Network Working Group C. Monia Request for Comments: 4174 Consultant Category: Standards Track J. Tseng Riverbed Technology K. Gibbons McDATA Corporation September 2005
Network Working Group C. Monia Request for Comments: 4174 Consultant Category: Standards Track J. Tseng Riverbed Technology K. Gibbons McDATA Corporation September 2005
The IPv4 Dynamic Host Configuration Protocol (DHCP) Option for the Internet Storage Name Service
Internet存储名称服务的IPv4动态主机配置协议(DHCP)选项
Status of This Memo
关于下段备忘
This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.
本文件规定了互联网社区的互联网标准跟踪协议,并要求进行讨论和提出改进建议。有关本协议的标准化状态和状态,请参考当前版本的“互联网官方协议标准”(STD 1)。本备忘录的分发不受限制。
Copyright Notice
版权公告
Copyright (C) The Internet Society (2005).
版权所有(C)互联网协会(2005年)。
Abstract
摘要
This document describes the Dynamic Host Configuration Protocol (DHCP) option to allow Internet Storage Name Service (iSNS) clients to discover the location of the iSNS server automatically through the use of DHCP for IPv4. iSNS provides discovery and management capabilities for Internet SCSI (iSCSI) and Internet Fibre Channel Protocol (iFCP) storage devices in an enterprise-scale IP storage network. iSNS provides intelligent storage management services comparable to those found in Fibre Channel networks, allowing a commodity IP network to function in a similar capacity to that of a storage area network.
本文档介绍了动态主机配置协议(DHCP)选项,该选项允许Internet存储名称服务(iSNS)客户端通过将DHCP用于IPv4自动发现iSNS服务器的位置。iSNS为企业级IP存储网络中的Internet SCSI(iSCSI)和Internet光纤通道协议(iFCP)存储设备提供发现和管理功能。iSNS提供与光纤通道网络中的智能存储管理服务相当的智能存储管理服务,允许商品IP网络以与存储区域网络类似的容量运行。
Table of Contents
目录
1. Introduction ................................................. 2 1.1. Conventions Used in This Document ...................... 2 2. iSNS Option for DHCP ......................................... 3 2.1. iSNS Functions Field ................................... 5 2.2. Discovery Domain Access Field .......................... 6 2.3. Administrative Flags Field ............................. 7 2.4. iSNS Server Security Bitmap ............................ 8 3. Security Considerations ...................................... 9 4. IANA Considerations .......................................... 11
1. Introduction ................................................. 2 1.1. Conventions Used in This Document ...................... 2 2. iSNS Option for DHCP ......................................... 3 2.1. iSNS Functions Field ................................... 5 2.2. Discovery Domain Access Field .......................... 6 2.3. Administrative Flags Field ............................. 7 2.4. iSNS Server Security Bitmap ............................ 8 3. Security Considerations ...................................... 9 4. IANA Considerations .......................................... 11
5. Normative References ......................................... 11 6. Informative References ....................................... 11
5. Normative References ......................................... 11 6. Informative References ....................................... 11
The Dynamic Host Configuration Protocol for IPv4 provides a framework for passing configuration information to hosts. Its usefulness extends to hosts and devices using the iSCSI and iFCP protocols to connect to block level storage assets over a TCP/IP network.
IPv4的动态主机配置协议为向主机传递配置信息提供了一个框架。它的用途扩展到使用iSCSI和iFCP协议通过TCP/IP网络连接到块级存储资产的主机和设备。
The iSNS Protocol provides a framework for automated discovery, management, and configuration of iSCSI and iFCP devices on a TCP/IP network. It provides functionality similar to that found on Fibre Channel networks, except that iSNS works within the context of an IP network. iSNS thereby provides the requisite storage intelligence to IP networks that are standard on existing Fibre Channel networks.
iSNS协议为TCP/IP网络上iSCSI和iFCP设备的自动发现、管理和配置提供了一个框架。它提供的功能与光纤通道网络上的功能类似,只是iSNS在IP网络环境中工作。因此,iSNS为现有光纤通道网络上的标准IP网络提供了必要的存储智能。
Existing DHCP options cannot be used to find iSNS servers for the following reasons:
现有DHCP选项无法用于查找iSNS服务器,原因如下:
a) iSNS functionality is distinctly different from other protocols using DHCP options. Specifically, iSNS provides a significant superset of capabilities compared to typical name resolution protocols such as DNS. It is designed to support client devices that allow themselves to be configured and managed from a central iSNS server.
a) iSNS功能明显不同于使用DHCP选项的其他协议。具体来说,与DNS等典型的名称解析协议相比,iSNS提供了一组重要的功能。它旨在支持客户端设备,这些设备允许从中央iSNS服务器对其进行配置和管理。
b) iSNS requires a DHCP option format that provides more than the location of the iSNS server. The DHCP option has to specify the subset of iSNS services that may be actively used by the iSNS client.
b) iSNS需要DHCP选项格式,该格式提供的不仅仅是iSNS服务器的位置。DHCP选项必须指定iSNS客户端可能正在使用的iSNS服务的子集。
The DHCP option number for iSNS is used by iSCSI and iFCP devices to discover the location and role of the iSNS server. The DHCP option number assigned for iSNS by IANA is 83.
iSNS的DHCP选项号由iSCSI和iFCP设备用于发现iSNS服务器的位置和角色。IANA为iSNS分配的DHCP选项号为83。
iSNS refers to the Internet Storage Name Service framework, which consists of the storage network model and associated services.
iSNS是指Internet存储名称服务框架,它由存储网络模型和相关服务组成。
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].
本文件中的关键词“必须”、“不得”、“必需”、“应”、“不应”、“应”、“不应”、“建议”、“可”和“可选”应按照[RFC2119]中所述进行解释。
All frame formats are in big-endian network byte order. RESERVED fields SHOULD be set to zero.
所有帧格式均为大端网络字节顺序。保留字段应设置为零。
This document uses the following terms:
本文件使用以下术语:
"iSNS Client" - iSNS clients are processes resident in iSCSI and iFCP devices that initiate transactions with the iSNS server using the iSNS Protocol.
“iSNS客户端”-iSNS客户端是驻留在iSCSI和iFCP设备中的进程,它们使用iSNS协议启动与iSNS服务器的事务。
"iSNS Server" - The iSNS server responds to iSNS protocol query and registration messages and initiates asynchronous notification messages. The iSNS server stores information registered by iSNS clients.
“iSNS服务器”-iSNS服务器响应iSNS协议查询和注册消息,并启动异步通知消息。iSNS服务器存储iSNS客户端注册的信息。
"iSCSI (Internet SCSI)" - iSCSI is an encapsulation of SCSI for a new generation of storage devices interconnected with TCP/IP.
“iSCSI(Internet SCSI)”—iSCSI是SCSI的封装,用于与TCP/IP互连的新一代存储设备。
"iFCP (Internet Fibre Channel Protocol)" - iFCP is a gateway-to-gateway protocol designed to interconnect existing Fibre Channel devices using TCP/IP. iFCP maps the Fibre Channel transport and fabric services to TCP/IP.
“iFCP(Internet光纤通道协议)”—iFCP是一种网关到网关协议,旨在使用TCP/IP互连现有光纤通道设备。iFCP将光纤通道传输和结构服务映射到TCP/IP。
This option specifies the location of the primary and backup iSNS servers and the iSNS services available to an iSNS client.
此选项指定iSNS客户端可用的主iSNS服务器和备份iSNS服务器以及iSNS服务的位置。
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Code = 83 | Length | iSNS Functions | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | DD Access | Administrative FLAGS | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | iSNS Server Security Bitmap | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | a1 | a2 | a3 | a4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | b1 | b2 | b3 | b4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | . . . . | | Additional Secondary iSNS Servers | | . . . . | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Code = 83 | Length | iSNS Functions | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | DD Access | Administrative FLAGS | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | iSNS Server Security Bitmap | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | a1 | a2 | a3 | a4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | b1 | b2 | b3 | b4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | . . . . | | Additional Secondary iSNS Servers | | . . . . | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 1. iSNS Server Option
图1。iSNS服务器选项
The iSNS Option specifies a list of IP addresses used by iSNS servers. The option contains the following parameters:
iSNS选项指定iSNS服务器使用的IP地址列表。该选项包含以下参数:
Length: The number of bytes that follow the Length field.
长度:长度字段后面的字节数。
iSNS Functions: A bitmapped field defining the functions supported by the iSNS servers. The format of this field is described in section 2.1.
iSNS函数:定义iSNS服务器支持的函数的位图字段。第2.1节描述了该字段的格式。
Discovery Domain Access: A bit field indicating the types of iSNS clients that are allowed to modify Discovery Domains. The field contents are described in section 2.2.
发现域访问:一个位字段,指示允许修改发现域的iSNS客户端的类型。第2.2节描述了字段内容。
Administrative Flags field: Contains the administrative settings for the iSNS servers discovered through the DHCP query. The contents of this field are described in section 2.3.
管理标志字段:包含通过DHCP查询发现的iSNS服务器的管理设置。第2.3节描述了该字段的内容。
iSNS Server Security Bitmap: Contains the iSNS server security settings specified in section 2.4.
iSNS服务器安全位图:包含第2.4节中指定的iSNS服务器安全设置。
a1...a4: Depending on the setting of the Heartbeat bit in the Administrative Flags field (see section 2.3), this field contains either the IP address from which the iSNS heartbeat originates (see [iSNS]) or the IP address of the primary iSNS server.
a1…a4:根据管理标志字段中心跳位的设置(参见第2.3节),此字段包含iSNS心跳起源的IP地址(参见[iSNS])或主iSNS服务器的IP地址。
b1...b4: Depending on the setting of Heartbeat bit in the Administrative Flags field (see section 2.3), this field contains either the IP address of the primary iSNS server or that of a secondary iSNS server.
b1…b4:根据管理标志字段中心跳位的设置(参见第2.3节),此字段包含主iSNS服务器的IP地址或辅助iSNS服务器的IP地址。
Additional Secondary iSNS Servers: Each set of four octets specifies the IP address of a secondary iSNS server.
附加的辅助iSNS服务器:每组四个八位字节指定辅助iSNS服务器的IP地址。
The Code field through IP address field a1...a4 MUST be present in every response to the iSNS query; therefore the Length field has a minimum value of 14.
通过IP地址字段a1…a4的代码字段必须出现在对iSNS查询的每个响应中;因此,长度字段的最小值为14。
If the Heartbeat bit is set in the Administrative Flags field (see section 2.3), then b1...b4 MUST also be present. In this case, the minimum value of the Length field is 18.
如果在管理标志字段中设置了心跳位(参见第2.3节),则b1…b4也必须存在。在这种情况下,长度字段的最小值为18。
The inclusion of Additional Secondary iSNS Servers in the response MUST be indicated by increasing the Length field accordingly.
必须通过相应增加长度字段来指示响应中是否包含其他辅助iSNS服务器。
The iSNS Functions Field defines the iSNS server's operational role (i.e., how the iSNS server is to be used). The iSNS server's role can be as basic as providing simple discovery information, or as significant as providing IKE/IPSec security policies and certificates for the use of iSCSI and iFCP devices. The format of the iSNS Functions field is shown in Figure 2.
iSNS功能字段定义iSNS服务器的操作角色(即如何使用iSNS服务器)。iSNS服务器的作用可以是提供简单的发现信息,也可以是为iSCSI和iFCP设备的使用提供IKE/IPSec安全策略和证书。iSNS函数字段的格式如图2所示。
0 1 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | RESERVED |S|A|E| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
0 1 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | RESERVED |S|A|E| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 2. iSNS Functions Field
图2。iSNS函数字段
Bit Field Significance --------- ------------ 15 Function Fields Enabled 14 DD-Based Authorization 13 Security Policy Distribution
Bit Field Significance --------- ------------ 15 Function Fields Enabled 14 DD-Based Authorization 13 Security Policy Distribution
The following are iSNS Functions Field definitions:
以下是iSNS函数字段定义:
Function Fields Specifies the validity of the remaining Enabled: iSNS Function fields. If it is set to one, then the contents of all other iSNS Function fields are valid. If it is set to zero, then the contents of all other iSNS Function fields MUST be ignored.
函数字段指定其余已启用:iSNS函数字段的有效性。如果设置为1,则所有其他iSNS函数字段的内容均有效。如果设置为零,则必须忽略所有其他iSNS函数字段的内容。
DD-based Indicates whether devices in a common Authorization: Discovery Domain (DD) are implicitly authorized to access one another. Although Discovery Domains control the scope of device discovery, they do not necessarily indicate whether a domain member is authorized to access discovered devices. If this bit is set to one, then devices in a common Discovery Domain are automatically allowed access to each other (if successfully authenticated). If this bit is set to zero, then access authorization is not implied by domain membership and must be explicitly performed by each device. In either case, devices not in a common discovery domain are not allowed to access each other.
基于DD指示公共授权:发现域(DD)中的设备是否被隐式授权相互访问。尽管发现域控制设备发现的范围,但它们不一定表示域成员是否有权访问发现的设备。如果此位设置为1,则自动允许公共发现域中的设备相互访问(如果成功验证)。如果此位设置为零,则域成员身份并不意味着访问授权,必须由每个设备显式执行。在这两种情况下,不允许不在公共发现域中的设备相互访问。
Security Policy Indicates whether the iSNS client is to Distribution: download and use the security policy configuration stored in the iSNS server. If it is set to one, then the policy is stored in the iSNS server and must be used by the iSNS client for its own security policy. If it is set to zero, then the iSNS client must obtain its security policy configuration by other means.
安全策略指示iSNS客户端是否要分发:下载并使用存储在iSNS服务器中的安全策略配置。如果设置为1,则该策略存储在iSNS服务器中,iSNS客户端必须将其用于自己的安全策略。如果设置为零,则iSNS客户端必须通过其他方式获取其安全策略配置。
The format of the DD Access bit field is shown in Figure 3.
DD访问位字段的格式如图3所示。
0 1 1 1 1 1 1 0 ... 9 0 1 2 3 4 5 +---+---+---+---+---+---+---+---+---+ | RESERVED | if| tf| is| ts| C | E | +---+---+---+---+---+---+---+---+---+
0 1 1 1 1 1 1 0 ... 9 0 1 2 3 4 5 +---+---+---+---+---+---+---+---+---+ | RESERVED | if| tf| is| ts| C | E | +---+---+---+---+---+---+---+---+---+
Figure 3. Discovery Domain Access Field
图3。发现域访问字段
Bit Field Significance --------- ------------ 15 Enabled 14 Control Node 13 iSCSI Target 12 iSCSI Initiator 11 iFCP Target Port 10 iFCP Initiator Port
Bit Field Significance --------- ------------ 15 Enabled 14 Control Node 13 iSCSI Target 12 iSCSI Initiator 11 iFCP Target Port 10 iFCP Initiator Port
The following are Discovery Domain Access Field definitions:
以下是发现域访问字段定义:
Enabled: Specifies the validity of the remaining DD Access bit field. If it is set to one, then the contents of the remainder of the DD Access field are valid. If it is set to zero, then the contents of the remainder of this field MUST be ignored.
已启用:指定剩余DD访问位字段的有效性。如果设置为1,则DD访问字段其余部分的内容有效。如果设置为零,则必须忽略此字段其余部分的内容。
Control Node: Specifies whether the iSNS server allows Discovery Domains to be added, modified, or deleted by means of Control Nodes. If it is set to one, then Control Nodes are allowed to modify the Discovery Domain configuration. If it is set to zero, then Control Nodes are not allowed to modify Discovery Domain configurations.
控制节点:指定iSNS服务器是否允许通过控制节点添加、修改或删除发现域。如果将其设置为1,则允许控制节点修改发现域配置。如果将其设置为零,则不允许控制节点修改发现域配置。
iSCSI Target, Determine whether the respective iSCSI Initiator, registered iSNS client (determined iFCP Target Port, by iSCSI Node Type or iFCP Port Role) iFCP Initiator is allowed to add, delete, or modify Port: Discovery Domains. If they are set to one, then modification by the specified client type is allowed. If they are set to zero, then modification by the specified client type is not allowed.
iSCSI目标,确定是否允许相应的iSCSI启动器、已注册的iSNS客户端(由iSCSI节点类型或iFCP端口角色确定的iFCP目标端口)iFCP启动器添加、删除或修改端口:发现域。如果将它们设置为1,则允许通过指定的客户端类型进行修改。如果将它们设置为零,则不允许通过指定的客户端类型进行修改。
(A node may implement multiple node types.)
(一个节点可以实现多种节点类型。)
The format of the Administrative Flags bit field is shown in Figure 4.
管理标志位字段的格式如图4所示。
0 1 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | RESERVED |D|M|H|E| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
0 1 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | RESERVED |D|M|H|E| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 4. Administrative Flags
图4。管理标志
Bit Field Significance --------- ------------ 15 Enabled 14 Heartbeat 13 Management SCNs 12 Default Discovery Domain
Bit Field Significance --------- ------------ 15 Enabled 14 Heartbeat 13 Management SCNs 12 Default Discovery Domain
The following are Administrative Flags Field definitions:
以下是管理标志字段定义:
Enabled: Specifies the validity of the remainder of the Administrative Flags field. If it is set to one, then the contents of the remaining Administrative Flags are valid. If it is set to zero, then the remaining contents MUST be ignored, indicating that iSNS administrative settings are obtained through means other than DHCP.
已启用:指定管理标志字段其余部分的有效性。如果设置为1,则其余管理标志的内容有效。如果设置为零,则必须忽略其余内容,这表明iSNS管理设置是通过DHCP以外的方式获得的。
Heartbeat: Indicates whether the first IP address is the multicast address to which the iSNS heartbeat message is sent. If it is set to one, then a1-a4 contains the heartbeat multicast address and b1-b4 contains the IP address of the
Heartbeat:指示第一个IP地址是否是向其发送iSNS心跳消息的多播地址。如果设置为1,则a1-a4包含心跳多播地址,b1-b4包含心跳多播地址的IP地址
primary iSNS server, followed by the IP address(es) of any backup servers (see Figure 1). If it is set to zero, then a1-a4 contain the IP address of the primary iSNS server, followed by the IP address(es) of any backup servers.
主iSNS服务器,后跟任何备份服务器的IP地址(请参见图1)。如果设置为零,则a1-a4包含主iSNS服务器的IP地址,后跟任何备份服务器的IP地址。
Management SCNs: Indicates whether control nodes are authorized to register for receiving Management State Change Notifications (SCNs). Management SCNs are a special class of State Change Notification whose scope is the entire iSNS database. If this bit is set to one, then control nodes are authorized to register for receiving Management SCNs. If it is set to zero, then control nodes are not authorized to receive Management SCNs (although they may receive normal SCNs).
管理SCN:指示是否授权控制节点注册以接收管理状态更改通知(SCN)。管理SCN是一类特殊的状态更改通知,其范围是整个iSNS数据库。如果此位设置为1,则控制节点有权注册以接收管理SCN。如果设置为零,则控制节点无权接收管理SCN(尽管它们可能接收正常SCN)。
Default Discovery Indicates whether a newly registered Domain: device that is not explicitly placed into a Discovery Domain (DD) and Discovery Domain Set (DDS) should be automatically placed into a default DD and DDS. If it is set to one, then a default DD shall contain all devices in the iSNS database that have not been explicitly placed into a DD by an iSNS client. If it is set to zero, then devices not explicitly placed into a DD are not members of any DD.
默认发现指示是否应将未显式放入发现域(DD)和发现域集(DDS)的新注册域:设备自动放入默认DD和DDS。如果设置为1,则默认DD应包含iSNS数据库中未由iSNS客户端显式放入DD的所有设备。如果设置为零,则未显式放入DD的设备不是任何DD的成员。
The format of the iSNS server security Bitmap field is shown in Figure 5. If valid, this field communicates to the DHCP client the security settings that are required to communicate with the indicated iSNS server.
iSNS服务器安全位图字段的格式如图5所示。如果有效,此字段将与DHCP客户端通信与指定的iSNS服务器通信所需的安全设置。
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | RESERVED |T|X|P|A|M|S|E| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | RESERVED |T|X|P|A|M|S|E| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 5. iSNS Server Security Bitmap
图5。iSNS服务器安全位图
Bit Field Significance --------- ---------------- 31 Enabled 30 IKE/IPSec 29 Main Mode 28 Aggressive Mode 27 PFS 26 Transport Mode 25 Tunnel Mode
Bit Field Significance --------- ---------------- 31 Enabled 30 IKE/IPSec 29 Main Mode 28 Aggressive Mode 27 PFS 26 Transport Mode 25 Tunnel Mode
The following are iSNS Server Security Bitmap definitions:
以下是iSNS服务器安全位图定义:
Enabled: Specifies the validity of the remainder of the iSNS server security bitmap. If it is set to one, then the contents of the remainder of the field are valid. If it is set to zero, then the contents of the rest of the field are undefined and MUST be ignored.
已启用:指定iSNS服务器安全位图其余部分的有效性。如果设置为1,则字段其余部分的内容有效。如果设置为零,则字段其余部分的内容未定义,必须忽略。
IKE/IPSec: 1 = IKE/IPSec enabled; 0 = IKE/IPSec disabled.
IKE/IPSec:1=已启用IKE/IPSec;0=IKE/IPSec已禁用。
Main Mode: 1 = Main Mode enabled; 0 = Main Mode disabled.
主模式:1=主模式启用;0=主模式已禁用。
Aggressive Mode: 1 = Aggressive Mode enabled; 0 = Aggressive Mode disabled.
主动模式:1=主动模式启用;0=主动模式已禁用。
PFS: 1 = PFS enabled; 0 = PFS disabled.
PFS:1=已启用PFS;0=PFS已禁用。
Transport Mode: 1 = Transport Mode preferred; 0 = No preference.
运输方式:1=首选运输方式;0=没有首选项。
Tunnel Mode: 1 = Tunnel Mode preferred; 0 = No preference.
隧道模式:1=首选隧道模式;0=没有首选项。
If IKE/IPSec is disabled, this indicates that the Internet Key Exchange (IKE) Protocol is not available to configure IPSec keys for iSNS sessions to this iSNS server. It does not necessarily preclude other key exchange methods (e.g., manual keying) from establishing an IPSec security association for the iSNS session.
如果禁用IKE/IPSec,则表示Internet密钥交换(IKE)协议不可用于为此iSNS服务器的iSNS会话配置IPSec密钥。它不一定排除其他密钥交换方法(例如,手动密钥)为iSNS会话建立IPSec安全关联。
If IKE/IPsec is enabled, then for each of the bit pairs <Main Mode, Aggressive Mode> and <Transport Mode, Tunnel Mode>, one of the two bits MUST be set to 1, and the other MUST be set to 0.
如果启用了IKE/IPsec,则对于每个位对<Main Mode,Aggressive Mode>和<Transport Mode,Tunnel Mode>,两个位中的一个必须设置为1,另一个必须设置为0。
For protecting the iSNS option, the DHCP Authentication security option as specified in [RFC3118] may present a problem due to the limited implementation and deployment of the DHCP authentication
为了保护iSNS选项,[RFC3118]中指定的DHCP身份验证安全选项可能会由于DHCP身份验证的实施和部署受到限制而出现问题
option. The IPsec security mechanisms for iSNS itself are specified in [iSNS] to provide confidentiality when sensitive information is distributed via iSNS. See the Security Considerations section of [iSNS] for details and specific requirements for implementation of IPsec.
选项[iSNS]中指定了iSNS本身的IPsec安全机制,以在通过iSNS分发敏感信息时提供保密性。有关实现IPsec的详细信息和具体要求,请参阅[iSNS]的安全注意事项部分。
In addition, [iSNS] describes an authentication block that provides message integrity for multicast or broadcast iSNS messages (i.e., for heartbeat/discovery messages only). See [RFC3723] for further discussion of security for these protocols.
此外,[iSNS]描述了为多播或广播iSNS消息(即,仅用于心跳/发现消息)提供消息完整性的身份验证块。有关这些协议安全性的进一步讨论,请参见[RFC3723]。
If no sensitive information, as described in [iSNS], is being distributed via iSNS, and an Entity is discovered via iSNS, authentication and authorization are handled by the IP Storage protocols whose endpoints are discovered via iSNS; specifically, iFCP [iFCP] and iSCSI [RFC3720]. It is the responsibility of the providers of these services to ensure that an inappropriately advertised or discovered service does not compromise their security.
如果没有[iSNS]中所述的敏感信息通过iSNS分发,并且通过iSNS发现实体,则通过IP存储协议处理身份验证和授权,其端点通过iSNS发现;具体而言,iFCP[iFCP]和iSCSI[RFC3720]。这些服务的提供商有责任确保不适当的广告或发现服务不会损害其安全性。
When no DHCP security is used, there is a risk of distribution of false discovery information (e.g., via the iSNS DHCP option identifying a false iSNS server that distributes the false discovery information). The primary countermeasure for this risk is authentication by the IP storage protocols discovered through iSNS. When this risk is a significant concern, IPsec SAs SHOULD be used (as specified in RFC 3723). For example, if an attacker uses DHCP and iSNS to distribute discovery information that falsely identifies an iSCSI endpoint, that endpoint will lack the credentials necessary to complete IKE authentication successfully, and therefore will be prevented from falsely sending or receiving iSCSI traffic. When this risk of false discovery information is a significant concern and IPsec is implemented for iSNS, IPsec SAs SHOULD also be used for iSNS traffic to prevent use of a false iSNS server; this is more robust than relying only on the IP Storage protocols to detect false discovery information.
如果未使用DHCP安全,则存在分发错误发现信息的风险(例如,通过识别分发错误发现信息的错误iSNS服务器的iSNS DHCP选项)。针对此风险的主要对策是通过iSNS发现的IP存储协议进行身份验证。当此风险是一个重大问题时,应使用IPsec SAs(如RFC 3723中所述)。例如,如果攻击者使用DHCP和iSNS分发错误标识iSCSI端点的发现信息,则该端点将缺少成功完成IKE身份验证所需的凭据,因此将防止错误发送或接收iSCSI通信。当错误发现信息的风险是一个重大问题,并且IPsec是为iSNS实施的时,IPsec SAs也应该用于iSNS流量,以防止使用错误的iSNS服务器;这比仅依靠IP存储协议来检测错误的发现信息更可靠。
When IPsec is implemented for iSNS, there is a risk of a denial-of-service attack based on repeated use of false discovery information that will cause initiation of IKE negotiation. The countermeasures for this are administrative configuration of each iSNS Entity to limit the peers it is willing to communicate with (i.e., by IP address range and/or DNS domain), and maintenance of a negative authentication cache to avoid repeatedly contacting an iSNS Entity that fails to authenticate. These three measures (i.e., IP address range limits, DNS domain limits, negative authentication cache) MUST be implemented for iSNS entities when this DHCP option is used. An analogous argument applies to the IP storage protocols that can be discovered via iSNS as discussed in RFC 3723.
当为iSNS实施IPsec时,存在基于重复使用虚假发现信息的拒绝服务攻击风险,这将导致IKE协商的启动。解决这一问题的对策是对每个iSNS实体进行管理配置,以限制其愿意与之通信的对等方(即,通过IP地址范围和/或DNS域),并维护负面身份验证缓存,以避免重复联系无法进行身份验证的iSNS实体。使用此DHCP选项时,必须为iSNS实体实施这三项措施(即IP地址范围限制、DNS域限制、负面身份验证缓存)。类似的论点适用于可通过iSNS发现的IP存储协议,如RFC 3723中所述。
In addition, use of the techniques described in [RFC2827] and [RFC3833] may also be relevant to reduce denial-of-service attacks.
此外,使用[RFC2827]和[RFC3833]中描述的技术也可能与减少拒绝服务攻击有关。
In accordance with the policy defined in [DHCP], IANA has assigned a value of 83 for this option.
根据[DHCP]中定义的策略,IANA为该选项分配了83的值。
There are no other IANA-assigned values defined by this specification.
本规范未定义其他IANA赋值。
[DHCP] Droms, R., "Dynamic Host Configuration Protocol", RFC 2131, March 1997.
[DHCP]Droms,R.,“动态主机配置协议”,RFC 21311997年3月。
[iSNS] Tseng, J., Gibbons, K., Travostino, F., Du Laney, C., and J. Souza, "Internet Storage Name Service (iSNS)", RFC 4171, September 2005.
[iSNS]Tseng,J.,Gibbons,K.,Travostino,F.,Du Laney,C.,和J.Souza,“互联网存储名称服务(iSNS)”,RFC 41712005年9月。
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2119]Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,1997年3月。
[RFC3118] Droms, R. and W. Arbaugh, "Authentication for DHCP Messages", RFC 3118, June 2001.
[RFC3118]Droms,R.和W.Arbaugh,“DHCP消息的身份验证”,RFC31182001年6月。
[RFC3720] Satran, J., Meth, K., Sapuntzakis, C., Chadalapaka, M., and E. Zeidner, "Internet Small Computer Systems Interface (iSCSI)", RFC 3720, April 2004.
[RFC3720]Satran,J.,Meth,K.,Sapuntzakis,C.,Chadalapaka,M.,和E.Zeidner,“互联网小型计算机系统接口(iSCSI)”,RFC 3720,2004年4月。
[RFC3723] Aboba, B., Tseng, J., Walker, J., Rangan, V., and F. Travostino, "Securing Block Storage Protocols over IP", RFC 3723, April 2004.
[RFC3723]Aboba,B.,Tseng,J.,Walker,J.,Rangan,V.,和F.Travostino,“通过IP保护块存储协议”,RFC 37232004年4月。
[iFCP] Monia, C., Mullendore, R., Travostino, F., Jeong, W., and M. Edwards, "iFCP - A Protocol for Internet Fibre Channel Storage Networking", RFC 4172, September 2005.
[iFCP]Monia,C.,Mullendore,R.,Travostino,F.,Jeong,W.,和M.Edwards,“iFCP-互联网光纤通道存储网络协议”,RFC 4172,2005年9月。
[RFC2827] Ferguson, P. and D. Senie, "Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing", BCP 38, RFC 2827, May 2000.
[RFC2827]Ferguson,P.和D.Senie,“网络入口过滤:击败利用IP源地址欺骗的拒绝服务攻击”,BCP 38,RFC 2827,2000年5月。
[RFC3833] Atkins, D. and R. Austein, "Threat Analysis of the Domain Name System (DNS)", RFC 3833, August 2004.
[RFC3833]Atkins,D.和R.Austein,“域名系统(DNS)的威胁分析”,RFC 38332004年8月。
Authors' Addresses
作者地址
Kevin Gibbons McDATA Corporation 4555 Great America Parkway Santa Clara, CA 95054-1208
Kevin Gibbons McDATA Corporation加利福尼亚州圣克拉拉大美洲大道4555号,邮编95054-1208
Phone: (408) 567-5765 EMail: kevin.gibbons@mcdata.com
电话:(408)567-5765电子邮件:凯文。gibbons@mcdata.com
Charles Monia 7553 Morevern Circle San Jose, CA 95135
查尔斯·莫尼亚7553加利福尼亚州圣何塞莫尔文圈95135
EMail: charles_monia@yahoo.com
EMail: charles_monia@yahoo.com
Josh Tseng Riverbed Technology 501 2nd Street, Suite 410 San Francisco, CA 94107
Josh Tseng河床技术501第二街,套房410旧金山,CA 94107
Phone: (650)274-2109 EMail: joshtseng@yahoo.com
电话:(650)274-2109电子邮件:joshtseng@yahoo.com
Full Copyright Statement
完整版权声明
Copyright (C) The Internet Society (2005).
版权所有(C)互联网协会(2005年)。
This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.
本文件受BCP 78中包含的权利、许可和限制的约束,除其中规定外,作者保留其所有权利。
This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
本文件及其包含的信息是按“原样”提供的,贡献者、他/她所代表或赞助的组织(如有)、互联网协会和互联网工程任务组不承担任何明示或暗示的担保,包括但不限于任何保证,即使用本文中的信息不会侵犯任何权利,或对适销性或特定用途适用性的任何默示保证。
Intellectual Property
知识产权
The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.
IETF对可能声称与本文件所述技术的实施或使用有关的任何知识产权或其他权利的有效性或范围,或此类权利下的任何许可可能或可能不可用的程度,不采取任何立场;它也不表示它已作出任何独立努力来确定任何此类权利。有关RFC文件中权利的程序信息,请参见BCP 78和BCP 79。
Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.
向IETF秘书处披露的知识产权副本和任何许可证保证,或本规范实施者或用户试图获得使用此类专有权利的一般许可证或许可的结果,可从IETF在线知识产权存储库获取,网址为http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.
IETF邀请任何相关方提请其注意任何版权、专利或专利申请,或其他可能涵盖实施本标准所需技术的专有权利。请将信息发送至IETF的IETF-ipr@ietf.org.
Acknowledgement
确认
Funding for the RFC Editor function is currently provided by the Internet Society.
RFC编辑功能的资金目前由互联网协会提供。