--- 1/draft-ietf-dhc-isnsoption-00.txt 2006-02-04 23:04:19.000000000 +0100 +++ 2/draft-ietf-dhc-isnsoption-01.txt 2006-02-04 23:04:19.000000000 +0100 @@ -1,15 +1,15 @@ DHC Josh Tseng - Internet Draft Nishan Systems - - Expires August 2002 February 2002 + Internet Draft Kevin Gibbons + Nishan Systems + Expires January 2003 July 2002 DHCP Options for Internet Storage Name Service Status of this Memo This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of [RFC2026]. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that @@ -30,26 +30,26 @@ Comments should be sent to the IPS mailing list (ips@ece.cmu.edu) or to the authors. Table of Contents Status of this Memo...................................................1 Comments..............................................................1 Abstract..............................................................2 Conventions used in this document.....................................2 -1.Introduction.......................................................2 -2.iSNS Option for DHCP...............................................3 -3.Security Considerations............................................4 -4.References.........................................................5 -5.Author's Addresses.................................................5 -Full Copyright Statement..............................................6 +1. Introduction......................................................2 +2. iSNS Option for DHCP..............................................3 +3. Security Considerations...........................................6 +4. References........................................................6 +5. Author's Addresses................................................7 +Full Copyright Statement..............................................8 DHCP Option Number for iSNS February 2002 Abstract This document describes the DHCP option to allow iSNS clients devices using DHCP to automatically discover the location of the iSNS server. iSNS provides discovery and management capabilities for iSCSI and Fibre Channel (FCP) storage devices in an enterprise-scale IP storage network. iSNS provides intelligent storage management services comparable to those found in Fibre Channel networks, @@ -124,112 +124,206 @@ 2. iSNS Option for DHCP This option specifies the location of the primary and backup iSNS servers and the subset of iSNS services that will be used by the iSNS client. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | Code = TBD | Length | FLAGS | + | Code = TBD | Length | iSNS Function | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | DD Access | Administrative FLAGS | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | a1 | a2 | a3 | a4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | b1 | b2 | b3 | b4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | . . . . | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ The iSNS Option specifies a list of IP addresses used by iSNS servers. Length indicates the number of bytes that follow the Length field. - The minimum value for the Length field is 2 in order to account for - the FLAGS field. - - The format of the FLAGS field is shown below: + The minimum value for the Length field is 6 in order to account for + the iSNS Function, Discovery Domain Access, and Administrative Flags + field. + iSNS Function is a bitmap field defining the iSNS server's + operational role (i.e., how the iSNS server is to be used). The + iSNS server's role can be as basic as to provide simple discovery + information, or as significant as to provide IKE/IPSec security DHCP Option Number for iSNS February 2002 + policies and certificates for the use of iSCSI and iFCP devices. The + format of the iSNS Role bit field is shown below: + 1 2 3 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | Site-Spec | RESERVED |S|A|H| + | Site-Specific |RESERVED |S|A|E| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Bit field Significance --------- ------------ - 31 Heartbeat - 30 Authorization + 31 Enabled/Disabled + 30 Authorization/Discovery Domains 29 Security - 28-22 RESERVED - 21-16 Site-specific or Vendor-specific use only + 28-24 RESERVED + 23-16 Site-specific or Vendor-specific use only - Heartbeat: Indicates whether the first IP address is the multicast - address for the iSNS heartbeat message. If enabled, then a1-a4 - contains the heartbeat multicast address and b1-b4 contains the IP - address of the primary iSNS server, followed by the IP address(es) - of any backup servers. If disabled, then a1-a4 contains the IP - address of the primary iSNS server, followed by the IP address(es) - of any backup servers. + Enabled/Disabled: This bit determines the validity of the iSNS Role + field. If this bit is enabled, then the contents of the remainder + of the iSNS Role field are valid. If this bit is disabled, then the + contents of the iSNS Role field are invalid. Authorization: Indicates the role of the iSNS server in determining - device access authorizations. If disabled, then the role of the - iSNS server is only for discovery purposes only. Discovery Domains - MAY be used to manage the discovery process, but they do not - indicate necessarily indicate authorization to access discovered - devices. If enabled, then Discovery Domain/Zoning features of the - iSNS indicate device access authorizations. Devices in a common DD - SHALL be allowed access to each other if they are successfully - authenticated. Devices not in a common DD shall not be allowed to - access each other. + device access authorizations. If disabled, then the function of the + iSNS server is for target discovery purposes only. Discovery + Domains MAY be used to manage the discovery process, but they do not + necessarily indicate authorization to access discovered devices. If + enabled, then Discovery Domain/Zoning features of the iSNS indicate + device access authorizations. Devices in a common DD SHALL be + allowed access to each other if they are successfully authenticated. + Devices not in a common DD shall not be allowed to access each + other. Security: Indicates whether the iSNS client is to download and use the security policy configuration stored in the iSNS server. If enabled, then the AuthMethod and IKE/IPSec policy stored in the iSNS server SHALL be used by the iSNS client for its own security policy. If disabled, then the iSNS client SHALL NOT query for its own security policy attributes in the iSNS server. Site-Specific: These bits are used to indicate site-specific or vendor-specific capabilities in the indicated iSNS server. + Discovery Domain Access is a bit field that indicates the types of + iSNS clients that are allowed to modify Discovery Domains. The + format of the DD Access bit field is shown below: + + DHCP Option Number for iSNS February 2002 + + 0 1 2 3 4 5 6 7 + +---+---+---+---+---+---+---+---+ + | R | R | if| tf| is| ts| C | E | + +---+---+---+---+---+---+---+---+ + + Bit field Significance + --------- ------------ + 7 Enabled/Disabled + 6 Control Node + 5 iSCSI Target + 4 iSCSI Initiator + 3 iFCP Target Port + 2 iFCP Initiator Port + 1 RESERVED + 0 RESERVED + + Enabled/Disabled: This bit determines the validity of the DD Access + bit field. If this bit is enabled, then the contents of the + remainder of the DD Access field are valid. If this bit is + disabled, then the contents of this field are invalid. + + Control Node: Determines whether Control Nodes are allowed to add, + delete, or modify Discovery Domains. If enabled, then Control Nodes + are allowed. If disabled, then Control Nodes are not allowed to + modify Discovery Domains. + + iSCSI Target, iSCSI Initiator, iFCP Target Port, and iFCP Initiator + Port: These bits determine whether the respective registered iSNS + client (determined by iSCSI Node Type or iFCP Port Role) is allowed + to add, delete, or modify Discovery Domains. If enabled, then the + respective types of iSNS clients are allowed. If disabled, then + they are not allowed to modify Discovery Domains. + + The Administrative Flags field configures the administrative + settings for the iSNS server discovered through the DHCP option. + The format of the Administrative Flags bit field is as follows: + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Site-Specific | RESERVED |D|M|H|E| + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Bit field Significance + --------- ------------ + 31 Enabled/Disabled + 30 Heartbeat + 29 Management SCN's + 28 Default Discovery Domain + 26-8 RESERVED + 7-0 Site-specific or Vendor-specific use only + + Enabled/Disabled: This bit determines the validity of the + Administrative Flags field. If this bit is enabled, then the + DHCP Option Number for iSNS February 2002 + + contents of the remainder of the Administrative Flags field are + valid. If this bit is disabled, then the contents of this field are + invalid, indicating that iSNS administrative settings are configured + through alternative means other than DHCP. + + Heartbeat: Indicates whether the first IP address is the multicast + address for the iSNS heartbeat message. If enabled, then a1-a4 + contains the heartbeat multicast address and b1-b4 contains the IP + address of the primary iSNS server, followed by the IP address(es) + of any backup servers. If disabled, then a1-a4 contains the IP + address of the primary iSNS server, followed by the IP address(es) + of any backup servers. + + Management SCNs: Indicates whether control nodes are authorized to + register to receive Management SCN's. Management SCN's are a + special class of State Change Notification whose scope is the entire + iSNS database. If enabled, then control nodes are authorized to + register to receive Management SCN's. If disabled, then control + nodes are not authorized to receive Management SCN's (although they + may receive normal SCN's). + + Default Discovery Domain: Indicates whether a newly registered + device that is not explicitly placed into a Discovery Domain (DD) + and Discovery Domain Set (DDS) should be automatically placed into a + default DD and DDS. If enabled, then a default DD shall contain all + devices in the iSNS database that have not been explicitly placed + into a DD by an iSNS client. If disabled, then devices not + explicitly placed into a DD are not members of any DD. + 3. Security Considerations DHCP currently provides no authentication or security mechanisms. Potential exposures to attack are discussed in section 7 of the DHCP protocol specification [DHCP]. iSNS security considerations are discussed in [iSNS] and [SEC-IPS]. - DHCP Option Number for iSNS February 2002 - 4. References [DHCP] Droms, R., "Dynamic Host Configuration Protocol", RFC 2131, Bucknell University, March 1997. [iSCSI] Satran, J., et al., "iSCSI", Internet draft (work in - progress), draft-ietf-ips-iSCSI-10.txt, January 2002 + progress), draft-ietf-ips-iSCSI-13.txt, June 2002 [iFCP] Monia, C., et al., "iFCP - A Protocol for Internet Fibre Channel Storage Networking", Internet draft (work in - progress), draft-ietf-ips-ifcp-09.txt, January 2002 + progress), draft-ietf-ips-ifcp-11.txt, May 2002 [iSNS] Tseng, J. et al., "iSNS - Internet Storage Name Service", Internet draft (work in progress), draft-ietf- - ips-isns-09.txt, March 2002 + ips-isns-10.txt, May 2002 + DHCP Option Number for iSNS February 2002 [SEC-IPS] Aboba, B., et al., "Securing IP Block Storage - Protocols", draft-ietf-ips-security-09.txt, February - 2002 + Protocols", draft-ietf-ips-security-13.txt, June 2002 [RFC2026] Bradner, S., "The Internet Standards Process -- Revision 3", BCP 9, RFC 2026, October 1996. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997 5. Author's Addresses Josh Tseng