SCF changes for iSCSI Target PSARC/2007/414 FastTrack [restart]

Tim Szeto Tim.Szeto at sun.com
Wed Sep 12 17:02:23 PDT 2007


Bill,

Bill Sommerfeld wrote:
> in scf_schema, we find:
>
>> chap_secrets
>>                target_chap             SCF_TYPE_USTRING
>>                initiator_chap          SCF_TYPE_USTRING
>>                radius_chap             SCF_TYPE_USTRING
>>                value_authorization  SCF_TYPE_ASTRING
>>                read_authorization  SCF_TYPE_ASTRING
>
> vs.
>
>> The chap_secret pgroup contains chap secrets for target, initiators
>> and radius server.  
>
> vs. (in a later example):
>
> chap_secret
>                 iscsitgt                fasfre4j4j49h33232fhffaieiei
>                 initiator_s6r           fasfre4j4j49h33232fhffaieiei
>                 radius-secret           94jnfjsleoo445
>                 value_authorization     solaris.smf.value.iscsitgt
>                 read_authorization      solaris.smf.read.iscsitgt
>
>
> Is it "chap_secret" or "chap_secrets" ?  
There are many chap secrets; here they are:
   - chap secret for the iscsi target
   - 1 chap secret per iscsi initiator; we have 1 or more iscsi initiators
   - 1 chap secret for the radius server

For the chap_secret PG, we will have a read_authorization property
added to the chap_secrets PG.
> It appears that rather than the property names being literally
> "target_chap" and "initiator_chap", the properties are actually given
> the name of the initiator and target property groups, and there could be
> many such attributes in the property group?
Yes.
The property_name of an initiator_chap will be identified by the 
initiator_name, and the initiator_name is unique for each
initiator.
> What prevents the creation of a target or initiator named
> "read_authorization"?
The read_authorization property is created only for the chap_secrets PG.
> what, if anything prevents a name collision between an initiator and a
> target?
When a new target is created, the iscsi target name creation is
guaranteed to be unique.

The initiator name at the iSCSI target is a local name defined by the
administrator; the initiator name is verified not already used.
> also, what measures are taken to conform to the requirements of 2007/177
> in terms of additional protection or obfuscation of properties?
We are proposing the use of base64 encoding to obscure the chap
secrets. I will update the scf_schema to reflect the obfuscation of the
secrets using base64 encoding.
>> The chap secret is default to NULL.
I do not mean NULL; I mean the chap property_name is not defined in the
chap_secrets PG.

When chap is not defined, this means CHAP authentication is not required
to authenticate the iscsi initiator and target.
> But there are multiple chap secrets created with dynamic names?
Let me clarify: the chap secrets for the target, initiators and radius
server are created dynamically. When the administrator creates the chap
secret, the PG names of the target, initiators and the radius server are
known; we use these names for the chap property_name in the chap_secrets PG.

thanks,
Tim

> 				- Bill
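A small Python model, added here and not code from this thread or from iscsitgt, of the chap_secrets PG as Tim describes it: properties named after the target, initiator and radius PG names, the two SMF authorization properties reserved, and base64 as the proposed obfuscation. The dict-backed class, its method names and the status strings are assumptions; the property names and values are taken from Bill's quoted example.

```python
import base64

# SMF authorization properties that sit in the chap_secrets PG alongside the
# secrets. A target or initiator must never be allowed to take one of these
# names, or its "secret" would overwrite an authorization string.
RESERVED_PROPS = {"value_authorization", "read_authorization"}


class ChapSecretsPG:
    """In-memory model (a plain dict, not libscf) of the chap_secrets PG."""

    def __init__(self):
        # Values as shown in the thread's example property group.
        self.props = {
            "value_authorization": "solaris.smf.value.iscsitgt",
            "read_authorization": "solaris.smf.read.iscsitgt",
        }

    def set_secret(self, name, secret):
        """Store the CHAP secret for the target/initiator/radius PG `name`.

        Returns "ok", "reserved" (name clashes with an authorization
        property) or "collision" (a secret already exists under that name).
        """
        if name in RESERVED_PROPS:
            return "reserved"
        if name in self.props:
            return "collision"
        # base64 as proposed in the thread: it only hides the secret from a
        # casual glance; anyone who can read the property can decode it.
        self.props[name] = base64.b64encode(secret.encode()).decode("ascii")
        return "ok"

    def get_secret(self, name):
        """Decoded secret, or None when no property is defined, which per
        the thread means CHAP is not required for that entity."""
        if name in RESERVED_PROPS or name not in self.props:
            return None
        return base64.b64decode(self.props[name]).decode()

    def chap_required(self, name):
        return name not in RESERVED_PROPS and name in self.props


def reveal(stored_value):
    """What any reader of the PG gets back: base64 needs no key to undo."""
    return base64.b64decode(stored_value).decode()
```

The reveal() call is the reason the read_authorization property, not the base64 encoding, is what actually keeps the secrets from other users on the host.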