alias if it has no management interface on which to display it.

Usually just the hostname would be sufficient for an initiator alias, but a custom alias could be configured for the sake of the service provider if needed.
Even better would be a description of what the machine was used for, such as "Exchange Server 1", or "User Web Server".

Here's an example of a management interface showing a list of sessions on an iSCSI target network entity. For this display, the targets are using an internal target number, which is a fictional field that has purely internal significance.

   +--Connected-To-These-Initiators-------------------
   |
   |  Target   Initiator Name
   |
   |  450      iqn.1995-04.com.sw.cd.12345678-OEM-456
   |  451      iqn.1995-04.com.os.hostid.A598B45C
   |  309      iqn.1995-04.com.sw.cd.87654321-OEM-259
   |
   +--------------------------------------------------

And with the initiator alias displayed:

   +--Connected-To-These-Initiators-------------------
   |
   |  Target   Alias                Initiator Name
   |
   |  450      Web Server 4         iqn.1995-04.com.sw.cd.12345678-OEM-456
   |  451      scsigate.yours.com   iqn.1995-04.com.os.hostid.A598B45C
   |  309      Exchange Server      iqn.1995-04.com.sw.cd.87654321-OEM-259
   |
   +--------------------------------------------------

This gives the storage administrator a better idea of who is connected to their targets. Of course, one could always do a reverse DNS lookup of the incoming IP address to determine a host name, but simpler devices really don't do well with that particular feature due to blocking problems, and it won't always work if there is a firewall or iSCSI gateway involved.

Again, these are purely informational and optional and require a management application.

Aliases are extremely easy to implement. Targets just send a TargetAlias whenever they send a TargetName. Initiators just send an InitiatorAlias whenever they send an InitiatorName. If an alias is received that does not fit, or seems invalid in any way, it is ignored.

2.5. Initiator and Target Requirements for iSCSI Name support

Each initiator and target implementation must support the use of iSCSI names.

The initiator MUST send an InitiatorName and a TargetName as text fields within the initial login request on all connections within the session.

Initiators and targets shall support the receipt of iSCSI names of up to the maximum length. If configuration of the initiator or target name is allowed, the implementation shall support the maximum length.

In their user interfaces, both shall support, at a minimum, the display of the ASCII characters within the iSCSI Name's UTF-8 string.

If the other characters are unsupported, they may be displayed with escape codes as specified in [RFC 2396].

3. ISID

The ISID is an initiator-defined component of the session identifier (SSID) and is structured as follows. See iSCSI [7] and Section 3.4, Conservative Reuse of ISIDs, for further information regarding the ISID.

   Byte/     0       |       1       |       2       |       3       |
      /              |               |               |               |
     |7 6 5 4 3 2 1 0|7 6 5 4 3 2 1 0|7 6 5 4 3 2 1 0|7 6 5 4 3 2 1 0|
     +---------------+---------------+---------------+---------------+
    0| T |     A     |               B               |       C       |
     +---------------+---------------+---------------+---------------+
    4|               D               |
     +---------------+---------------+

The T field identifies the format and usage of A, B, C & D as indicated below:

   T

   00b  OUI-format
        A&B are 22 bits.
        OUI is the Naming Authority
        (the I/G & U/L bits are omitted)
        C&D are 24 bit Qualifier
   01b  EN - format (IANA Enterprise Number)
        A - reserved
        B&C EN (IANA Enterprise Number) is the Naming Authority
        D - Qualifier
   10b  "Random"
        A - reserved
        B&C Random is the Naming Authority
        D - Qualifier
   11b  A,B,C&D Reserved

For T field values 00b and 01b, a combination of A and B (for 00b) or B and C (for 01b) identifies the vendor or organization whose component (software or hardware) generates this ISID. This is the Naming Authority field. See 3.2 for more information. A vendor or organization with one or more OUIs, or one or more Enterprise Numbers, must use at least one of these numbers and select the appropriate value for the T field when its components generate ISIDs. An OUI or EN value must be set in the corresponding fields in network byte order (i.e., big-endian).

If the T field is 10b, B and C are set to a random 24 bit unsigned integer value in network byte order (i.e., big-endian). See iSCSI [7] and section 3.4 for how this affects the principle of "conservative reuse".

The "Random" type (10b) is for the case where the component that generates an ISID (SW or HW) is provided by an entity that has no OUI or EN. This includes, for example,

   - a user-written program that builds sessions (and has access to the system level iSCSI Name)
   - a university or other organization providing the component
   - a testing tool

The T field of 11b is reserved.

3.2 ISID Naming Authority

If the Type field is 00b, the 22-bits of the Naming Authority field must be the lower 22-bits of one of the IEEE OUIs (Organization Unique Identifier), a.k.a. "Company ID", assigned to the vendor whose component is generating this ISID. The OUI is set in the Naming Authority field in network byte order (big-endian).

If the Type field is 01b, the Naming Authority field must be set to one of the IANA Enterprise Numbers assigned to the vendor whose component is generating this ISID. The Enterprise Number is set in the Naming Authority field as a 24-bit unsigned integer value in network byte order (big-endian).

If the type field is 10b, the Naming Authority field is set randomly as specified above. It is important to note that the "Random" type does not guarantee uniqueness. The "Random" type has been introduced because it allows ISIDs to be used in experimental or isolated iSCSI setups. (See 3.4 on how this affects the principle of "conservative reuse".)

3.3 ISID Qualifier

The Qualifier field is a 16 or 24 bit unsigned integer value that provides a range of possible values for the ISID within the selected namespace. It may be set to any value, within the constraints specified in the iSCSI protocol (see iSCSI [7] and 3.4, Consequences of the Model and Conservative Reuse of ISIDs).

3.4 Conservative reuse of ISIDs

The principle of "conservative reuse" of ISIDs (see iSCSI [7]) specifies that ISIDs should be reused as much as possible. This principle is there both to minimize the disruption of legacy applications and to better facilitate the SCSI features that rely on persistent names for SCSI ports.

To facilitate conservative reuse, the Qualifier field of a set of ISIDs should be generated using either a repeatable algorithm (e.g., deterministic, or pseudo-random but based on a fixed seed) or any algorithm to initialize a value or set of values that are then stored in a persistent location (e.g., registry or /etc file).
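As an added example (not part of this draft or any iSCSI implementation), the following Python code packs and unpacks the 6-byte ISID layout of section 3 for the OUI, EN and Random types, rejects the reserved type, and keeps Qualifier values in a persistent file so that a logical session is handed the same ISID again after a restart, which is what section 3.4 means by conservative reuse. The JSON file path, the session keys and the sample OUI/EN values are constructed for illustration only.

```python
import json
import os
import secrets
import tempfile
from dataclasses import dataclass

# T field values from the table in section 3.
T_OUI, T_EN, T_RANDOM, T_RESERVED = 0b00, 0b01, 0b10, 0b11


@dataclass(frozen=True)
class Isid:
    t: int                 # 2-bit type field
    naming_authority: int  # 22-bit OUI (T=00b), 24-bit EN (01b) or random (10b)
    qualifier: int         # 24-bit for T=00b, 16-bit for T=01b / 10b


def encode_isid(t: int, naming_authority: int, qualifier: int) -> bytes:
    """Pack the fields into the big-endian layout of section 3:
    byte 0 = T(2)|A(6), bytes 1-2 = B, byte 3 = C, bytes 4-5 = D."""
    if t == T_OUI:
        if not 0 <= naming_authority < (1 << 22):
            raise ValueError("OUI naming authority must fit in 22 bits (A&B)")
        if not 0 <= qualifier < (1 << 24):
            raise ValueError("OUI-format qualifier must fit in 24 bits (C&D)")
        a, b = naming_authority >> 16, naming_authority & 0xFFFF
        c, d = qualifier >> 16, qualifier & 0xFFFF
    elif t in (T_EN, T_RANDOM):
        if not 0 <= naming_authority < (1 << 24):
            raise ValueError("EN/Random naming authority must fit in 24 bits (B&C)")
        if not 0 <= qualifier < (1 << 16):
            raise ValueError("EN/Random qualifier must fit in 16 bits (D)")
        a = 0  # A is reserved for these two formats
        b, c = naming_authority >> 8, naming_authority & 0xFF
        d = qualifier
    else:
        raise ValueError("T=11b is reserved")
    return bytes([(t << 6) | a]) + b.to_bytes(2, "big") + bytes([c]) + d.to_bytes(2, "big")


def decode_isid(raw: bytes) -> Isid:
    """Inverse of encode_isid; raises ValueError for a bad length or the reserved type."""
    if len(raw) != 6:
        raise ValueError("ISID is exactly 6 bytes")
    t, a = raw[0] >> 6, raw[0] & 0x3F
    b = int.from_bytes(raw[1:3], "big")
    c = raw[3]
    d = int.from_bytes(raw[4:6], "big")
    if t == T_OUI:
        return Isid(t, (a << 16) | b, (c << 16) | d)
    if t in (T_EN, T_RANDOM):
        return Isid(t, (b << 8) | c, d)
    raise ValueError("T=11b is reserved")


def isid_is_valid(raw: bytes) -> bool:
    """True if raw parses as a non-reserved ISID; anything else should be refused."""
    try:
        decode_isid(raw)
        return True
    except ValueError:
        return False


def random_naming_authority() -> int:
    """T=10b: a 24-bit random Naming Authority for a component that has no OUI
    or EN. Randomness gives no uniqueness guarantee (section 3.2)."""
    return secrets.randbits(24)


class PersistentQualifiers:
    """Hands out Qualifier values and remembers them in a JSON file, so a logical
    session gets the same ISID after a reboot (section 3.4, "stored in a
    persistent location"). The file is this example's assumption; a product
    might use the registry or an /etc file instead."""

    def __init__(self, path: str, width_bits: int):
        self.path, self.limit = path, 1 << width_bits
        try:
            with open(path) as f:
                self.table = json.load(f)
        except FileNotFoundError:
            self.table = {}

    def qualifier_for(self, session_key: str) -> int:
        if session_key not in self.table:
            used = set(self.table.values())
            free = (q for q in range(self.limit) if q not in used)
            self.table[session_key] = next(free)  # StopIteration if the namespace is exhausted
            with open(self.path, "w") as f:
                json.dump(self.table, f)
        return self.table[session_key]


def reuse_demo() -> tuple:
    """Constructed scenario: two sessions obtain qualifiers, the store is reopened
    (as after a reboot) and the first session asks again. Returns (q1, q2, q1_again)."""
    path = os.path.join(tempfile.mkdtemp(), "isid-qualifiers.json")
    store = PersistentQualifiers(path, width_bits=16)
    q1 = store.qualifier_for("target-A/portal-group-1")
    q2 = store.qualifier_for("target-B/portal-group-1")
    reopened = PersistentQualifiers(path, width_bits=16)
    return q1, q2, reopened.qualifier_for("target-A/portal-group-1")
```

The width of the Qualifier store (16 or 24 bits) follows the T type chosen, and the session key is whatever the initiator uses to name a logical session locally; combining `encode_isid(T_EN, <your EN>, store.qualifier_for(key))` yields an ISID that is stable across restarts, as section 3.5 (d) requires of any configured ISID.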
For the "Random" type, conservative reuse may not be an issue (e.g., in a user application that doesn't care about reservations, etc.). When it is an issue, the Naming Authority field should also be generated by a mechanism similar to that for the Qualifier field as specified above (e.g., defined in the SW at compilation time).

3.5 Notes on ISIDs

(a) As noted, the structure of the ISID namespace provides each vendor with its own piece of the ISID namespace. In effect, this provides for a vendor-partitioning of that namespace within each initiator. An initiator will then fail to comply with the ISID RULE only if a vendor fails to implement the ISID generation, use and reuse requirements correctly.

(b) This structure also allows for a consortium of companies to develop common APIs or a common infrastructure for generation, use and reuse of ISIDs. The consortium could, for example, select an OUI from amongst the member companies to be used in the Naming Authority field. Or, the consortium could request an IANA Enterprise Number for the consortium itself and use this in the naming authority field. Eventually, the OS implementers could provide such APIs, in which case the OS vendor could use its own OUI or EN in the naming authority. In short, the design allows for a migration path from vendor-fragmented implementations to coordinated common implementations for ISID generation.

(c) ISIDs have no global uniqueness requirements or properties. That is handled by the iSCSI Name of the initiator. This means that a vendor can use the same algorithm to generate ISIDs (under its naming authority) in every initiator.
(d) If the ISID is derived from something assigned to a hardware adapter or interface by a vendor as a preset default value, it must have a way to be changed (configured) to a new default value. The ISID value must be configurable so that a chosen ISID may be applied to a Portal Group containing more than one interface. In addition, any preset default value should be automatically adjusted to a common ISID when placed into a Network Entity as part of a Portal Group. Any configured ISID must also be persistent (e.g., across power cycles, reboots, and hot swaps). Refer to iSCSI [7], iSCSI Name and ISID/TSID.

4. iSCSI Discovery

The goal of iSCSI discovery is to allow an initiator to find the targets to which it has access, and at least one address at which each target may be accessed. This should generally be done using as little configuration as possible. This section defines the discovery mechanism only; no attempt is made to specify central management of iSCSI devices within this document. Moreover, the iSCSI discovery mechanism only deals with target discovery; one still needs to use the SCSI protocol for LUN discovery.

In order for an iSCSI initiator to establish an iSCSI session with an iSCSI target, the initiator needs the IP address, TCP port number and iSCSI target name information. The goal of the iSCSI discovery mechanism is to provide low overhead support for small iSCSI setups, and scalable discovery solutions for large enterprise setups. Thus, there are several methods that may be used to find targets, ranging from configuring a list of targets and addresses on each initiator and doing no discovery at all, to configuring nothing on each initiator and allowing the initiator to discover targets dynamically.
The various discovery mechanisms differ in their assumptions about what information is already available to the initiators and what information still needs to be discovered.

iSCSI supports the following discovery mechanisms:

a. Static Configuration: This mechanism assumes that the IP address, TCP port and the iSCSI target name information are already available to the initiator. The initiators need to perform no discovery in this approach. The initiator uses the IP address and the TCP port information to establish a TCP connection, and it uses the iSCSI target name information to establish an iSCSI session. This discovery option is convenient for small iSCSI setups.

b. SendTargets: This mechanism assumes that the IP address and TCP port information are already available to the initiator. The initiator then uses this information to establish a discovery session to the Network Entity. The initiator then subsequently issues the SendTargets text command to query information about the iSCSI targets available at the particular Network Entity (IP address). SendTargets command details can be found in the iSCSI draft [7]. This discovery option is convenient for iSCSI gateways and routers.

c. Zero-Configuration: This mechanism assumes that the initiator does not have any information about the target. In this option, the initiator can either multicast discovery messages directly to the targets or it can send discovery messages to storage name servers. Currently, there are many general purpose discovery frameworks available such as Salutation [2], Jini [2], UPnP [2], SLP [17] and iSNS [8]. However, with respect to iSCSI, SLP can clearly perform the needed discovery functions [21], while iSNS [8] can be used to provide related management functions including notification, access management, configuration, and discovery management.
iSCSI equipment that needs discovery functions beyond SendTargets should at least implement SLP, and then consider iSNS when extended discovery management capabilities are required, such as in larger storage networks. It should be noted that since iSNS will support SLP, iSNS can be used to help manage the discovery information returned by SLP.

Appendix A: iSCSI Name Notes

Some iSCSI Name Examples for Targets

- Assign to a target based on controller serial number

     iqn.2001-04.com.acme.diskarray.sn.8675309

- Assign to a target based on serial number

     iqn.2001-04.com.acme.diskarray.sn.8675309.oracle_database_1

  Where oracle_database_1 might be a target label assigned by a user. This would be useful for a controller that can present different logical targets to different hosts.

Obviously, any naming authority may come up with its own scheme and hierarchy for these names, and be just as valid.

A target iSCSI Name should never be assigned based on interface hardware, or other hardware that can be swapped and moved to other devices.

Some iSCSI Name Examples for Initiators

- Assign to the OS image by fully qualified host name

     iqn.2001-04.com.osvendor.dns.com.customer1.host-four

  Note the use of two FQDNs - that of the naming authority and also that of the host that is being named. This can cause problems, due to limitations imposed on the size of the iSCSI Name.

- Assign to the OS image by OS install serial number

     iqn.2001-04.com.osvendor.newos5.12345-OEM-0067890-23456

  Note that this breaks if an install CD is used more than once. Depending on the O/S vendor's philosophy, this might be a feature.
- Assign to the Raid Array by a service provider

     iqn.2001-04.com.mydisk.users.mbakke05657

Appendix B: iSCSI Proxies and Firewalls Taxonomy

iSCSI has been designed to allow SCSI initiators and targets to communicate over an arbitrary network. This, making some assumptions about authentication and security, means that in theory the whole internet could be used as one giant storage network.

However, there are many access and scaling problems that would come up when this is attempted.

1. Most iSCSI targets may only be meant to be accessed by one or a few initiators. Discovering everything would be unnecessary.

2. The initiator and target may be owned by separate entities, each with their own directory services, authentication, and other schemes. An iSCSI-aware proxy may be required to map between these things.

3. Many environments use non-routable IP addresses, such as the "10." network.

For these and other reasons, various types of firewalls and proxies will be deployed for iSCSI, similar in nature to those already handling protocols such as HTTP and FTP.

B.1. Port Redirector

A port redirector is a stateless device that is not aware of iSCSI. It is used to do Network Address Translation (NAT), which can map IP addresses between routable and non-routable domains, as well as map TCP ports. While devices providing these capabilities can often filter based on IP addresses and TCP ports, they generally do not provide meaningful security, and are used instead to resolve internal network routing issues.

Since it is entirely possible that these devices are used as routers and/or aggregators between a firewall and an iSCSI initiator or target, iSCSI connections must be operable through them.
Effects on iSCSI:

- iSCSI-level data integrity checks must not include information from the TCP or IP headers, as these may be changed in between the initiator and target.

- iSCSI messages that specify a particular initiator or target, such as login requests and third party requests, should specify the initiator or target in a location-independent manner. This is accomplished using the iSCSI Name.

B.2. SOCKS server

A SOCKS server can be used to map TCP connections from one network domain to another. It is aware of the state of each TCP connection.

The SOCKS server provides authenticated firewall traversal for applications that are not firewall-aware. Conceptually, SOCKS is a "shim-layer" that exists between the application (i.e., iSCSI) and TCP.

To use SOCKS, the iSCSI initiator must be modified to use the encapsulation routines in the SOCKS library. The initiator then opens up a TCP connection to the SOCKS server, typically on the canonical SOCKS port 1080. A sub-negotiation then occurs, during which the initiator is either authenticated or denied the connection request. If authenticated, the SOCKS server then opens a TCP connection to the iSCSI target using addressing information sent to it by the initiator in the SOCKS shim. The SOCKS server then forwards iSCSI commands, data, and responses between the iSCSI initiator and target.

Use of the SOCKS server requires special modifications to the iSCSI initiator. No modifications are required to the iSCSI target.

As a SOCKS server can map most of the addresses and information contained within the IP and TCP headers, including sequence numbers, its effects on iSCSI are identical to those of the port redirector.

B.3. SCSI gateway

This gateway presents logical targets (iSCSI Names) to the initiators, and maps them to real iSCSI targets as it chooses.
The initiator sees this gateway as a real iSCSI target, and is unaware of any proxy or gateway behavior. The gateway may manufacture its own iSCSI Names, or use those provided by the real devices. This type of gateway is used to represent parallel SCSI, Fibre Channel, SSA, or other devices as iSCSI devices.

Effects on iSCSI:

- Since the initiator is unaware of any addresses beyond the gateway, the gateway's own address is for all practical purposes the real address of a target. Only the iSCSI Name needs to be passed. This is already done in iSCSI, so there are no further requirements to support SCSI gateways.

B.4. iSCSI Proxy

An iSCSI proxy is a SCSI gateway that happens to be terminating the iSCSI protocol on both sides, rather than translating between iSCSI and some other transport. Since an iSCSI initiator's discovery or configuration of a set of targets makes use of address-independent iSCSI names, iSCSI does not have the same proxy addressing problems as HTTP, which includes address information in its URLs. If a proxy is to provide services to an initiator on behalf of a target, the proxy allows the initiator to discover its address for the target, and the actual target device is discovered only by the proxy. Neither the initiator nor the iSCSI protocol needs to be aware of the existence of the proxy.

Effects on iSCSI:

- Same as a SCSI gateway. The only other effect is that iSCSI must separate data integrity checking on iSCSI headers and iSCSI data, to allow the data integrity check on the data to be propagated end-to-end through the proxy.

B.5. Stateful Inspection Firewall (stealth iSCSI firewall)

The Stealth model would exist as an iSCSI-aware firewall that is invisible to the initiator, but provides capabilities found in the iSCSI proxy.

Effects on iSCSI:

- Since this is invisible, there are no additional requirements on the iSCSI protocol for this one.

This one is more difficult in some ways to implement, simply because it has to be part of a standard firewall product, rather than part of an iSCSI-type product.

Also note that this type of firewall is only effective in the outbound direction (allowing an initiator behind the firewall to connect to an outside target), unless the iSCSI target is located in a DMZ. It does not provide adequate security otherwise.

Appendix C

This document has described the creation and use of iSCSI Node Names. There will be trusted environments where this is a sufficient form of identification. In these environments the iSCSI Target may have an Access Control List (ACL), which will contain a list of authorized entities that are permitted to access a restricted resource (in this case a Target Storage Controller). The iSCSI Target will then use that ACL to permit (or not) certain iSCSI Initiators to access the storage at the iSCSI Target Node. This form of ACL is used to prevent trusted initiators from making a mistake and connecting to the wrong storage controller.

It is also possible that the ACL and the iSCSI Initiator Node Name can be used in conjunction with the SCSI layer for the appropriate SCSI association of LUNs with the Initiator. The SCSI layer's use of the ACL will not be discussed further in this document.

There will be situations where the iSCSI Nodes exist in untrusted environments.
That is, some iSCSI Initiator Nodes may be authorized to access an iSCSI Target Node; however, because of the untrusted environment, nodes on the network cannot be trusted to give the correct iSCSI Initiator Node Names.

In untrusted environments an additional type of identification is required to assure the target that it really knows the identity of the requesting entity.

The authentication and authorization in the iSCSI layer is independent of anything that IPSec might handle, underneath or around the TCP layer. This means that the initiator node needs to pass some type of security related identification information (e.g. userid) to a security authentication process such as SRP, CHAP, Kerberos etc. (These authentication processes will not be discussed in this document.)

Upon the completion of the iSCSI security authentication, the installation knows "who" sent the request for access. The installation must then check to ensure that such a request, from the identified entity, is permitted/authorized. This form of Authorization is generally accomplished via an Access Control List (ACL) as described above. Using this authorization process, the iSCSI target will know that the entity is authorized to access the iSCSI Target Node.

It may be possible for an installation to set a rule that the security identification information (e.g. UserID) be equal to the iSCSI Initiator Node Name. In that case, the ACL approach described above should be all the authorization that is needed.

If, however, the iSCSI Initiator Node Name is not used as the security identifier, there is a need for more elaborate ACL functionality. This means that the target requires a mechanism to map the security identifier (e.g. UserID) information to the iSCSI Initiator Node Name. That is, the target must be sure that the entity requesting access is authorized to use the name which was specified with the Login Keyword "InitiatorName=". For example, if security identifier 'Frank' is authorized to access the target via iSCSI InitiatorName=xxxx, but 'Frank' tries to access the target via iSCSI InitiatorName=yyyy, then this login should be rejected.

On the other hand, it is possible that 'Frank' is a roaming user (or a Storage Administrator) that "owns" several different systems, and thus could be authorized to access the target via multiple different iSCSI initiators. In this case, the ACL needs to have the names of all the initiators through which 'Frank' can access the target.

There may be other more elaborate ACL approaches, which can also be deployed to provide the installation/user with even more security with flexibility.

The above discussion is trying to inform the reader that not only is there a need for access control dealing with iSCSI Initiator Node Names, but in certain iSCSI environments there might also be a need for other complementary security identifiers.

5. References

[1] Pascoe, R., "Building Networks on the Fly", in IEEE Spectrum, March 2002.

[2] John, R., "UPnP, Jini and Salutation - A look at some popular coordination frameworks for future networked devices", http://www.cswl.com/whiteppr/tech/upnp.html, June 17, 1999.

[3] http://www.srvloc.org

[4] Freed, N., "Behavior of and Requirements for Internet Firewalls", RFC 2979, October 2000.

[5] ANSI/IEEE Std 802-1990, "IEEE Standards for Local and Metropolitan Area Networks: Overview and Architecture".

[6] Kessler, G. and Shepard, S., "A Primer On Internet and TCP/IP Tools and Utilities", RFC 2151, June 1997.

[7] Satran, J., Sapuntzakis, C., Wakeley, M., Von Stamwitz, P., Haagens, R., Chadalapaka, M., Zeidner, E., Dalle Ore, L., Klein, Y., "iSCSI", draft-ietf-ips-iscsi-07.txt, July 2001.

[8] Gibbons, K., Tseng, J. and Monia, C., "iSNS Internet Storage Name Service", draft-tseng-ips-isns-04.txt, July 2001.

[9] RFC 1737, "Functional Requirements for Uniform Resource Names".

[10] RFC 1035, "Domain Names - Implementation and Specification".

OUI - "IEEE OUI and Company_Id Assignments", http://standards.ieee.org/regauth/oui/index.shtml

[11] EUI - "Guidelines for 64-bit Global Identifier (EUI-64) Registration Authority", http://standards.ieee.org/regauth/oui/tutorials/EUI64.html

[12] RFC 2396, "Uniform Resource Identifiers".

[13] RFC 2276, "Architectural Principles of URN Resolution".

[14] RFC 2483, "URI Resolution Services".

[15] RFC 2141, "URN Syntax".

[16] RFC 2611, "URN Namespace Definition Mechanisms".

[17] RFC 2608, "SLP Version 2".

[18] RFC 2610, "DHCP Options for the Service Location Protocol".

[19] P. Sarkar et al., "A Standard for Bootstrapping Clients using the iSCSI Protocol", draft-ietf-ips-iscsi-boot-03.

[21] M. Bakke et al., "Finding iSCSI Targets and Name Servers using SLP", draft-ietf-ips-iscsi-slp-01.txt, July 2002.

[22] Sun Microsystems, "Java Language Specification", section 7.7 "Unique Package Names", 2000, http://java.sun.com/docs/books/jls/second_edition/html/jTOC.doc.html.

[23] Flanagan, et al., "Java in a Nutshell", O'Reilly, 1997.

[24] P. Hoffman, M. Blanchet, "Preparation of Internationalized Strings", draft-hoffman-stringprep-00.txt, September 2001.
[25] Unicode Standard Annex #15, "Unicode Normalization Forms", http://www.unicode.org/unicode/reports/15

[26] M. Bakke, "String Profile for iSCSI Names", draft-ietf-ips-iscsi-string-prep-00.txt, November 2001.

6. Author's Addresses

Address comments to:

Kaladhar Voruganti
650 Harry Road
IBM Almaden Research
San Jose, CA
USA
Email: kaladhar@us.ibm.com

Mark Bakke
Cisco Systems, Inc.
6450 Wedgwood Road
Maple Grove, MN 55311
Phone: +1 763 398-1054
Email: mbakke@cisco.com

Jim Hafner
IBM Research
Almaden Research Center
650 Harry Road
San Jose, CA 95120
Phone: +1 408-927-1892
Email: hafner@almaden.ibm.com

Josh Tseng
Nishan Systems
3850 North First Street
San Jose, CA 95134
Phone: 408 519-3749
Email: jtseng@nishansystems.com

Marjorie Krueger
Hewlett-Packard Corporation
8000 Foothills Blvd
Roseville, CA 95747-5668, USA
Phone: +1 916 785-2656
Email: marjorie_krueger@hp.com

Phone: (408) 957-4980
Email: todd_sperry@adaptec.com

Full Copyright Statement

"Copyright (C) The Internet Society (date). All Rights Reserved.

This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.

The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.

This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE."