PJohansson at aol.com
PJohansson at aol.com
Sat Mar 1 03:18:07 PST 1997
* From the SCSI Reflector (scsi at symbios.com), posted by:
* PJohansson at aol.com
In a message dated 97-02-26 20:00:31 EST, rdv at ISI.EDU writes:
<<Note that SBP-2 Login Access and the SCSI RESERVE/RELEASE mechanisms are
ownership for concurrency, but make no effort to control access for security.
Their level of control is by initiator (effectively, network address), with
no distinction made among various processes/subsystems available at a given
network node or address. In addition, access to the functionality at a disk
drive is generally unrestricted (beyond the concept of extent reservations),
so anybody with access to a drive can execute, for example, FORMAT. A
disadvantage of SBP-2 is that it is transport-specific, so code adapted to
use it will be ineffective on Fibre Channel or physical SCSI buses.>>
I think the phrase "...no effort to control access for security..." with
respect to SBP-2 could lead to some misunderstandings.
First, SBP-2 addresses access control at the same level as most other
protocols under the purview of T10: initiator level access control. This is
not to dispute that validity of the observation that finer granularity might
be useful; it is just an observation that SBP-2 falls into the mainstream
with the other T10 protocols such as parallel SCSI and Fibre Channel.
Second, the access control mechanisms that SBP-2 provides are intended to be
complementary to (optional) additional methods defined by the command sets.
There is a difficulty in 1394 with establishing the true, unforged identity
of the initiator. In my own, personal, opinion, this is the principal virtue
of SBP-2 access protocols: known identity of the initiator. I personally
believe that many of the other security issues are best left to the command
sets, a la PERSISTENT RESERVE and PERSISTENT RELEASE in SCSI. Never the less,
SBP-2 does provide a password in its access protocols that gives a fig-leaf
like feeling of protection to those who do not wish to tackle the problem in
their own command sets.
I hope this bit of education helps the discussion, in general.
Congruent Software, Inc.
3998 Whittle Avenue
Oakland, CA 94602
(510) 531-2942 FAX
pjohansson at aol.com
* For SCSI Reflector information, send a message with
* 'info scsi' (no quotes) in the message body to majordomo at symbios.com
More information about the T10