Hey Jim,

I really like being able to enable and disable shareiscsi from the zfs, it 
makes management much easier, but I also need the TPGT functionality. 

TPGT is a necessary part of my security policy:
1) physical security
2) switch only accepts a specific MAC to/from a specific port (statically
assigned) (prevents MAC spoofing)
3) firewall only permits a given IP if used with the associated MAC (prevents
IP spoofing)
4) TPGT only permits an iqn for an associated IP (prevents iqn spoofing).

It's slightly harder to make sure all these associations are kept up-to-date,
but (AFAIK) it is the only way to prevent the issues with having initiators
being trusted systems (I suppose exempting Kerberos, but it's not feasible for
what I need to do). The only attack vector I see remaining is the good
old-fashioned DoS. (If anyone wants to point out the flaw in my plan, please do.)

Is there already an RFE for this?
Is changing it planned?
If so, do we have an ETA?

Thanks,

A. Hettinger