Network Working Group                                           M. Bakke
Request for Comments: 4018                                         Cisco
Category: Standards Track                                     J. Hufferd
                                                            K. Voruganti
                                                                     IBM
                                                              M. Krueger
                                                                      HP
                                                               T. Sperry
                                                                 Adaptec
                                                              April 2005
Finding Internet Small Computer Systems Interface (iSCSI) Targets and Name Servers by Using Service Location Protocol version 2 (SLPv2)
Status of This Memo
This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2005).
Abstract
The iSCSI protocol provides a way for hosts to access SCSI devices over an IP network. This document defines the use of the Service Location Protocol (SLP) by iSCSI hosts, devices, and management services, along with the SLP service type templates that describe the services they provide.
Table of Contents
   1.  Introduction
   2.  Notation Conventions
   3.  Terminology
   4.  Using SLP for iSCSI Service Discovery
   5.  iSCSI SLP Templates
   6.  Security Considerations
   7.  IANA Considerations
   8.  Summary
   9.  Normative References
   10. Informative References
   11. Acknowledgements
1.  Introduction

iSCSI [RFC3720] is a protocol used to transport SCSI [SAM2] commands, data, and status across an IP network. This protocol is connection-oriented and is currently defined over TCP. iSCSI uses a client-server relationship. The client end of the connection is an initiator, and it sends SCSI commands; the server end of the connection is called a target, and it receives and executes the commands.
There are several methods an iSCSI initiator can use to find the targets to which it should connect. Two of these methods can be accomplished without the use of SLP:
- Each target and its address can be statically configured on the initiator.

- Each address providing targets can be configured on the initiator; iSCSI provides a mechanism by which the initiator can query the address for a list of targets.
The above methods are further defined in "iSCSI Naming and Discovery Requirements" [RFC3721].
Each of the above methods requires a small amount of configuration to be done on each initiator. The ability to discover targets and name services without having to configure initiators is a desirable feature. The Service Location Protocol (SLP) [RFC2608] is an IETF standards track protocol providing several features that will simplify locating iSCSI services. This document describes how SLP can be used in iSCSI environments to discover targets, addresses providing targets, and storage management servers.
2.  Notation Conventions

In this document, the key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" are to be interpreted as described in [RFC2119].
3.  Terminology

Here are some definitions that may aid readers who are unfamiliar with SLP, SCSI, or iSCSI. Some of these definitions have been reproduced from [RFC2608] and "Finding an RSIP Server with SLP" [RFC3105].
User Agent (UA)
   A process working on the client's behalf to establish contact with some service. The UA retrieves service information from the Service Agents or Directory Agents.

Service Agent (SA)
   A process working on behalf of one or more services to advertise the services and their capabilities.

Directory Agent (DA)
   A process that collects service advertisements. There can only be one DA present per given host.

Scope
   A named set of services, typically making up a logical administrative group.

Service Advertisement
   A URL, attributes, and a lifetime (indicating how long the advertisement is valid) providing service access information and capabilities description for a particular service.

Initiator
   A logical entity, typically within a host, that sends SCSI commands to targets to be executed. An initiator is usually present in the form of a device driver.

Target
   A logical entity, typically within a storage controller or gateway, that receives SCSI commands from an initiator and executes them. A target includes one or more Logical Units (LUs); each LU is a SCSI device, such as a disk or tape drive.

iSCSI Name
   A UTF-8 character string that serves as a unique identifier for iSCSI initiators and targets. Its format and usage is further defined in [RFC3721].

iSCSI Client
   A logical entity, typically a host, that includes at least one iSCSI Initiator.

iSCSI Server
   A logical entity, typically a storage controller or gateway, that includes at least one iSCSI Target.

Storage Management Server
   An addressable entity that provides management services that benefit an iSCSI environment. "Storage management server" is used as a generic term and does not indicate a specific protocol or service.
4.  Using SLP for iSCSI Service Discovery

Two entities are involved in iSCSI discovery. The end result is that an iSCSI initiator (e.g., a host) discovers iSCSI targets, usually provided by storage controllers or gateways.
iSCSI targets are registered with SLP as a set of service URLs, one for each address on which the target may be accessed. Initiators discover these targets by using SLP service requests. Targets that do not directly support SLP or that are under the control of a management service may be registered by a proxy service agent as part of the software providing this service.
iSCSI entities may also use SLP to discover higher-level management services when these are needed.
This section first describes the use of SLP for discovery of targets by iSCSI initiators, it then describes the use of SLP to discover storage management servers.
This document assumes that SLPv2 will be used for discovering iSCSI-related services; no attempt is made to include support for SLPv1.
The following diagram shows the relationship among iSCSI clients, servers, initiators, and targets. An iSCSI client includes at least one iSCSI initiator and an SLP user agent (UA). An iSCSI server includes at least one iSCSI target and an SLP service agent (SA). Some entities, such as extended copy engines, include both initiators and targets. These include both an SA, for its targets to be discovered, and a UA, for its initiator(s) to discover other targets.
             +---------------------------------+
             |          iSCSI Client           |
             |      +-----------+              |
             |      |   iSCSI   |              |
             |      | initiator |              |
             |      |  "myhost" |              |
             |      +-----------+              |
             |                                 |
             +--------------------------+------+
             |       iSCSI Driver       |  UA  |
             +--------------------------+------+
             |           TCP/UDP/IP            |
             +----------------+----------------+
             |  Interface 1   |  Interface 2   |
             +----------------+----------------+
                     |                |
   +------------+    |                |    +------------+
   |   SLP DA   |    |                |    |   SLP DA   |
   | (optional) |----+  IP Networks   +----| (optional) |
   +------------+    |                |    +------------+
                     |                |
            +-----------------+-----------------+
            |   Interface 1   |   Interface 2   |
            |   192.0.2.131   |    192.0.2.3    |
            +-----------------+-----------------+
            |            TCP/UDP/IP             |
            +---------------------------+-------+
            |       iSCSI Driver        |  SA   |
            +---------------------------+-------+
            |                                   |
            | +--------+ +--------+ +---------+ |
            | | iSCSI  | | iSCSI  | |  iSCSI  | |
            | | target | | target | | target  | |
            | | "one"  | | "two"  | | "three" | |
            | +--------+ +--------+ +---------+ |
            |           iSCSI Server            |
            +-----------------------------------+
In the above drawing, the iSCSI server has three iSCSI targets that the client could discover, named "one", "two" and "three". The iSCSI client has an iSCSI initiator with the name "myhost". The iSCSI client may use the initiator name in its SLP Service Requests as a filter to discover only targets that are configured to accept iSCSI connections from "myhost".
Each iSCSI target and initiator has a unique name, called an iSCSI Name. This identifier is the same regardless of the network path (through adapter cards, networks, and interfaces on the storage device) over which the target is discovered and accessed. For this example, the iSCSI names "one", "two", and "three" are used for the targets; the initiator uses the name "myhost". An actual iSCSI name would incorporate more structure, including a naming authority, and is not described here.
Each of the iSCSI targets in the drawing can appear at two addresses, since two network interfaces are present. Each target would have two service URLs, unless a single service URL included a DNS host name mapping to both addresses.
An iSCSI target URL consists of its fully qualified host name or IP address, the TCP port on which it is listening, and its iSCSI name. An iSCSI server must register each of its individual targets at each of its network addresses.
The iSCSI server constructs a service advertisement of the type "service:iscsi:target" for each of the service URLs it wishes to register. The advertisement contains a lifetime, along with other attributes that are defined in the service template.
If the server in the above drawing is listening at TCP port 3260 for both network addresses, the service URLs registered would be

- 192.0.2.131:3260/one
- 192.0.2.131:3260/two
- 192.0.2.131:3260/three
- 192.0.2.3:3260/one
- 192.0.2.3:3260/two
- 192.0.2.3:3260/three
The remainder of the discovery procedure is identical to that used by any client/server pair implementing SLP:
1. If an SLP DA is found, the SA contacts the DA and registers the service advertisement. Whether or not one or more SLPv2 DAs are discovered, the SA maintains the advertisement itself and answers multicast UA queries directly.
2. When the iSCSI initiator requires contact information for an iSCSI target, the UA either contacts the DA by using unicast or the SA by using multicast. If a UA is configured with the address of the SA, it may avoid multicast and may contact an SA by using unicast. The UA includes a query based on the attributes to indicate the characteristics of the target(s) it requires.
3. Once the UA has the host name or address of the iSCSI server, as well as the port number and iSCSI Target Name, it can begin the normal iSCSI login to the target.
As information contained in the iSCSI target template may exceed common network datagram sizes, the SLP implementation for both UAs and SAs supporting this template MUST implement SLP over TCP.
To be allowed access to an iSCSI target, an initiator must be authenticated. The initiator may be required by the target to produce one or more of the following credentials:

- An iSCSI Initiator Name
- An IP address
- A CHAP, SRP, or Kerberos credential
- Any combination of the above
Most iSCSI targets allow access to only one or two initiators. In the ideal discovery scenario, an initiator would send an SLP request and receive responses ONLY for targets to which the initiator is guaranteed a successful login. To achieve this goal, the iSCSI target template contains the following attributes, each of which allows a list of values:
1. auth-name: This attribute contains the list of initiator names allowed to access this target, or the value "any", indicating that no specific initiator name is required.

2. auth-addr: This attribute contains the list of host names and/or IP addresses that will be allowed access to this target, or the value "any", indicating that no specific address or host name is required. If a large number of addresses is to be allowed (perhaps a subnet), this attribute may contain the value "any".

3. auth-cred: This attribute contains a list of "method/identifier" credentials that will be allowed access to the target, provided they can produce the correct password or other verifier during the login process. If no specific credentials are required, the value "any" is used.
The list of valid method strings for auth-cred are defined in [RFC3720], section 11.1, "AuthMethod". The identifier used after the "/" is defined by the specific AuthMethod, also in [RFC3720]. Examples showing initiator searches based on auth-xxxx attributes are shown in the target-specific template section below.
Also note that the auth-xxxx attributes are considered security policy information. Distributing them tells anyone who can query the SA or DA which initiator names, addresses, and credential identifiers (CHAP user names, for instance) each target will accept. If these attributes are distributed, IPsec MUST be implemented as specified in the Security Implementation section below.
If a target is to allow access to multiple host identities, more than one combination of auth-xxxx attributes will have to be allowed. In some of these cases, it is not possible to express the entire set of valid combinations of auth-xxxx attributes within a single registered service URL. For example, if a target can be addressed by
   auth-name=myhost1 AND auth-cred=CHAP/user1   (identity1)

   OR

   auth-name=myhost2 AND auth-cred=CHAP/user2   (identity2)
the above cannot be specified in a single registered service URL, since (auth-name=myhost1, auth-name=myhost2, auth-cred=CHAP/user1, auth-cred=CHAP/user2) would allow either auth-name to be used with either auth-cred. This necessitates the ability to register a target and address under more than one service URL; one for (identity1) and one for (identity2).
Because service URLs must be unique, (identity1) and (identity2) must each be registered under a unique service URL. For systems that support the configuration of multiple identities to access a target, the service URL must contain an additional, opaque string defining the identity. This appears after the iSCSI name in the URL string and is separated by a "/". Each registered (target-address, target-name, initiator-identity) tuple can then register a set of auth-xxxx attributes.
In some networks, the use of multicast for discovery purposes is either unavailable or not allowed. These include public or service-provider networks that are placed between an iSCSI client and a server. These are probably most common between two iSCSI gateways, one at a storage service provider site, and one at a customer site.
In these networks, an initiator may allow the addresses of one or more SAs to be configured instead of or in addition to its DA configuration. The initiator would then make unicast SLP service requests directly to these SAs, without the use of multicast to discover them first.
This functionality is well within the scope of the current SLP protocol. The main consequence for implementors is that an initiator configured to make direct unicast requests to an SA will have to add this to the SLP API, if it is following the service location API defined in [RFC2614].
Storage management servers can be built to manage and control access to targets in a variety of ways. They can provide extended services beyond discovery, which could include storage allocation and management. None of these services are defined here; the intent of this document is to allow these services to be discovered by both clients and servers, in addition to the target discovery already being performed.
The following drawing shows an iSCSI client, an iSCSI server, and a storage management server. To simplify the drawing, the second IP network is not shown but is assumed to exist. The storage management server would use its own protocol (smsp) to provide capabilities to iSCSI clients and servers; these clients and servers can both use SLP to discover the storage management server.
   +---------------------------+
   |        iSCSI Client       |
   |                           |
   |      +-----------+        |
   |      |   iSCSI   |        |
   |      | initiator |        |
   |      +-----------+        |
   |                           |
   +---------------+------+----+          +------------+
   | iSCSI Driver  | smsp | UA |          |   SLP DA   |
   +---------------+------+----+          |            |
   |        TCP/UDP/IP         |          | (optional) |
   +---------------+------+----+          +------------+
                 |                              |
                 |          IP Network          |
       ------------------------------------------
                 |                        |
   +---------------+-----------+   +---------------------+
   |        TCP/UDP/IP         |   |     TCP/UDP/IP      |
   +---------------+------+----+   +---------------------+
   | iSCSI Driver  | smsp | UA |   |     SA   |   smsp   |
   +---------------+------+----+   +---------------------+
   |                           |   |                     |
   | +--------+   +--------+   |   | storage mgmt server |
   | | iSCSI  |   | iSCSI  |   |   |                     |
   | | target |   | target |   |   +---------------------+
   | |   1    |   |   2    |   |
   | +--------+   +--------+   |
   |                           |
   |        iSCSI Server       |
   +---------------------------+
Note the difference between the storage management server model and the previously defined target discovery model. When target discovery was used, the iSCSI Server implemented an SA, to be discovered by the initiator's UA. In the storage management server model, the iSCSI clients and servers both implement UAs, and the management server implements the SA.
A storage management server's URL contains the domain name or IP address and TCP or UDP port number. No other information is required.
The storage management server constructs a service advertisement of the type "service:iscsi:sms" for each of the addresses at which it appears. The advertisement contains the URL and a lifetime, along with other attributes that are defined in the service template.
The remainder of the discovery procedure is identical to that used to discover iSCSI targets, except that both initiators and targets would normally be "clients" of the storage management service.
Targets that support a storage management service implement a UA in addition to the SA. Alternatively, a target may implement only the UA and let the storage management service advertise its targets by providing an SA and making the appropriate service:iscsi:target registrations on the target's behalf; the target device then does not have to advertise its own targets. This has no impact on the initiator.
This allows the initiators' discovery of targets to be completely interoperable regardless of which storage management service is used, or whether one is used at all, or whether the target registrations are provided directly by the target or by the management service.
SLP allows internationalized strings to be registered and retrieved. Attributes in the template that are not marked with an 'L' (literal) will be registered in a localized manner. An "en" (English) localization MUST be registered, and others MAY be registered.
Attributes that include non-ASCII characters will be encoded by using UTF-8, as discussed in [RFC3722] and [RFC3491].
5.  iSCSI SLP Templates

Three templates are provided: an iSCSI target template, a management service template, and an abstract template to encapsulate the two.
This template defines the abstract service "service:iscsi". It is used as a top-level service to encapsulate all other iSCSI-related services.
Name of submitter: Mark Bakke
Language of service template: en
Security Considerations: See section 6.
Template Text:
-------------------------template begins here-----------------------
template-type=iscsi

template-version=1.0
template-description=
    This is an abstract service type.  The purpose of the iscsi
    service type is to encompass all of the services used to support
    the iSCSI protocol.

template-url-syntax=
    url-path= ; Depends on the concrete service type.

--------------------------template ends here------------------------
This template defines the service "service:iscsi:target". An entity containing iSCSI targets that wishes them discovered via SLP would register each of them, with each of their addresses, as this service type.
Initiators (and perhaps management services) wishing to discover targets in this way will generally use one of the following queries:
1. Find a specific target, given its iSCSI Target Name:

      Service:  service:iscsi:target
      Scope:    initiator-scope-list
      Query:    (iscsi-name=iqn.2001-04.com.example:sn.456)

2. Find all of the iSCSI Target Names that may allow access to a given initiator:

      Service:  service:iscsi:target
      Scope:    initiator-scope-list
      Query:    (auth-name=iqn.1998-03.com.example:hostid.045A7B)

3. Find all of the iSCSI Target Names that may allow access to any initiator:

      Service:  service:iscsi:target
      Scope:    initiator-scope-list
      Query:    (auth-name=any)

4. Find all of the iSCSI Target Names that may allow access to this initiator, or that will allow access to any initiator (the two terms are alternatives, so the filter is an OR, not an AND):

      Service:  service:iscsi:target
      Scope:    initiator-scope-list
      Query:    (|(auth-name=iqn.1998-03.com.example:hostid.045A7B)
                  (auth-name=any))

5. Find all of the iSCSI Target Names that may allow access to a given CHAP user name:

      Service:  service:iscsi:target
      Scope:    initiator-scope-list
      Query:    (auth-cred=chap/my-user-name)

6. Find all of the iSCSI Target Names that may allow access to a given initiator that supports two IP addresses, a CHAP credential and SRP credential, and an initiator name. Each OR group is parenthesized and the whole AND is enclosed in its own parentheses, as the SLPv2 predicate syntax requires:

      Service:  service:iscsi:target
      Scope:    initiator-scope-list
      Query:    (&(|(auth-name=iqn.com.example:host47)(auth-name=any))
                  (|(auth-addr=192.0.2.3)(auth-addr=192.0.2.131)
                    (auth-addr=any))
                  (|(auth-cred=chap/foo)(auth-cred=srp/my-user-name)
                    (auth-cred=any)))

7. Find the iSCSI Target Names from which the given initiator is allowed to boot:

      Service:  service:iscsi:target
      Scope:    initiator-scope-list
      Query:    (boot-list=iqn.1998-03.com.example:hostid.045A7B)

8. In addition, a management service may wish to discover all targets:

      Service:  service:iscsi:target
      Scope:    management-server-scope-list
      Query:    <empty-string>
More details on booting from an iSCSI target are defined in [BOOT].
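The following is an added example, not code from RFC 4018 or from any iSCSI implementation. It serves two passages at once: the registration rules of section 4 (one service URL per target and address, a separate URL per initiator identity so that auth-name and auth-cred values from different identities cannot be cross-matched) and the query list above, which it evaluates against those registrations. SLPv2 predicates use the LDAPv3 string filter syntax that [RFC2608] adopts; only the operators the queries need are implemented ("=", "&", "|", "!"), and the empty query of item 8 matches everything. The registrations are constructed from the page's own names; the identity strings "identity1" and "identity2" and the credential lists are assumptions for illustration.

```python
# Added example (not from RFC 4018): SLP registrations for the Section 4
# server and an evaluator for the Section 5 service-request queries.
# SLP string matching is case-insensitive, so values are lowercased.
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Advertisement:
    """One service URL plus its attribute list (attributes are multi-valued)."""
    url: str
    attrs: dict[str, set[str]] = field(default_factory=dict)
    lifetime: int = 65535  # seconds; SLP's maximum advertisement lifetime


def target_url(host: str, port: int, iscsi_name: str, identity: str | None = None) -> str:
    """service:iscsi:target URL per the template url-path (IPv4/hostname form)."""
    url = f"service:iscsi:target://{host}:{port}/{iscsi_name}"
    return url if identity is None else f"{url}/{identity}"


def advertise(host, port, iscsi_name, *, auth_name=("any",), auth_addr=("any",),
              auth_cred=("any",), boot_list=(), identity=None) -> Advertisement:
    """Register one (target-address, target-name, initiator-identity) tuple."""
    lower = lambda vals: {v.lower() for v in vals}
    attrs = {"iscsi-name": {iscsi_name.lower()}, "auth-name": lower(auth_name),
             "auth-addr": lower(auth_addr), "auth-cred": lower(auth_cred)}
    if boot_list:
        attrs["boot-list"] = lower(boot_list)
    return Advertisement(target_url(host, port, iscsi_name, identity), attrs)


def parse_filter(text: str):
    """Parse a filter into ('=', attr, value) and (op, [children]) nodes.
    The empty string is the match-everything query (item 8 above)."""
    if not text.strip():
        return ("&", [])
    pos = 0

    def peek():
        return text[pos] if pos < len(text) else ""

    def skip():
        nonlocal pos
        while peek().isspace():
            pos += 1

    def node():
        nonlocal pos
        skip()
        if peek() != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        skip()
        op = peek()
        if op in ("&", "|", "!"):
            pos += 1
            kids = []
            skip()
            while peek() == "(":
                kids.append(node())
                skip()
            if peek() != ")":
                raise ValueError(f"expected ')' at offset {pos}")
            pos += 1
            if op == "!" and len(kids) != 1:
                raise ValueError("'!' takes exactly one operand")
            return (op, kids)
        end = text.find(")", pos)
        attr, eq, value = text[pos:end].partition("=")
        if end < 0 or not eq or not attr.strip():
            raise ValueError(f"malformed comparison at offset {pos}")
        pos = end + 1
        return ("=", attr.strip().lower(), value.strip().lower())

    tree = node()
    skip()
    if pos != len(text):
        raise ValueError(f"trailing data at offset {pos}")
    return tree


def matches(tree, adv: Advertisement) -> bool:
    """Evaluate a parsed filter against one advertisement."""
    op = tree[0]
    if op == "=":
        return tree[2] in adv.attrs.get(tree[1], set())
    kids = tree[1]
    if op == "&":
        return all(matches(k, adv) for k in kids)
    if op == "|":
        return any(matches(k, adv) for k in kids)
    return not matches(kids[0], adv)


def query(ads: list[Advertisement], filter_text: str) -> list[str]:
    """Service URLs matching a service request predicate, sorted."""
    tree = parse_filter(filter_text)
    return sorted(adv.url for adv in ads if matches(tree, adv))


# Constructed registrations: the figure's server with two addresses.
# sn.456 is open to any initiator name/address but needs one of two credentials;
# sn.45678 has two identities, each under its own URL ("identity1"/"identity2"
# are hypothetical opaque identity strings, as Section 4 allows).
SERVER_ADDRS = ("192.0.2.131", "192.0.2.3")
INITIATOR = "iqn.1998-03.com.example:hostid.045A7B"


def build_registrations() -> list[Advertisement]:
    ads = []
    for host in SERVER_ADDRS:
        ads.append(advertise(host, 3260, "iqn.2001-04.com.example:sn.456",
                             auth_cred=("CHAP/my-user-name", "SRP/my-user-name"),
                             boot_list=(INITIATOR,)))
        ads.append(advertise(host, 3260, "iqn.2001-04.com.example:sn.45678",
                             auth_name=("myhost1",), auth_cred=("CHAP/user1",),
                             identity="identity1"))
        ads.append(advertise(host, 3260, "iqn.2001-04.com.example:sn.45678",
                             auth_name=("myhost2",), auth_cred=("CHAP/user2",),
                             identity="identity2"))
    return ads


def merged_overmatches() -> bool:
    """Why per-identity URLs are needed: one URL carrying both names and both
    credentials answers a query that pairs myhost1 with user2's credential."""
    merged = advertise("192.0.2.3", 3260, "iqn.2001-04.com.example:sn.45678",
                       auth_name=("myhost1", "myhost2"),
                       auth_cred=("CHAP/user1", "CHAP/user2"))
    crossed = "(&(auth-name=myhost1)(auth-cred=chap/user2))"
    return bool(query([merged], crossed)) and not query(build_registrations(), crossed)
```

Running query 6 from the list against these registrations returns only the two sn.456 URLs: the initiator's SRP credential is on that target's auth-cred list, while neither identity of sn.45678 names it. The merged_overmatches check returns True, which is the cross-product problem section 4 describes: a single registration with both names and both credentials would lead an initiator to attempt logins it cannot complete.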
Name of submitter: Mark Bakke
Language of service template: en
Security Considerations: see section 6.
Template Text:
-------------------------template begins here-----------------------
template-type=iscsi:target

template-version=1.0
template-description=
    This is a concrete service type.  The iscsi:target service type is
    used to register individual target addresses to be discovered by
    others.  UAs will generally search for these by including one of
    the following:

    - the iSCSI target name
    - iSCSI initiator identifiers (iSCSI name, credential, IP address)
    - the service URL
template-url-syntax=
    url-path = hostport "/" iscsi-name [ "/" identity ]
    hostport = host [ ":" port ]
    host = hostname / hostnumber          ; DNS name or IP address
    hostname = *( domainlabel "." ) toplabel
    alphanum = ALPHA / DIGIT
    domainlabel = alphanum / alphanum *[alphanum / "-"] alphanum
    toplabel = ALPHA / ALPHA *[ alphanum / "-" ] alphanum
    hostnumber = ipv4-number / ipv6-addr  ; IPv4 or IPv6 address
    ipv4-number = 1*3DIGIT 3("." 1*3DIGIT)
    ipv6-addr = "[" ipv6-number "]"
    ipv6-number = 6( h16 ":" ) ls32
                  / "::" 5( h16 ":" ) ls32
                  / [ h16 ] "::" 4( h16 ":" ) ls32
                  / [ *1( h16 ":" ) h16 ] "::" 3( h16 ":" ) ls32
                  / [ *2( h16 ":" ) h16 ] "::" 2( h16 ":" ) ls32
                  / [ *3( h16 ":" ) h16 ] "::" h16 ":" ls32
                  / [ *4( h16 ":" ) h16 ] "::" ls32
                  / [ *5( h16 ":" ) h16 ] "::" h16
                  / [ *6( h16 ":" ) h16 ] "::"
    ls32 = ( h16 ":" h16 ) / ipv4-number
                  ; least-significant 32 bits of ipv6 address
    h16 = 1*4HEXDIG
    port = 1*DIGIT
    iscsi-name = iscsi-char               ; iSCSI target name
    identity = iscsi-char                 ; optional identity string
    iscsi-char = ALPHA / DIGIT / escaped / ":" / "-" / "."
                  ; Intended to allow UTF-8 encoded strings
    escaped = 1*("\" HEXDIG HEXDIG)
    ;
    ; The iscsi-name part of the URL is required and must be the iSCSI
    ; name of the target being registered.
    ; A device representing multiple targets must individually
    ; register each target/address combination with SLP.
    ; The identity part of the URL is optional, and is used to
    ; indicate an identity that is allowed to access this target.
    ;
    ; Example (split into two lines for clarity):
    ;   service:iscsi:target://192.0.2.3:3260/
    ;   iqn.2001-04.com.example:sn.45678
    ;
    ; IPv6 addresses are also supported; they use the notation
    ; specified above and in [RFC3513], section 2.2
iscsi-name = string
    # The iSCSI Name of this target.
    # This must match the iscsi-name in the url-path.
portal-group = integer
    # The iSCSI portal group tag for this address.  Addresses sharing
    # the same iscsi-name and portal-group tag can be used within the
    # same iSCSI session.  Portal groups are described in [RFC3720].
transports = string M L tcp
    # This is a list of transport protocols that the registered
    # entity supports.  iSCSI is currently supported over TCP,
    # but it is anticipated that it could be supported over other
    # transports, such as SCTP, in the future.
tcp
mgmt-entity = string O
    # The fully qualified domain name, or IP address in dotted-decimal
    # notation, of the management interface of the entity containing
    # this target.
    #
alias = string O
    # The alias string contains a descriptive name of the target.
auth-name = string M X
    # A list of iSCSI Initiator Names that can access this target.
    # Normal iSCSI names will be 80 characters or less; max length
    # is 255.
    # Normally, only one or a few values will be in the list.
    # Using the equivalence search on this will evaluate to "true"
    # if any one of the items in this list matches the query.
    # If this list contains the default name "any", any initiator
    # is allowed to access this target, provided it matches
    # the other auth-xxx attributes.
    #
    # This attribute contains security policy information.  If this
    # attribute is distributed via an Attribute Reply message,
    # IPsec MUST be implemented.
auth-addr = string M X
    # A list of initiator IP addresses (or host names) which will
    # be allowed access to this target.  If this list contains the
    # default name "any", any IP address is allowed access to this
    # target, provided it matches the other auth-xxx attributes.
    #
    # This attribute contains security policy information.  If this
    # attribute is distributed via an Attribute Reply message,
    # IPsec MUST be implemented.
auth-cred = string M X
    # A list of credentials which will be allowed access to the target
    # (provided they can provide the correct password or other
    # authenticator).  Entries in this list are of the form
    # "method/identifier", where the currently defined methods are
    # "chap" and "srp", both of which take usernames as their
    # identifiers.
    #
    # This attribute contains security policy information.  If this
    # attribute is distributed via an Attribute Reply message,
    # IPsec MUST be implemented.
boot-list = string M O
    # A list of iSCSI Initiator Names that can boot from this target.
    # This list works precisely like the auth-name attribute.  A name
    # appearing in this list must either appear in the access-list,
    # or the access-list must contain the initiator name "iscsi".
    # Otherwise, an initiator will be unable to find its boot
    # target.  If boot-list contains the name "iscsi", any host can boot
    # from it, but I am not sure if this is useful to anyone.  If this
    # attribute is not registered, this target is not "bootable".
    #
    # Note that the LUN the host boots from is not specified here; a
    # host will generally attempt to boot from LUN 0.
    #
    # It is quite possible that other attributes will need to be defined
    # here for booting as well.
    #
    # This attribute contains security policy information.  If this
    # attribute is distributed via an Attribute Reply message,
    # IPsec MUST be implemented.
--------------------------template ends here------------------------
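An added example, not part of the RFC or of any SLP implementation: a Python parser for the template-url-syntax above that validates the IPv4/IPv6 host literal, decodes the escaped form, and enforces the template's rule that the iscsi-name attribute must equal the iscsi-name in the url-path. It reads iscsi-name and identity as one or more iscsi-char (the grammar literally writes one, but the template's own example URL needs a string); the sample URLs and attribute records are constructed.

```python
import ipaddress
import re
from typing import Dict, List, NamedTuple, Optional

# template-url-syntax, reduced to a regex:
#   url-path = hostport "/" iscsi-name [ "/" identity ]
#   hostport = host [ ":" port ]
#   host     = hostname / ipv4-number / "[" ipv6-number "]"
# Assumption: iscsi-name and identity are one or more iscsi-char.
ISCSI_CHARS = r"(?:[A-Za-z0-9:.\-]|\\[0-9A-Fa-f]{2})+"
_URL_RE = re.compile(
    r"^service:iscsi:target://"
    r"(?P<host>\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9.\-]+)"
    r"(?::(?P<port>[0-9]+))?"
    r"/(?P<name>" + ISCSI_CHARS + r")"
    r"(?:/(?P<identity>" + ISCSI_CHARS + r"))?$"
)


class TargetURL(NamedTuple):
    host: str
    port: Optional[int]          # None when the URL carries no port
    iscsi_name: str
    identity: Optional[str]


def unescape(s: str) -> str:
    # escaped = 1*("\" HEXDIG HEXDIG): each escape is one byte of the
    # UTF-8 encoding of the original string, so decode after collecting.
    out = bytearray()
    i = 0
    while i < len(s):
        if s[i] == "\\":
            out.append(int(s[i + 1:i + 3], 16))
            i += 3
        else:
            out.extend(s[i].encode("utf-8"))
            i += 1
    return out.decode("utf-8")


def parse_target_url(url: str) -> TargetURL:
    """Parse a service:iscsi:target URL; raise ValueError if it does not
    conform to the template grammar (bad shape or bad IPv4/IPv6 literal)."""
    m = _URL_RE.match(url)
    if m is None:
        raise ValueError(f"malformed service:iscsi:target URL: {url!r}")
    host = m.group("host")
    if host.startswith("["):                      # ipv6-addr = "[" ipv6-number "]"
        host = str(ipaddress.IPv6Address(host[1:-1]))
    elif re.fullmatch(r"[0-9.]+", host):          # toplabel starts with ALPHA, so an
        host = str(ipaddress.IPv4Address(host))   # all-numeric host is an ipv4-number
    port = int(m.group("port")) if m.group("port") else None
    identity = m.group("identity")
    return TargetURL(host, port, unescape(m.group("name")),
                     unescape(identity) if identity else None)


def registration_consistent(url: str, attrs: Dict[str, List[str]]) -> bool:
    """Template rule: the iscsi-name attribute must match the iscsi-name
    in the url-path.  Compared exactly; iSCSI names are normalized per
    [RFC3722] before they are registered."""
    return attrs.get("iscsi-name") == [parse_target_url(url).iscsi_name]


if __name__ == "__main__":
    # The template's own example URL, joined onto one line.
    print(parse_target_url(
        "service:iscsi:target://192.0.2.3:3260/iqn.2001-04.com.example:sn.45678"))
```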
This template defines the service "service:iscsi:sms". An entity supporting one or more iSCSI management service protocols may register itself with SLP as this service type. iSCSI clients and servers wishing to discover storage management services using SLP will usually search for them by the protocol(s) they support:
Service: service:iscsi:sms
Scope: initiator-scope-list
Query: (protocols=isns)
Name of submitter: Mark Bakke
Language of service template: en
Security Considerations: see section 6.
Template Text:
-------------------------template begins here-----------------------
template-type=iscsi:sms
template-version=1.0
template-description=
    This is a concrete service type.  The iscsi:sms service type
    provides the capability for entities supporting iSCSI to discover
    appropriate management services.
template-url-syntax=
    url-path = ; The URL of the management service [RFC2608].
protocols = string M
    # The list of protocols supported by this name service.  This
    # list may be expanded in the future.  There is no default.
    #
    # "isns" - This management service supports the use of the iSNS
    #          protocol for access management, health monitoring, and
    #          discovery management services.  This protocol is defined
    #          in [ISNS].
isns
transports = string M L tcp
    # This is a list of transport protocols that the registered
    # entity supports.
tcp, udp
server-priority = integer
    # The priority a client should give this server, when choosing
    # between multiple servers with the same protocol type.
    # When multiple servers are discovered for a given protocol type,
    # this parameter indicates their relative precedence.  Server
    # precedence is protocol-specific; for some protocols, the primary
    # server may have the highest server-priority value, while for
    # others it may have the lowest.  For example, with iSNS, the primary
    # server has the lowest value (value 0).
--------------------------template ends here------------------------
The SLPv2 security model as specified in [RFC2608] does not provide confidentiality but does provide an authentication mechanism for UAs to ensure that service advertisements only come from trusted SAs, with the exception that it does not provide a mechanism to authenticate "zero-result responses". See [RFC3723] for a discussion of the SLPv2 [RFC2608] security model.
Once a target or management server is discovered, authentication and authorization are handled by the iSCSI protocol, or by the management server's protocol. It is the responsibility of the providers of these services to ensure that an inappropriately advertised or discovered service does not compromise their security.
When no security is used for SLPv2, there is a risk of distribution of false discovery information. The primary countermeasure for this risk is authentication. When this risk is a significant concern, IPsec SAs and iSCSI in-band authentication SHOULD be used for iSCSI traffic subject to this risk to ensure that iSCSI traffic only flows between endpoints that have participated in IKE authentication and iSCSI in-band authentication. For example, if an attacker distributes discovery information falsely claiming that it is an iSCSI target, it will lack the secret information necessary to complete IKE authentication or iSCSI in-band authentication successfully and therefore will be prevented from falsely sending or receiving iSCSI traffic.
A risk remains of a denial of service attack based on repeated use of false discovery information that will cause initiation of IKE negotiation. The countermeasures for this are administrative configuration of each iSCSI Target to limit the peers it is willing to communicate with (i.e., by IP address range and/or DNS domain), and maintenance of a negative authentication cache to avoid repeatedly contacting an iSCSI Target that fails to authenticate. These three measures (i.e., IP address range limits, DNS domain limits, negative authentication cache) MUST be implemented.
The auth-name, auth-addr, auth-cred, and boot-list attributes comprise security policy information. When these are distributed, IPsec MUST be implemented.
Security for SLPv2 in an IP storage environment is specified in [RFC3723]. IPsec is mandatory-to-implement for IPS clients and servers. Thus, all IP storage clients, including those invoking SLP, can be assumed to support IPsec. SLP servers, however, cannot be assumed to implement IPsec, since there is no such requirement in standard SLP. In particular, SLP Directory Agents (DA) may be running on machines other than those running the IPS protocols.
IPsec SHOULD be implemented for SLPv2 as specified in [RFC3723]; this includes ESP with a non-null transform to provide both authentication and confidentiality.
When SLPv2 can be used to distribute auth-name, auth-addr, auth-cred, and boot-list information (see section 5.2 above), IPsec MUST be implemented, as these items are considered sensitive security policy information. If IPsec is not implemented, auth-name, auth-addr, auth-cred, and boot-list information MUST NOT be distributed via SLPv2 and MUST NOT be used if discovered via SLPv2.
Because the IP storage services have their own authentication capabilities when located, SLPv2 authentication is OPTIONAL to implement and use (as discussed in more detail in [RFC3723]).
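As an added defender-side sketch (not from the RFC or from [RFC3723]), this Python turns the rules above into code: policy attributes taken from an SLPv2 reply that did not arrive over IPsec are discarded rather than used, and the three mandatory countermeasures (IP address range limit, DNS domain limit, negative authentication cache) are applied before a peer is admitted or a discovered target is contacted again. The class and function names, the 300-second cache lifetime and the sample addresses are assumptions.

```python
import ipaddress
import time
from typing import Dict, Iterable, List, Optional

# Attributes that section 6 classes as security policy information.
SENSITIVE_ATTRS = {"auth-name", "auth-addr", "auth-cred", "boot-list"}


def usable_attrs(discovered: Dict[str, List[str]],
                 over_ipsec: bool) -> Dict[str, List[str]]:
    """Keep only attributes a UA may act on.  Policy attributes learned
    from a reply that IPsec did not protect MUST NOT be used, so they
    are dropped here instead of being left for later code to trust."""
    if over_ipsec:
        return dict(discovered)
    return {k: v for k, v in discovered.items() if k not in SENSITIVE_ATTRS}


class PeerLimits:
    """Target-side administrative limit on the peers it will talk to,
    by IP address range and/or DNS domain (two of the three MUST
    measures).  Ranges and domains here are configuration, not data
    learned from SLP."""

    def __init__(self, ranges: Iterable[str], domains: Iterable[str]):
        self.ranges = [ipaddress.ip_network(r, strict=False) for r in ranges]
        self.domains = [d.lower().strip(".") for d in domains]

    def allows(self, peer: str) -> bool:
        try:
            ip = ipaddress.ip_address(peer)
        except ValueError:                      # not an address: a DNS name
            name = peer.lower().strip(".")
            return any(name == d or name.endswith("." + d)
                       for d in self.domains)
        return any(ip in net for net in self.ranges)


class NegativeAuthCache:
    """Initiator-side cache of endpoints that failed IKE or iSCSI in-band
    authentication, so repeated false discovery information cannot make
    the initiator start IKE against the same endpoint on every query
    (the third MUST measure).  Entries expire after `ttl` seconds."""

    def __init__(self, ttl: float = 300.0):
        self.ttl = ttl
        self._expiry: Dict[str, float] = {}

    def record_failure(self, endpoint: str,
                       now: Optional[float] = None) -> None:
        now = time.monotonic() if now is None else now
        self._expiry[endpoint] = now + self.ttl

    def is_blocked(self, endpoint: str,
                   now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        expiry = self._expiry.get(endpoint)
        if expiry is None:
            return False
        if now >= expiry:                       # expired: allow one new try
            del self._expiry[endpoint]
            return False
        return True


if __name__ == "__main__":
    # Constructed sample: RFC 5737 documentation addresses.
    limits = PeerLimits(["192.0.2.0/24"], ["example.com"])
    print(limits.allows("192.0.2.3"), limits.allows("198.51.100.7"))
```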
This document describes three SLP Templates. They have been reviewed and approved by the IESG and registered in the IANA's "SVRLOC Templates" registry. This process is described in the IANA Considerations section of [RFC2609].
This document describes how SLP can be used by iSCSI initiators to find iSCSI targets and storage management servers. Service type templates for iSCSI targets and storage management servers are presented.
[RFC2608] Guttman, E., Perkins, C., Veizades, J., and M. Day, "Service Location Protocol, Version 2", RFC 2608, June 1999.
[RFC2609] Guttman, E., Perkins, C., and J. Kempf, "Service Templates and Service: Schemes", RFC 2609, June 1999.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC3491] Hoffman, P. and M. Blanchet, "Nameprep: A Stringprep Profile for Internationalized Domain Names (IDN)", RFC 3491, March 2003.
[RFC3513] Hinden, R. and S. Deering, "Internet Protocol Version 6 (IPv6) Addressing Architecture", RFC 3513, April 2003.
[RFC3720] Satran, J., Meth, K., Sapuntzakis, C., Chadalapaka, M., and E. Zeidner, "Internet Small Computer Systems Interface (iSCSI)", RFC 3720, April 2004.
[RFC3722] Bakke, M., "String Profile for Internet Small Computer Systems Interface (iSCSI) Names", RFC 3722, April 2004.
[RFC3723] Aboba, B., Tseng, J., Walker, J., Rangan, V., and F. Travostino, "Securing Block Storage Protocols over IP", RFC 3723, April 2004.
[RFC2614] Kempf, J. and E. Guttman, "An API for Service Location", RFC 2614, June 1999.
[SAM2] ANSI T10. "SCSI Architectural Model 2", March 2000.
[RFC3721] Bakke, M., Hafner, J., Hufferd, J., Voruganti, K., and M. Krueger, "Internet Small Computer Systems Interface (iSCSI) Naming and Discovery", RFC 3721, April 2004.
[ISNS] Tseng, J., Gibbons, K., Travostino, F., Du Laney, C. and J. Souza, "Internet Storage Name Service", Work in Progress, February 2004.
[BOOT] Sarkar, P., Missimer, D. and C. Sapuntzakis, "A Standard for Bootstrapping Clients using the iSCSI Protocol", Work in Progress, March 2004.
[RFC3105] Kempf, J. and G. Montenegro, "Finding an RSIP Server with SLP", RFC 3105, October 2001.
This document was produced by the iSCSI Naming and Discovery team, including Joe Czap, Jim Hafner, John Hufferd, and Kaladhar Voruganti (IBM), Howard Hall (Pirus), Jack Harwood (EMC), Yaron Klein (Sanrad), Marjorie Krueger (HP), Lawrence Lamers (San Valley), Todd Sperry (Adaptec), and Joshua Tseng (Nishan). Thanks also to Julian Satran (IBM) for suggesting the use of SLP for iSCSI discovery, and to Matt Peterson (Caldera) and James Kempf (Sun) for reviewing the document from an SLP perspective.
Authors' Addresses
Mark Bakke
Cisco Systems, Inc.
7900 International Drive, Suite 400
Bloomington, MN
USA 55425
EMail: mbakke@cisco.com
Kaladhar Voruganti
IBM Almaden Research Center
650 Harry Road
San Jose, CA 95120
EMail: kaladhar@us.ibm.com
John L. Hufferd
IBM Storage Systems Group
5600 Cottle Road
San Jose, CA 95193
Phone: +1 408 997-6136
EMail: jlhufferd@comcast.net
Marjorie Krueger
Hewlett-Packard Corporation
8000 Foothills Blvd
Roseville, CA 95747-5668, USA
Phone: +1 916 785-2656
EMail: marjorie_krueger@hp.com
Todd Sperry
Adaptec, Inc.
691 South Milpitas Boulevard
Milpitas, Ca. 95035
Phone: +1 408 957-4980
EMail: todd_sperry@adaptec.com
Full Copyright Statement
Copyright (C) The Internet Society (2005).
This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.
This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.
Acknowledgement
Funding for the RFC Editor function is currently provided by the Internet Society.