Network Working Group                                           M. Bakke
Request for Comments: 3721                                         Cisco
Category: Informational                                        J. Hafner
                                                              J. Hufferd
                                                            K. Voruganti
                                                                     IBM
                                                              M. Krueger
                                                         Hewlett-Packard
                                                              April 2004
Internet Small Computer Systems Interface (iSCSI) Naming and Discovery
Status of this Memo
This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2004). All Rights Reserved.
Abstract
This document provides examples of the Internet Small Computer Systems Interface (iSCSI; or SCSI over TCP) name construction and discussion of discovery of iSCSI resources (targets) by iSCSI initiators. This document complements the iSCSI protocol document. Flexibility is the key guiding principle behind this document. That is, an effort has been made to satisfy the needs of both small isolated environments, as well as large environments requiring secure/scalable solutions.
Table of Contents
   1. iSCSI Names and Addresses
      1.1. Constructing iSCSI names using the iqn. format
      1.2. Constructing iSCSI names using the eui. format
   2. iSCSI Alias
      2.1. Purpose of an Alias
      2.2. Target Alias
      2.3. Initiator Alias
   3. iSCSI Discovery
   4. Security Considerations
   5. References
      5.1. Normative References
      5.2. Informative References
   6. Acknowledgements
   Appendix A: iSCSI Naming Notes
   Appendix B: Interaction with Proxies and Firewalls
      B.1. Port Redirector
      B.2. SOCKS server
      B.3. SCSI gateway
      B.4. iSCSI Proxy
      B.5. Stateful Inspection Firewall
   Appendix C: iSCSI Names and Security Identifiers
   Authors' Addresses
   Full Copyright Statement
1. iSCSI Names and Addresses

The main addressable, discoverable entity in iSCSI is an iSCSI Node. An iSCSI node can be either an initiator, a target, or both. The rules for constructing an iSCSI name are specified in [RFC3720].
This document provides examples of name construction that might be used by a naming authority.
Both targets and initiators require names for the purpose of identification, so that iSCSI storage resources can be managed regardless of location (address). An iSCSI name is the unique identifier for an iSCSI node, and is also the SCSI device name [SAM2] of an iSCSI device. The iSCSI name is the principal object used in authentication of targets to initiators and initiators to targets. This name is also used to identify and manage iSCSI storage resources.
Furthermore, iSCSI names are associated with iSCSI nodes instead of with network adapter cards, to ensure the free movement of network HBAs between hosts without loss of SCSI state information (reservations, mode page settings, etc.) and authorization configuration.
An iSCSI node also has one or more addresses. An iSCSI address specifies a single path to an iSCSI node and consists of the iSCSI name, plus a transport (TCP) address which uses the following format:
<domain-name>[:<port>]
Where <domain-name> is one of:
- IPv4 address, in dotted decimal notation. Assumed if the name contains exactly four numbers, separated by dots (.), where each number is in the range 0..255.
- IPv6 address, in colon-separated hexadecimal notation, as specified in [RFC3513] and enclosed in "[" and "]" characters, as specified in [RFC2732].
- Fully Qualified Domain Name (host name). Assumed if the <domain-name> is neither an IPv4 nor an IPv6 address.
For iSCSI targets, the <port> in the address is optional; if specified, it is the TCP port on which the target is listening for connections. If the <port> is not specified, the default port 3260, assigned by IANA, will be assumed. For iSCSI initiators, the <port> is omitted.
Examples of addresses:
    192.0.2.2
    192.0.2.23:5003
    [FEDC:BA98:7654:3210:FEDC:BA98:7654:3210]
    [1080:0:0:0:8:800:200C:417A]
    [3ffe:2a00:100:7031::1]
    [1080::8:800:200C:417A]
    [1080::8:800:200C:417A]:3260
    [::192.0.2.5]
    mydisks.example.com
    moredisks.example.com:5003
The concepts of names and addresses have been carefully separated in iSCSI:
- An iSCSI Name is a location-independent, permanent identifier for an iSCSI node. An iSCSI node has one iSCSI name, which stays constant for the life of the node. The terms "initiator name" and "target name" also refer to an iSCSI name.
- An iSCSI Address specifies not only the iSCSI name of an iSCSI node, but also a location of that node. The address consists of a host name or IP address, a TCP port number (for the target), and the iSCSI Name of the node. An iSCSI node can have any number of addresses, which can change at any time, particularly if they are assigned via DHCP.
A similar analogy exists for people. A person in the USA might be:
    Robert Smith
    SSN+DateOfBirth: 333-44-5555 14-MAR-1960
    Phone:           +1 (763) 555.1212
    Home Address:    555 Big Road, Minneapolis, MN 55444
    Work Address:    222 Freeway Blvd, St. Paul, MN 55333
In this case, Robert's globally unique name is really his Social Security Number plus Date of Birth. His common name, "Robert Smith", is not guaranteed to be unique. Robert has three locations at which he may be reached: two physical addresses and a phone number.
In this example, Robert's SSN+DOB is like the iSCSI Name (date of birth is required to disambiguate SSNs that have been reused), his phone number and addresses are analogous to an iSCSI node's TCP addresses, and "Robert Smith" would be a human-friendly label for this person.
To assist in providing a more human-readable user interface for devices that contain iSCSI targets and initiators, a target or initiator may also provide an alias. This alias is a simple UTF-8 string, is not globally unique, and is never interpreted or used to identify an initiator or device within the iSCSI protocol. Its use is described further in section 2.
1.1. Constructing iSCSI names using the iqn. format

The iSCSI naming scheme was constructed to give an organizational naming authority the flexibility to further subdivide the responsibility for name creation to subordinate naming authorities. The iSCSI qualified name format is defined in [RFC3720] and contains (in order):
- The string "iqn."
- A date code specifying the year and month in which the organization registered the domain or sub-domain name used as the naming authority string.
- The organizational naming authority string, which consists of a valid, reversed domain or subdomain name.
- Optionally, a ':', followed by a string of the assigning organization's choosing, which must make each assigned iSCSI name unique.
The following is an example of an iSCSI qualified name from an equipment vendor:
                Organizational   Subgroup Naming Authority
                Naming           and/or string Defined by
    Type  Date  Auth             Org. or Local Naming Authority
    +--++-----+ +---------+ +--------------------------------+
    |  ||     | |         | |                                |
    iqn.2001-04.com.example:diskarrays-sn-a8675309
Where:

"iqn" specifies the use of the iSCSI qualified name as the authority.

"2001-04" is the year and month in which the naming authority acquired the domain name used in this iSCSI name. This is used to ensure that when domain names are sold or transferred to another organization, iSCSI names generated by these organizations will be unique.

"com.example" is a reversed DNS name, and defines the organizational naming authority. The owner of the DNS name "example.com" has the sole right of use of this name as this part of an iSCSI name, as well as the responsibility to keep the remainder of the iSCSI name unique. In this case, example.com happens to manufacture disk arrays.

"diskarrays" was picked arbitrarily by example.com to identify the disk arrays they manufacture. Another product that example.com makes might use a different name, and have its own namespace independent of the disk array group. The owner of "example.com" is responsible for keeping this structure unique.

"sn" was picked by the disk array group of example.com to show that what follows is a serial number. They could have just assumed that all iSCSI Names are based on serial numbers, but they thought that perhaps later products might be better identified by something else. Adding "sn" was a future-proofing measure.

"a8675309" is the serial number of the disk array, uniquely identifying it from all other arrays.
Another example shows how the ':' separator helps owners of sub-domains to keep their name spaces unique:
                Naming              Defined by
    Type  Date  Authority           Naming Authority
    +--++-----+ +-----------------+ +-----------+
    |  ||     | |                 | |           |
    iqn.2001-04.com.example.storage:tape.sys1.xyz

                Naming                   Defined by
    Type  Date  Authority                Naming Authority
    +--++-----+ +----------------------+ +-----------+
    |  ||     | |                      | |           |
    iqn.2001-04.com.example.storage.tape:sys1.xyz
Note that, except for the ':' separator, both names are identical. The first was assigned by the owner of the subdomain "storage.example.com"; the second was assigned by the owner of "tape.storage.example.com". These are both legal names, and are unique.
The following is an example of a name that might be constructed by a research organization:
                Naming         Defined by Defined by
    Type Date   Authority      cs dept    User "oaks"
    +-+ +-----+ +------------+ +--------+ +-----------+
    | | |     | |            | |        | |           |
    iqn.2000-02.edu.example.cs:users.oaks:proto.target4
In the above example, Professor Oaks of Example University is building research prototypes of iSCSI targets. Example University's computer science department allows each user to use his or her user name as a naming authority for this type of work, by attaching "users.<username>" after the ':', and another ':', followed by a string of the user's choosing (the user is responsible for making this part unique). Professor Oaks chose to use "proto.target4" for this particular target.
The following is an example of an iSCSI name string from a storage service provider:
                Organization    String
                Naming          Defined by Org.
    Type Date   Authority       Naming Authority
    +-+ +-----+ +-------------+ +----------------------+
    | | |     | |             | |                      |
    iqn.1995-11.com.example.ssp:customers.4567.disks.107
In this case, a storage service provider (ssp.example.com) has decided to re-name the targets from the manufacturer, to provide the flexibility to move the customer's data to a different storage subsystem should the need arise.
The Storage Service Provider (SSP) has configured the iSCSI Name on this particular target for one of its customers, and has determined that it made the most sense to track these targets by their Customer ID number and a disk number. This target was created for use by customer #4567, and is the 107th target configured for this customer.
Note that when reversing these domain names, the first component (after the "iqn.") will always be a top-level domain name, which includes "com", "edu", "gov", "org", "net", "mil", or one of the two-letter country codes. The use of anything else as the first component of these names is not allowed. In particular, companies generating these names must not eliminate their "com." from the string.
Again, these iSCSI names are NOT addresses. Even though they make use of DNS domain names, they are used only to specify the naming authority. An iSCSI name contains no implications of the iSCSI target or initiator's location. The use of the domain name is only a method of re-using an already ubiquitous name space.
1.2. Constructing iSCSI names using the eui. format

The iSCSI eui. naming format allows a naming authority to use IEEE EUI-64 identifiers in constructing iSCSI names. The details of constructing EUI-64 identifiers are specified by the IEEE Registration Authority (see [EUI64]).
Example iSCSI name:
    Type EUI-64 identifier (ASCII-encoded hexadecimal)
    +--++--------------+
    |  ||              |
    eui.02004567A425678D
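The iqn. and eui. construction rules above, as an added example that is not code from RFC 3721 or from any iSCSI implementation: a small Python validator that builds an iqn. name from an acquisition date, a domain and a suffix, and parses iqn. and eui. names back into their parts. The 223-byte limit on a name is RFC 3720's; the list of first-component TLDs is the one this document gives; case-insensitive matching is an assumption of this example, not a rule the page states.

```python
"""Build and check iSCSI node names in the iqn. and eui. formats.

Added example; not code from RFC 3721 or from any iSCSI implementation.
Structure encoded here, as the text describes it: "iqn." + yyyy-mm date
code + reversed domain whose first label is a TLD + optional ':' suffix,
or "eui." + 16 hex digits, within RFC 3720's 223-byte limit.  The TLD
list is the document's; case-insensitive matching is an assumption.
"""
import re

MAX_NAME_BYTES = 223                     # RFC 3720 limit on an iSCSI name
TLDS_IN_DOCUMENT = {"com", "edu", "gov", "org", "net", "mil"}

_LABEL = r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?"
_IQN_RE = re.compile(
    rf"^iqn\.(?P<date>\d{{4}}-(?:0[1-9]|1[0-2]))"   # year-month domain acquired
    rf"\.(?P<authority>{_LABEL}(?:\.{_LABEL})+)"     # reversed domain name
    rf"(?::(?P<suffix>[a-z0-9.:-]+))?$",             # authority's own string
    re.IGNORECASE,
)
_EUI_RE = re.compile(r"^eui\.(?P<id>[0-9a-f]{16})$", re.IGNORECASE)


def _check_length(name: str) -> None:
    if len(name.encode("utf-8")) > MAX_NAME_BYTES:
        raise ValueError(f"iSCSI name longer than {MAX_NAME_BYTES} bytes")


def _first_label_is_tld(authority: str) -> bool:
    """Document rule: the reversed name starts with a TLD or a two-letter
    country code, never with the organization's own label."""
    first = authority.split(".")[0].lower()
    return first in TLDS_IN_DOCUMENT or (len(first) == 2 and first.isalpha())


def build_iqn(year: int, month: int, domain: str, suffix: str = "") -> str:
    """year/month: when the authority acquired `domain`; `suffix` is the
    part the authority itself must keep unique."""
    if not 1 <= month <= 12:
        raise ValueError("month must be 1..12")
    authority = ".".join(reversed(domain.strip(".").split(".")))
    name = f"iqn.{year:04d}-{month:02d}.{authority}"
    if suffix:
        name += f":{suffix}"
    parse_name(name)                     # re-validate what we produced
    return name


def parse_name(name: str) -> dict:
    """Return the components of a valid iqn. or eui. name; raise ValueError
    otherwise.  For eui. only the 16-hex-digit form is checked; the EUI-64
    content itself is the IEEE Registration Authority's business."""
    _check_length(name)
    m = _IQN_RE.match(name)
    if m:
        authority = m.group("authority")
        if not _first_label_is_tld(authority):
            raise ValueError(f"naming authority does not start with a TLD: {authority!r}")
        return {
            "type": "iqn",
            "date": m.group("date"),
            "authority": authority,
            "domain": ".".join(reversed(authority.split("."))),
            "suffix": m.group("suffix"),
        }
    m = _EUI_RE.match(name)
    if m:
        return {"type": "eui", "id": m.group("id").upper()}
    raise ValueError(f"not a valid iqn. or eui. name: {name!r}")


def is_valid_name(name: str) -> bool:
    try:
        parse_name(name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(build_iqn(2001, 4, "example.com", "diskarrays-sn-a8675309"))
    for n in ("iqn.2001-04.com.example.storage:tape.sys1.xyz",
              "iqn.2001-04.com.example.storage.tape:sys1.xyz",
              "iqn.2000-02.edu.example.cs:users.oaks:proto.target4",
              "eui.02004567A425678D"):
        print(n, "->", parse_name(n))
```

The ':' separator is what lets storage.example.com and tape.storage.example.com issue names that differ only in where the authority ends; parse_name returns the authority for each, so an access policy can key on who assigned the name rather than on the whole string.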
2. iSCSI Alias

The iSCSI alias is a UTF-8 text string that may be used as an additional descriptive name for an initiator and target. This may not be used to identify a target or initiator during login, and does not have to follow the uniqueness or other requirements of the iSCSI name. The alias strings are communicated between the initiator and target at login, and can be displayed by a user interface on either end, helping the user tell at a glance whether the initiators and/or targets at the other end appear to be correct. The alias must NOT be used to identify, address, or authenticate initiators and targets.
The alias is a variable length string, between 0 and 255 characters, and is terminated with at least one NULL (0x00) character, as defined in [RFC3720]. No other structure is imposed upon this string.
2.1. Purpose of an Alias

Initiators and targets are uniquely identified by an iSCSI Name. These identifiers may be assigned by a hardware or software manufacturer, a service provider, or even the customer. Although these identifiers are nominally human-readable, they are likely to be assigned from a point of view different from that of the other side of the connection. For instance, a target name for a disk array may be built from the array's serial number and some sort of internal target ID. Although this would still be human-readable and transcribable, it offers little assurance to someone at a user interface who would like to see "at a glance" whether this target is really the correct one.
The use of an alias helps solve that problem. An alias is simply a descriptive name that can be assigned to an initiator or target, that is independent of the name, and does not have to be unique. Since it is not unique, the alias must be used in a purely informational way. It may not be used to specify a target at login, or used during authentication.
Both targets and initiators may have aliases.
2.2. Target Alias

To show the utility of an alias, here is an example using an alias for an iSCSI target.
Imagine sitting at a desktop station that is using some iSCSI devices over a network. The user requires another iSCSI disk, and calls the storage services person (internal or external), giving any authentication information that the storage device will require for the host. The services person allocates a new target for the host, and sends the Target Name for the new target, and probably an address, back to the user. The user then adds this Target Name to the configuration file on the host, and discovers the new device.
Without an alias, a user managing an iSCSI host would click on some sort of management "show targets" button to show the targets to which the host is currently connected.
    +--Connected-To-These-Targets----------------------
    |
    |  Target Name
    |
    |  iqn.1995-04.com.example:sn.5551212.target.450
    |  iqn.1995-04.com.example:sn.5551212.target.489
    |  iqn.1995-04.com.example:sn.8675309
    |  iqn.2001-04.com.example.storage:tape.sys1.xyz
    |  iqn.2001-04.com.example.storage.tape:sys1.xyz
    |
    +--------------------------------------------------
In the above example, the user sees a collection of iSCSI Names, but with no real description of what they are for. They will, of course, map to a system-dependent device file or drive letter, but it's not easy looking at numbers quickly to see if everything is there.
If a storage administrator configures an alias for each target name, the alias can provide a more descriptive name. This alias may be sent back to the initiator as part of the login response, or found in the iSCSI MIB. It then might be used in a display such as the following:
    +--Connected-To-These-Targets----------------------
    |
    |  Alias       Target Name
    |
    |  Oracle 1    iqn.1995-04.com.example:sn.5551212.target.450
    |  Local Disk  iqn.1995-04.com.example:sn.5551212.target.489
    |  Exchange 2  iqn.1995-04.com.example:sn.8675309
    |
    +--------------------------------------------------
This would give the user a better idea of what's really there.
In general, flexible, configured aliases will probably be supported by larger storage subsystems and configurable gateways. Simpler devices will likely not keep configuration data around for things such as an alias. The TargetAlias string could be either left unsupported (not given to the initiator during login) or could be returned as whatever the "next best thing" that the target has that might better describe it. Since it does not have to be unique, it could even return SCSI inquiry string data.
Note that if a simple initiator does not wish to keep or display alias information, it can be simply ignored if seen in the login response.
2.3. Initiator Alias

An initiator alias can be used in the same manner as a target alias. An initiator may send the alias in a login request, when it sends its iSCSI Initiator Name. The alias is not used for authentication, but may be kept with the session information for display through a management Graphical User Interface (GUI) or command-line interface (for a more complex subsystem or gateway), or through the iSCSI MIB.
Note that a simple target can just ignore the Initiator Alias if it has no management interface on which to display it.
Usually just the hostname would be sufficient for an initiator alias, but a custom alias could be configured for the sake of the service provider if needed. Even better would be a description of what the machine was used for, such as "Exchange Server 1", or "User Web Server".
Here's an example of a management interface showing a list of sessions on an iSCSI target network entity. For this display, the targets are using an internal target number, which is a fictional field that has purely internal significance.
    +--Connected-To-These-Initiators-------------------
    |
    |  Target  Initiator Name
    |
    |  450     iqn.1995-04.com.example.sw:cd.12345678-OEM-456
    |  451     iqn.1995-04.com.example.os:hostid.A598B45C
    |  309     iqn.1995-04.com.example.sw:cd.87654321-OEM-259
    |
    +--------------------------------------------------
And with the initiator alias displayed:
    +--Connected-To-These-Initiators-------------------
    |
    |  Target  Alias               Initiator Name
    |
    |  450     Web Server 4        iqn.1995-04.com.example.sw:cd.12...
    |  451     scsigw.example.com  iqn.1995-04.com.example.os:hosti...
    |  309     Exchange Server     iqn.1995-04.com.example.sw:cd.87...
    |
    +--------------------------------------------------
This gives the storage administrator a better idea of who is connected to their targets. Of course, one could always do a reverse DNS lookup of the incoming IP address to determine a host name, but simpler devices really don't do well with that particular feature due to blocking problems, and it won't always work if there is a firewall or iSCSI gateway involved.
Again, these are purely informational and optional and require a management application.
Aliases are extremely easy to implement. Targets just send a TargetAlias whenever they send a TargetName. Initiators just send an InitiatorAlias whenever they send an InitiatorName. If an alias is received that does not fit, or seems invalid in any way, it is ignored.
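The alias rules of section 2 (display only, 0 to 255 characters, never used to identify or authenticate, ignored when it does not fit), as an added example that is not code from RFC 3721 or from any iSCSI implementation. InitiatorName, InitiatorAlias and TargetName are RFC 3720 login text keys; the two login requests and the access list are constructed for this example. The second login puts a permitted initiator's name into the alias field to show that doing so buys nothing, and the alias is scrubbed of control characters before it can reach a management display or a log line.

```python
"""Authorize on the iSCSI name; treat the alias as display-only text.

Added example; not code from RFC 3721 or from any iSCSI implementation.
InitiatorName, InitiatorAlias and TargetName are RFC 3720 login text keys
(NUL-terminated key=value pairs); the login requests and the ACL below are
constructed.  The alias is bounded to the 255 characters this document
specifies, dropped when malformed, and stripped of control characters,
because the peer chooses it freely and it carries no identity.
"""
import unicodedata
from typing import Optional

ALIAS_MAX_CHARS = 255

# Constructed ACL: target name -> initiator names permitted to log in.
ACL = {
    "iqn.1995-04.com.example:sn.5551212.target.450": {
        "iqn.1995-04.com.example.sw:cd.12345678-OEM-456",
    },
}

# Constructed login text.  The second carries a permitted initiator's name
# in the *alias* field, which must not influence the decision.
LEGIT_LOGIN = (
    b"InitiatorName=iqn.1995-04.com.example.sw:cd.12345678-OEM-456\x00"
    b"InitiatorAlias=Web Server 4\x00"
    b"TargetName=iqn.1995-04.com.example:sn.5551212.target.450\x00"
)
SPOOFED_LOGIN = (
    b"InitiatorName=iqn.2004-01.com.example.other:host1\x00"
    b"InitiatorAlias=iqn.1995-04.com.example.sw:cd.12345678-OEM-456\x00"
    b"TargetName=iqn.1995-04.com.example:sn.5551212.target.450\x00"
)


def parse_login_keys(text: bytes) -> dict:
    """Split NUL-terminated key=value pairs; values stay as raw bytes."""
    keys = {}
    for pair in text.split(b"\x00"):
        if not pair:
            continue
        key, sep, value = pair.partition(b"=")
        if not sep:
            raise ValueError(f"malformed key=value pair: {pair!r}")
        keys[key.decode("ascii")] = value
    return keys


def sanitize_alias(raw: Optional[bytes]) -> Optional[str]:
    """Return a display-safe alias, or None when it should be ignored.
    Ignoring it loses nothing: the alias is never an identifier."""
    if raw is None:
        return None
    try:
        alias = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    if len(alias) > ALIAS_MAX_CHARS:
        return None
    # Drop control/format characters (ESC for terminal escapes, newlines for
    # log injection) so a peer cannot forge UI rows or log lines.
    cleaned = "".join(c for c in alias if unicodedata.category(c) not in ("Cc", "Cf"))
    return cleaned or None


def authorize_login(text: bytes) -> dict:
    """Admission is decided from InitiatorName and TargetName alone; the
    alias only rides along for the management display."""
    keys = parse_login_keys(text)
    initiator = keys["InitiatorName"].decode("utf-8")
    target = keys["TargetName"].decode("utf-8")
    return {
        "initiator": initiator,
        "target": target,
        "alias": sanitize_alias(keys.get("InitiatorAlias")),
        "allowed": initiator in ACL.get(target, set()),
    }


if __name__ == "__main__":
    for login in (LEGIT_LOGIN, SPOOFED_LOGIN):
        print(authorize_login(login))
```

The same sanitize_alias step applies to a TargetAlias received by an initiator: a target that returns SCSI inquiry data or other free text as its alias is exercising exactly the latitude the text above describes, so the initiator's display code has to treat that string as untrusted too.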
3. iSCSI Discovery

The goal of iSCSI discovery is to allow an initiator to find the targets to which it has access, and at least one address at which each target may be accessed. This should generally be done using as little configuration as possible. This section defines the discovery mechanism only; no attempt is made to specify central management of iSCSI devices within this document. Moreover, the iSCSI discovery mechanisms listed here only deal with target discovery and one still needs to use the SCSI protocol for LUN discovery.
In order for an iSCSI initiator to establish an iSCSI session with an iSCSI target, the initiator needs the IP address, TCP port number and iSCSI target name information. The goal of the iSCSI discovery mechanisms is to provide low-overhead support for small iSCSI setups, and scalable discovery solutions for large enterprise setups. Thus, there are several methods that may be used to find targets, ranging from configuring a list of targets and addresses on each initiator and doing no discovery at all, to configuring nothing on each initiator and allowing the initiator to discover targets dynamically. The various discovery mechanisms differ in their assumptions about what information is already available to the initiators and what information still needs to be discovered.
iSCSI supports the following discovery mechanisms:
a. Static Configuration: This mechanism assumes that the IP address, TCP port and the iSCSI target name information are already available to the initiator. The initiators need to perform no discovery in this approach. The initiator uses the IP address and the TCP port information to establish a TCP connection, and it uses the iSCSI target name information to establish an iSCSI session. This discovery option is convenient for small iSCSI setups.
b. SendTargets: This mechanism assumes that the target's IP address and TCP port information are already available to the initiator. The initiator then uses this information to establish a discovery session to the Network Entity. The initiator then subsequently issues the SendTargets text command to query information about the iSCSI targets available at the particular Network Entity (IP address). SendTargets command details can be found in the iSCSI document [RFC3720]. This discovery option is convenient for iSCSI gateways and routers.
c. Zero-Configuration: This mechanism assumes that the initiator does not have any information about the target. In this option, the initiator can either multicast discovery messages directly to the targets, or it can send discovery messages to storage name servers. Currently, there are many general purpose discovery frameworks available, such as Salutation [John], Jini [John], UPnP [John], SLP [RFC2608] and iSNS [iSNS]. However, with respect to iSCSI, SLP can clearly perform the needed discovery functions [iSCSI-SLP], while iSNS [iSNS] can be used to provide related management functions including notification, access management, configuration, and discovery management. iSCSI equipment that needs discovery functions beyond SendTargets should at least implement SLP, and then consider iSNS when extended discovery management capabilities are required, such as in larger storage networks. It should be noted that since iSNS will support SLP, iSNS can be used to help manage the discovery information returned by SLP.
4. Security Considerations

Most security issues relating to iSCSI naming are discussed in the main iSCSI document [RFC3720] and the iSCSI security document [RFC3723].

In addition, Appendix B discusses the naming and discovery consequences of deploying gateways, proxies, and firewalls, which some iSCSI installations use to address security or discovery problems.

iSCSI allows several different authentication methods to be used. For many of these methods, an authentication identifier is used, which may differ from the iSCSI node name of the entity being authenticated. This is discussed in more detail in Appendix C.
5. References

5.1. Normative References

[RFC3720] Satran, J., Meth, K., Sapuntzakis, C., Chadalapaka, M. and E. Zeidner, "Internet Small Computer Systems Interface (iSCSI)", RFC 3720, April 2004.

[EUI64] IEEE, "Guidelines for 64-bit Global Identifier (EUI-64) Registration Authority", http://standards.ieee.org/regauth/oui/tutorials/EUI64.html

[SAM2] Weber, R., et al., "SCSI Architectural Model - 2 (SAM-2)", Section 4.7.6 "SCSI device name", INCITS T10 Project 1157-D, revision 24, September 2002.

5.2. Informative References

[RFC2608] Guttman, E., Perkins, C., Veizades, J. and M. Day, "Service Location Protocol, Version 2", RFC 2608, June 1999.
[RFC2732] Hinden, R., Carpenter, B. and L. Masinter, "Format for Literal IPv6 Addresses in URL's", RFC 2732, December 1999.

[RFC2979] Freed, N., "Behavior of and Requirements for Internet Firewalls", RFC 2979, October 2000.

[RFC3303] Srisuresh, P., Kuthan, J., Rosenberg, J., Molitor, A. and A. Rayhan, "Middlebox Communication Architecture and Framework", RFC 3303, August 2002.

[RFC3513] Hinden, R. and S. Deering, "Internet Protocol Version 6 Addressing Architecture", RFC 3513, April 2003.

[RFC3723] Aboba, B., Tseng, J., Walker, J., Rangan, V. and F. Travostino, "Securing Block Storage Protocols over IP", RFC 3723, April 2004.

[iSCSI-SLP] Bakke, M., et al., "Finding iSCSI Targets and Name Servers using SLP", Work in Progress, March 2003.

[iSNS] Tseng, J., et al., "Internet Storage Name Service (iSNS)", Work in Progress, January 2003.
[John] John, R., "UPnP, Jini and Salutation - A look at some popular coordination frameworks for future networked devices", http://www.cswl.com/whiteppr/tech/upnp.html, June 17, 1999.

6. Acknowledgements

Joe Czap (IBM), Howard Hall (Pirus), Jack Harwood (EMC), Yaron Klein (SANRAD), Larry Lamers (Adaptec), Josh Tseng (Nishan Systems), and Todd Sperry (Adaptec) have participated and made contributions during development of this document.
Appendix A: iSCSI Naming Notes

Some iSCSI Name Examples for Targets

- Assign to a target based on controller serial number

iqn.2001-04.com.example:diskarray.sn.8675309
- Assign to a target based on controller serial number plus a user-assigned label

iqn.2001-04.com.example:diskarray.sn.8675309.oracle-db-1

Where oracle-db-1 might be a target label assigned by a user. This would be useful for a controller that can present different logical targets to different hosts.

Obviously, any naming authority may come up with its own scheme and hierarchy for these names, and be just as valid.

A target iSCSI Name should never be derived from interface hardware, or from any other hardware that can be swapped and moved to other devices, since the name would then follow the hardware rather than stay with the target.
Some iSCSI Name Examples for Initiators

- Assign to the OS image by fully qualified host name

iqn.2001-04.com.example.os:dns.com.customer1.host-four

Note the use of two FQDNs: that of the naming authority and that of the host being named. This can cause problems, because an iSCSI Name is limited to 223 bytes [RFC3720] and a long host name may not fit.

- Assign to the OS image by OS install serial number

iqn.2001-04.com.example.os:newos5.12345-OEM-0067890-23456

Note that this breaks if an install CD is used more than once, since every OS image installed from it would receive the same name. Depending on the O/S vendor's philosophy, this might be a feature.

- Assign to the Raid Array by a service provider

iqn.2001-04.com.example.myssp:users.mbakke05657
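As an added example (not part of RFC 3721, and not code from any implementation it describes), the following Python builds names in the forms shown above and checks a candidate name against the iqn. and eui. grammar and the 223-byte limit of [RFC3720]. The ASCII-only character class it accepts for the string after the colon is this example's own simplification of the wider character set RFC 3720 permits, and every domain, date and label in it is constructed for illustration.

```python
"""Added example (not from RFC 3721): construct and check iSCSI node names
in the iqn. and eui. formats shown in Appendix A.  The grammar used here
(iqn.YYYY-MM.<reversed domain>[:<string>], eui. plus 16 hex digits, names
at most 223 bytes) follows RFC 3720; the ASCII-only character class for
the unique string is this example's simplification, and every domain,
date and label below is constructed for illustration."""
import re
from typing import List, Optional

MAX_NAME_BYTES = 223  # RFC 3720 length limit for initiator and target names

# iqn.<YYYY-MM>.<reversed domain>[:<string chosen by the naming authority>]
_IQN_RE = re.compile(
    r"^iqn\.(?P<date>\d{4}-(?:0[1-9]|1[0-2]))"
    r"\.(?P<authority>[a-z0-9](?:[a-z0-9-]*[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)*)"
    r"(?::(?P<unique>[a-z0-9.:-]+))?$"
)
# eui. followed by exactly 16 hexadecimal digits (an IEEE EUI-64)
_EUI_RE = re.compile(r"^eui\.[0-9a-f]{16}$")


def reverse_domain(domain: str) -> str:
    """'os.example.com' -> 'com.example.os' (the naming-authority part)."""
    return ".".join(reversed(domain.lower().strip(".").split(".")))


def make_iqn(year: int, month: int, domain: str,
             unique: Optional[str] = None) -> str:
    """Build an iqn. name from the date the authority owned the domain,
    the reversed domain, and an optional ':'-prefixed string of its own."""
    name = f"iqn.{year:04d}-{month:02d}.{reverse_domain(domain)}"
    if unique:
        name += ":" + unique.lower()
    return name


def make_eui(eui64: str) -> str:
    """Build an eui. name from a 64-bit EUI written with or without ':'/'-'."""
    return "eui." + re.sub(r"[:\-]", "", eui64).lower()


def initiator_name_from_host(year: int, month: int, authority_domain: str,
                             host_fqdn: str) -> str:
    """Name an OS image after its fully qualified host name, as in Appendix A.
    Two FQDNs go into one name, so the 223-byte limit is checked here."""
    name = make_iqn(year, month, authority_domain,
                    "dns." + reverse_domain(host_fqdn))
    if len(name.encode("utf-8")) > MAX_NAME_BYTES:
        raise ValueError("host name too long to embed in an iSCSI name")
    return name


def validate_iscsi_name(name: str) -> List[str]:
    """Return the list of problems found; an empty list means acceptable."""
    problems: List[str] = []
    if len(name.encode("utf-8")) > MAX_NAME_BYTES:
        problems.append(f"longer than {MAX_NAME_BYTES} bytes")
    canon = name.lower()  # RFC 3722 case-folds names; compare in lower case
    if canon.startswith("iqn."):
        if not _IQN_RE.match(canon):
            problems.append("malformed iqn. name")
    elif canon.startswith("eui."):
        if not _EUI_RE.match(canon):
            problems.append("malformed eui. name (expected 16 hex digits)")
    else:
        problems.append("unknown type prefix (expected iqn. or eui.)")
    return problems


if __name__ == "__main__":
    for n in (
        make_iqn(2001, 4, "example.com", "diskarray.sn.8675309"),
        initiator_name_from_host(2001, 4, "os.example.com",
                                 "host-four.customer1.com"),
        make_eui("02-00-00-FF-FE-00-00-01"),
        "iqn.2001-13.com.example",                # impossible month
        "iqn.2001-04.com.example:" + "a" * 200,   # over 223 bytes
    ):
        print(n[:60], validate_iscsi_name(n) or "ok")
```

The length check is the one to keep in mind for the two-FQDN initiator names above: the authority's domain and the host's domain both count against the same 223 bytes.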
Appendix B: Interaction with Proxies and Firewalls

iSCSI has been designed to allow SCSI initiators and targets to communicate over an arbitrary IP network. This means that in theory, making some assumptions about authentication and security, the whole internet could be used as one giant storage network.

However, there are many access and scaling problems that would come up when this is attempted.

1. Most iSCSI targets may only be meant to be accessed by one or a few initiators. Discovering everything would be unnecessary.

2. The initiator and target may be owned by separate entities, each with their own directory services, authentication, and other schemes. An iSCSI-aware proxy may be required to map between these things.

3. Many environments use private, non-globally-routable IP addresses, such as the 10.0.0.0/8 network.

For these and other reasons, various types of firewalls [RFC2979] and proxies will be deployed for iSCSI, similar in nature to those already handling protocols such as HTTP and FTP.
B.1. Port Redirector

A port redirector is a stateless device that is not aware of iSCSI. It is used to do Network Address Translation (NAT), which can map IP addresses between routable and non-routable domains, as well as map TCP ports. While devices providing these capabilities can often filter based on IP addresses and TCP ports, they generally do not provide meaningful security, and are used instead to resolve internal network routing issues.

Since it is entirely possible that these devices are used as routers and/or aggregators between a firewall and an iSCSI initiator or target, iSCSI connections must be operable through them.

Effects on iSCSI:

- iSCSI-level data integrity checks must not include information from the TCP or IP headers, as these may be changed in between the initiator and target.

- iSCSI messages that specify a particular initiator or target, such as login requests and third party requests, should specify the initiator or target in a location-independent manner. This is accomplished using the iSCSI Name.

- When an iSCSI discovery connection is used through a port redirector, the target will have to be configured to return a domain name instead of an IP address in the TargetAddress of its SendTargets response, since the port redirector cannot map IP addresses carried inside the iSCSI message. It is good practice to do this anyway.
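The SendTargets discovery option of section 3 and the port-redirector caveat just above meet in the discovery response itself. As an added example (not code from RFC 3721, RFC 3720 or any iSCSI implementation), the following Python parses the text key=value pairs of a SendTargets response and flags every TargetAddress that is an IP literal rather than a domain name, which is exactly what a NAT device in the path cannot rewrite. The key syntax follows [RFC3720] (NUL-separated "key=value" strings, TargetAddress=host[:port][,portal-group-tag], IPv6 literals in brackets, default port 3260); the target names, addresses and the whole sample response are constructed for illustration.

```python
"""Added example (not part of RFC 3721 or RFC 3720): parse the text
key=value pairs of a SendTargets response (section 3, option b) and flag
TargetAddress values that carry an IP literal, which a port redirector in
the path cannot rewrite (Appendix B.1).  Key syntax follows RFC 3720:
NUL-separated "key=value" strings, TargetAddress=host[:port][,tpgt],
IPv6 literals in brackets, default port 3260.  The sample response below
is constructed, not captured from a real target."""
import ipaddress
from typing import Any, Dict, List, Optional, Tuple

ISCSI_DEFAULT_PORT = 3260

Portal = Dict[str, Any]


def parse_target_address(value: str) -> Tuple[str, int, Optional[int], bool]:
    """Split 'host[:port][,tpgt]' into (host, port, tpgt, is_ip_literal)."""
    tpgt: Optional[int] = None
    if "," in value:
        value, tpgt_text = value.rsplit(",", 1)
        tpgt = int(tpgt_text)
    if value.startswith("["):                 # bracketed IPv6 literal
        end = value.index("]")
        host, rest = value[1:end], value[end + 1:]
        port = int(rest[1:]) if rest.startswith(":") else ISCSI_DEFAULT_PORT
    else:
        host, sep, port_text = value.partition(":")
        port = int(port_text) if sep else ISCSI_DEFAULT_PORT
    try:
        ipaddress.ip_address(host)
        is_ip = True
    except ValueError:                        # a domain name, not an address
        is_ip = False
    return host, port, tpgt, is_ip


def parse_sendtargets(data: bytes) -> Dict[str, List[Portal]]:
    """Return {TargetName: [portal, ...]}; each TargetAddress belongs to the
    most recent TargetName, as in an RFC 3720 SendTargets response."""
    targets: Dict[str, List[Portal]] = {}
    current: Optional[str] = None
    for pair in data.split(b"\x00"):
        if not pair:
            continue
        key, _, value = pair.decode("utf-8").partition("=")
        if key == "TargetName":
            current = value
            targets.setdefault(current, [])
        elif key == "TargetAddress":
            if current is None:
                raise ValueError("TargetAddress before any TargetName")
            host, port, tpgt, is_ip = parse_target_address(value)
            targets[current].append(
                {"host": host, "port": port, "tpgt": tpgt, "ip_literal": is_ip})
        else:
            raise ValueError(f"unexpected key in SendTargets response: {key}")
    return targets


def nat_unsafe_portals(targets: Dict[str, List[Portal]]) -> List[Tuple[str, str, int]]:
    """Portals advertised as IP literals.  A port redirector between initiator
    and target does not rewrite addresses inside the iSCSI text payload, so
    these may be unreachable (e.g. private) from the initiator's side."""
    return [(name, str(p["host"]), int(p["port"]))
            for name, portals in targets.items()
            for p in portals if p["ip_literal"]]


# Constructed sample: the first target answers with a domain name (fine
# through NAT); the second leaks addresses only valid on its own side.
SAMPLE_RESPONSE = (
    b"TargetName=iqn.2001-04.com.example:diskarray.sn.8675309\x00"
    b"TargetAddress=diskarray.example.com:3260,1\x00"
    b"TargetName=iqn.2001-04.com.example:diskarray.sn.8675309.oracle-db-1\x00"
    b"TargetAddress=10.0.0.5:3260,1\x00"
    b"TargetAddress=[2001:db8::1]:3261,2\x00"
)

if __name__ == "__main__":
    found = parse_sendtargets(SAMPLE_RESPONSE)
    for name, portals in found.items():
        print(name, portals)
    for name, host, port in nat_unsafe_portals(found):
        print(f"WARNING: {name} advertises IP literal {host}:{port}")
```

An initiator that runs this check on what it gets back from a discovery session can tell a target administrator which portals will break behind a port redirector before any login is attempted.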
B.2. SOCKS Server

A SOCKS server can be used to map TCP connections from one network domain to another. It is aware of the state of each TCP connection.

The SOCKS server provides authenticated firewall traversal for applications that are not firewall-aware. Conceptually, SOCKS is a "shim-layer" that exists between the application (i.e., iSCSI) and TCP.

To use SOCKS, the iSCSI initiator must be modified to use the encapsulation routines in the SOCKS library. The initiator then opens a TCP connection to the SOCKS server, typically on the canonical SOCKS port 1080. A sub-negotiation then occurs, during which the initiator is either authenticated or denied the connection request. If authenticated, the SOCKS server opens a TCP connection to the iSCSI target using the addressing information sent to it by the initiator in the SOCKS shim. The SOCKS server then forwards iSCSI commands, data, and responses between the iSCSI initiator and target.

Use of the SOCKS server requires special modifications to the iSCSI initiator. No modifications are required to the iSCSI target.

As a SOCKS server can map most of the addresses and information contained within the IP and TCP headers, including sequence numbers, its effects on iSCSI are identical to those of the port redirector.
B.3. SCSI Gateway

This gateway presents logical targets (iSCSI Names) to the initiators, and maps them to SCSI targets as it chooses. The initiator sees this gateway as a real iSCSI target, and is unaware of any proxy or gateway behavior. The gateway may manufacture its own iSCSI Names, or map the iSCSI names using information provided by the physical SCSI devices. It is the responsibility of the gateway to ensure the uniqueness of any iSCSI name it manufactures. The gateway may have to account for multiple gateways having access to a single physical device. This type of gateway is used to present parallel SCSI, Fibre Channel, SSA, or other devices as iSCSI devices.

Effects on iSCSI:

- Since the initiator is unaware of any addresses beyond the gateway, the gateway's own address is for all practical purposes the real address of a target. Only the iSCSI Name needs to be passed. This is already done in iSCSI, so there are no further requirements to support SCSI gateways.
B.4. iSCSI Proxy

An iSCSI proxy is a gateway that terminates the iSCSI protocol on both sides, rather than translating between iSCSI and some other transport. The proxy functionality is aware that both sides are iSCSI, and can take advantage of optimizations, such as the preservation of data integrity checks. Since an iSCSI initiator's discovery or configuration of a set of targets makes use of address-independent iSCSI names, iSCSI does not have the same proxy addressing problems as HTTP, which embeds address information in its URLs. If a proxy is to provide services to an initiator on behalf of a target, the proxy lets the initiator discover the proxy's own address for the target, and the actual target device is discovered only by the proxy. Neither the initiator nor the iSCSI protocol needs to be aware of the existence of the proxy. Note that a SCSI gateway may also provide iSCSI proxy functionality when mapping targets between two iSCSI interfaces.

Effects on iSCSI:

- Same as a SCSI gateway. The only other effect is that iSCSI must separate data integrity checking on iSCSI headers from that on iSCSI data, to allow the data integrity check on the data to be propagated end-to-end through the proxy.
B.5. Stateful Inspection Firewall

The stealth model would exist as an iSCSI-aware firewall that is invisible to the initiator, but provides capabilities found in the iSCSI proxy.

Effects on iSCSI:

- Since this is invisible, there are no additional requirements on the iSCSI protocol for this one.

This one is more difficult in some ways to implement, simply because it has to be part of a standard firewall product, rather than part of an iSCSI-type product.

Also note that this type of firewall is only effective in the outbound direction (allowing an initiator behind the firewall to connect to an outside target), unless the iSCSI target is located in a DMZ (De-Militarized Zone) [RFC3303]. It does not provide adequate security otherwise.
Appendix C: iSCSI Names and Security Identifiers

This document has described the creation and use of iSCSI Node Names. There will be trusted environments where this is a sufficient form of identification. In these environments the iSCSI Target may have an Access Control List (ACL), which contains a list of authorized entities that are permitted to access a restricted resource (in this case a Target Storage Controller). The iSCSI Target then uses that ACL to permit (or not) certain iSCSI Initiators to access the storage at the iSCSI Target Node. This form of ACL is used to prevent trusted initiators from making a mistake and connecting to the wrong storage controller.

It is also possible that the ACL and the iSCSI Initiator Node Name can be used in conjunction with the SCSI layer for the appropriate SCSI association of LUNs with the Initiator. The SCSI layer's use of the ACL will not be discussed further in this document.

There will be situations where the iSCSI Nodes exist in untrusted environments. That is, some iSCSI Initiator Nodes may be authorized to access an iSCSI Target Node; however, because of the untrusted environment, nodes on the network cannot be trusted to give the correct iSCSI Initiator Node Names.

In untrusted environments an additional type of identification is required to assure the target that it really knows the identity of the requesting entity.

The authentication and authorization in the iSCSI layer is independent of anything that IPsec might handle, underneath or around the TCP layer. This means that the initiator node needs to pass some type of security related identification information (e.g., userid) to a security authentication process such as SRP, CHAP, Kerberos, etc. (These authentication processes will not be discussed in this document.)

Upon the completion of the iSCSI security authentication, the installation knows "who" sent the request for access. The installation must then check to ensure that such a request, from the identified entity, is permitted/authorized. This form of Authorization is generally accomplished via an Access Control List (ACL) as described above. Using this authorization process, the iSCSI target will know that the entity is authorized to access the iSCSI Target Node.

It may be possible for an installation to set a rule that the security identification information (e.g., UserID) be equal to the iSCSI Initiator Node Name. In that case, the ACL approach described above should be all the authorization that is needed.

If, however, the iSCSI Initiator Node Name is not used as the security identifier, there is a need for more elaborate ACL functionality. This means that the target requires a mechanism to map the security identifier (e.g., UserID) information to the iSCSI Initiator Node Name. That is, the target must be sure that the entity requesting access is authorized to use the name which was specified with the Login Keyword "InitiatorName=". For example, if security identifier 'Frank' is authorized to access the target via iSCSI InitiatorName=xxxx, but 'Frank' tries to access the target via iSCSI InitiatorName=yyyy, then this login should be rejected.

On the other hand, it is possible that 'Frank' is a roaming user (or a Storage Administrator) that "owns" several different systems, and thus could be authorized to access the target via multiple different iSCSI initiators. In this case, the ACL needs to hold the names of all the initiators through which 'Frank' can access the target.
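The two cases above (an identity bound to one initiator name, and a roaming identity bound to several) are the same check with a different ACL entry. As an added example (not part of RFC 3721 and not any target implementation's code), the following Python performs the target-side authorization step after authentication has established the security identifier: it reads InitiatorName= and TargetName= from the Login request text, looks the identity up in a per-target ACL, and rejects a login whose InitiatorName the identity is not entitled to use. The target names, identities and policy table are constructed for illustration; CHAP, SRP or Kerberos are assumed to have already run and are not modelled.

```python
"""Added example (not part of RFC 3721): the target-side authorization
step Appendix C describes.  Authentication (CHAP, SRP, Kerberos, ...)
is assumed to have already established the security identifier; this
code only answers whether that identity may use the InitiatorName= it
sent in the Login request.  Target names, identities and the policy
table are constructed for illustration."""
from typing import Dict, Set, Tuple

# ACL: target node name -> security identifier -> initiator node names
# that identity is authorized to present.
Acl = Dict[str, Dict[str, Set[str]]]


def parse_login_keys(text: bytes) -> Dict[str, str]:
    """Extract key=value pairs from a Login request text segment
    (RFC 3720: NUL-separated 'key=value' strings)."""
    keys: Dict[str, str] = {}
    for pair in text.split(b"\x00"):
        if pair:
            key, _, value = pair.decode("utf-8").partition("=")
            keys[key] = value
    return keys


def authorize_login(acl: Acl, target_name: str, security_id: str,
                    initiator_name: str) -> Tuple[bool, str]:
    """Return (allowed, reason).  Rejects when the authenticated identity
    is not authorized to use the presented InitiatorName, even if that
    name is acceptable for some other identity."""
    per_target = acl.get(target_name)
    if per_target is None:
        return False, f"no ACL for target {target_name}"
    names = per_target.get(security_id)
    if names is None:
        return False, f"identity {security_id!r} not authorized for this target"
    if initiator_name not in names:
        return False, (f"identity {security_id!r} may not use "
                       f"InitiatorName={initiator_name}")
    return True, "authorized"


def identity_equals_name_acl(initiator_names: Set[str]) -> Dict[str, Set[str]]:
    """The simpler installation rule: the security identifier must equal
    the initiator node name, so each identity maps to exactly one name."""
    return {name: {name} for name in initiator_names}


def decide(acl: Acl, security_id: str, login_text: bytes) -> Tuple[bool, str]:
    """Pull InitiatorName/TargetName out of the login keys, then apply the ACL."""
    keys = parse_login_keys(login_text)
    return authorize_login(acl, keys["TargetName"], security_id,
                           keys["InitiatorName"])


# Constructed policy for one target.  'frank' is a roaming administrator
# who owns two hosts; 'dbsvc' may only come from one OS image.
TARGET = "iqn.2001-04.com.example:diskarray.sn.8675309"
HOST_FOUR = "iqn.2001-04.com.example.os:dns.com.customer1.host-four"
HOST_FIVE = "iqn.2001-04.com.example.os:dns.com.customer1.host-five"
DB_IMAGE = "iqn.2001-04.com.example.os:newos5.12345-oem-0067890-23456"
ACL: Acl = {
    TARGET: {
        "frank": {HOST_FOUR, HOST_FIVE},
        "dbsvc": {DB_IMAGE},
    }
}

if __name__ == "__main__":
    # Constructed Login text segments, as an initiator would send them.
    good = f"InitiatorName={HOST_FOUR}\x00TargetName={TARGET}\x00".encode()
    bad = f"InitiatorName={DB_IMAGE}\x00TargetName={TARGET}\x00".encode()
    print(decide(ACL, "frank", good))   # authorized: one of Frank's hosts
    print(decide(ACL, "frank", bad))    # rejected: Frank may not use that name
```

The point of keeping the identity-to-name map on the target is that a name-only ACL would have accepted the second login: the DB image's name is on the list, and only the binding to the authenticated identity reveals that 'frank' is not entitled to it.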
There may be other, more elaborate ACL approaches, which can also be deployed to provide the installation/user with even more security and flexibility.

The above discussion is intended to inform the reader that, not only is there a need for access control dealing with iSCSI Initiator Node Names, but in certain iSCSI environments there might also be a need for other, complementary security identifiers.
Authors' Addresses

Kaladhar Voruganti IBM Almaden Research Center 650 Harry Road San Jose, CA 95120

EMail: kaladhar@us.ibm.com

Mark Bakke Cisco Systems, Inc. 6450 Wedgwood Road Maple Grove, MN 55311

Phone: +1 763 398-1054 EMail: mbakke@cisco.com

Jim Hafner IBM Almaden Research Center 650 Harry Road San Jose, CA 95120

Phone: +1 408 927-1892 EMail: hafner@almaden.ibm.com

John L. Hufferd IBM Storage Systems Group 5600 Cottle Road San Jose, CA 95193

Phone: +1 408 256-0403 EMail: hufferd@us.ibm.com

Marjorie Krueger Hewlett-Packard Corporation 8000 Foothills Blvd Roseville, CA 95747-5668, USA

Phone: +1 916 785-2656 EMail: marjorie_krueger@hp.com
Full Copyright Statement

Copyright (C) The Internet Society (2004). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.

This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.

Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.

The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.

Acknowledgement

Funding for the RFC Editor function is currently provided by the Internet Society.