A Hettinger wrote:

> hey Jim,
>
> I really like being able to enable and disable shareiscsi from the  
> zfs, it makes management much easier, but I also need the TPGT  
> functionality.
>
> TPGT is a necessary part of my security policy.
> 1) physical security
> 2) switch only accepts a specific MAC to/from a specific port
> (statically assigned) (prevents MAC spoofing)
> 3) firewall only permits a given IP if used with the associated
> MAC (prevents IP spoofing)
> 4) TPGT only permits an iqn for an associated ip (prevents iqn
> spoofing).
>
> It's slightly harder to make sure all these associations are kept
> up-to-date, but (AFAIK) it is the only way to prevent the issues
> with having initiators being trusted systems (I suppose exempting
> Kerberos, but it's not feasible for what I need to do). The only
> attack vector I see remaining is the good old-fashioned DoS. (If
> anyone wants to point out the flaw in my plan, please do.)
>
> Is there already an RFE for this?

The root cause of this issue is that the ZFS zvol is the Solaris
component offering persistence of this iSCSI Target. ZFS, due to its
ease of management, does not support a means to associate iSCSI
Target parameters, like TPGT, with the shareiscsi attribute of a ZVOL,
and rightfully so. You can have ease of management, and complexity
like TPGT groups at the same time.

If you like the ease of shareiscsi, but wish to add additional iSCSI
properties, enable shareiscsi, then issue "iscsitadm list target -v",
retain the data, disable shareiscsi, and then configure the target,
plus iSCSI properties, yourself.


> Is changing it planned?

In time, the iSCSI target will be moving into COMSTAR
(http://www.opensolaris.org/os/project/comstar/), at which time the interface
between ZFS and iSCSI will be revisited with an eye toward the future.


> If so, do we have an ETA?

No commitments from me.

Jim

>
> Thanks,
>
> A. Hettinger
>
>
> This message posted from opensolaris.org
> _______________________________________________
> storage-discuss mailing list
> storage-discuss@opensolaris.org
> http://mail.opensolaris.org/mailman/listinfo/storage-discuss
