RFC 7147

Definitions of Managed Objects for the Internet Small Computer System Interface (iSCSI)

Part 4 of 4, p. 88 to 92
8.  Security Considerations

   There are a number of management objects defined in this MIB module
   with a MAX-ACCESS clause of read-write and/or read-create.  Such
   objects may be considered sensitive or vulnerable in some network
   environments.  The support for SET operations in a non-secure
   environment without proper protection can have a negative effect on
   network operations.  These are the tables and objects and their
   sensitivity/vulnerability:

      iscsiPortalAttributesTable, iscsiTgtPortalAttributesTable, and
      iscsiIntrPortalAttributesTable can be used to add or remove IP
      addresses to be used by iSCSI.

      iscsiTgtAuthAttributesTable entries can be added or removed, to
      allow or disallow access to a target by an initiator.

   Some of the readable objects in this MIB module (i.e., objects with a
   MAX-ACCESS other than not-accessible) may be considered sensitive or
   vulnerable in some network environments.  It is thus important to
   control even GET and/or NOTIFY access to these objects and possibly
   to even encrypt the values of these objects when sending them over
   the network via SNMP.  These are the tables and objects and their
   sensitivity/vulnerability:

      iscsiNodeAttributesTable, iscsiTargetAttributesTable, and
      iscsiTgtAuthorization can be used to glean information needed to
      make connections to the iSCSI targets this module represents.
      However, it is the responsibility of the initiators and targets
      involved to authenticate each other to ensure that an
      inappropriately advertised or discovered initiator or target does
      not compromise their security.  These issues are discussed in
      [RFC7143].

   SNMP versions prior to SNMPv3 did not include adequate security.
   Even if the network itself is secure (for example, by using IPsec),
   there is no control as to who on the secure network is allowed to
   access and GET/SET (read/change/create/delete) the objects in this
   MIB module.

   Implementations SHOULD provide the security features described by the
   SNMPv3 framework (see [RFC3410]), and implementations claiming
   compliance to the SNMPv3 standard MUST include full support for
   authentication and privacy via the User-based Security Model (USM)
   [RFC3414] with the AES cipher algorithm [RFC3826].  Implementations
   MAY also provide support for the Transport Security Model (TSM)
   [RFC5591] in combination with a secure transport such as SSH
   [RFC5592] or TLS/DTLS [RFC6353].

   Further, deployment of SNMP versions prior to SNMPv3 is NOT
   RECOMMENDED.  Instead, it is RECOMMENDED to deploy SNMPv3 and to
   enable cryptographic security.  It is then a customer/operator
   responsibility to ensure that the SNMP entity giving access to an
   instance of this MIB module is properly configured to give access to
   the objects only to those principals (users) that have legitimate
   rights to indeed GET or SET (change/create/delete) them.
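   The following snmpd.conf fragment is an added illustration (not part
   of RFC 7147 and not an example from any implementation) of the
   operator configuration this section calls for, in Net-SNMP syntax:
   SNMPv3 USM with authentication and AES privacy, no community-based
   (SNMPv1/v2c) access at all, and a VACM view that confines both
   principals to the iscsiMibModule subtree { mib-2 142 }, i.e.
   .1.3.6.1.2.1.142, with SET rights granted only to the administrative
   principal.  User names and passphrases are placeholders.

   ```conf
   # snmpd.conf -- added example, not text from RFC 7147.
   # No rocommunity/rwcommunity lines: SNMPv1/v2c requests get no access.

   # USM principals (placeholder names and passphrases). SHA-1
   # authentication, AES privacy (RFC 3414 + RFC 3826).
   createUser iscsiAdmin   SHA "CHANGE-ME-auth-admin"   AES "CHANGE-ME-priv-admin"
   createUser iscsiMonitor SHA "CHANGE-ME-auth-monitor" AES "CHANGE-ME-priv-monitor"

   # VACM view limited to the iSCSI MIB module, mib-2 142
   # (OID taken from the IANA Considerations section).
   view iscsiMibView included .1.3.6.1.2.1.142

   # Only the admin principal may SET, and only at the authPriv level, so
   # writes to iscsiPortalAttributesTable / iscsiTgtAuthAttributesTable
   # (which add or remove portals and initiator authorizations) are both
   # authenticated and encrypted on the wire.
   rwuser iscsiAdmin   authpriv -V iscsiMibView

   # The monitoring principal may only GET; authPriv is still required
   # because iscsiNodeAttributesTable and iscsiTargetAttributesTable
   # expose information useful for reaching the targets.
   rouser iscsiMonitor authpriv -V iscsiMibView
   ```

   A GET or SET arriving as SNMPv1/v2c, or as SNMPv3 at noAuthNoPriv or
   authNoPriv, is rejected before any object in the view is touched.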

9.  IANA Considerations

   The MIB module in this document uses the following IANA-assigned
   OBJECT IDENTIFIER value recorded in the "SMI Network Management MGMT
   Codes Internet-standard MIB" registry:

   Descriptor        OBJECT IDENTIFIER value
   ----------        -----------------------

   iscsiMibModule       { mib-2 142 }

   IANA has updated the reference for the mib-2 142 identifier to refer
   to this document.

10.  References

10.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2578]  McCloghrie, K., Ed., Perkins, D., Ed., and J.
              Schoenwaelder, Ed., "Structure of Management Information
              Version 2 (SMIv2)", STD 58, RFC 2578, April 1999.

   [RFC2579]  McCloghrie, K., Ed., Perkins, D., Ed., and J.
              Schoenwaelder, Ed., "Textual Conventions for SMIv2", STD
              58, RFC 2579, April 1999.

   [RFC2580]  McCloghrie, K., Ed., Perkins, D., Ed., and J.
              Schoenwaelder, Ed., "Conformance Statements for SMIv2",
              STD 58, RFC 2580, April 1999.

   [RFC3411]  Harrington, D., Presuhn, R., and B. Wijnen, "An
              Architecture for Describing Simple Network Management
              Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,
              December 2002.

   [RFC3414]  Blumenthal, U. and B. Wijnen, "User-based Security Model
              (USM) for version 3 of the Simple Network Management
              Protocol (SNMPv3)", STD 62, RFC 3414, December 2002.

   [RFC3720]  Satran, J., Meth, K., Sapuntzakis, C., Chadalapaka, M.,
              and E. Zeidner, "Internet Small Computer Systems Interface
              (iSCSI)", RFC 3720, April 2004.

   [RFC3826]  Blumenthal, U., Maino, F., and K. McCloghrie, "The
              Advanced Encryption Standard (AES) Cipher Algorithm in the
              SNMP User-based Security Model", RFC 3826, June 2004.

   [RFC4001]  Daniele, M., Haberman, B., Routhier, S., and J.
              Schoenwaelder, "Textual Conventions for Internet Network
              Addresses", RFC 4001, February 2005.

   [RFC4545]  Bakke, M. and J. Muchow, "Definitions of Managed Objects
              for IP Storage User Identity Authorization", RFC 4545, May
              2006.

   [RFC5591]  Harrington, D. and W. Hardaker, "Transport Security Model
              for the Simple Network Management Protocol (SNMP)", RFC
              5591, June 2009.

   [RFC5592]  Harrington, D., Salowey, J., and W. Hardaker, "Secure
              Shell Transport Model for the Simple Network Management
              Protocol (SNMP)", RFC 5592, June 2009.

   [RFC6353]  Hardaker, W., "Transport Layer Security (TLS) Transport
              Model for the Simple Network Management Protocol (SNMP)",
              RFC 6353, July 2011.

   [RFC7143]  Chadalapaka, M., Satran, J., Meth, K., and D. Black,
              "Internet Small Computer System Interface (iSCSI) Protocol
              (Consolidated)", RFC 7143, April 2014.

   [RFC7144]  Knight, F. and M. Chadalapaka, "Internet Small Computer
              System Interface (iSCSI) SCSI Features Update", RFC 7144,
              April 2014.

10.2.  Informative References

   [RFC3410]  Case, J., Mundy, R., Partain, D., and B. Stewart,
              "Introduction and Applicability Statements for Internet-
              Standard Management Framework", RFC 3410, December 2002.

   [RFC4022]  Raghunarayan, R., Ed., "Management Information Base for
              the Transmission Control Protocol (TCP)", RFC 4022, March
              2005.

   [RFC4455]  Hallak-Stamler, M., Bakke, M., Lederman, Y., Krueger, M.,
              and K. McCloghrie, "Definition of Managed Objects for
              Small Computer System Interface (SCSI) Entities", RFC
              4455, April 2006.

   [RFC4544]  Bakke, M., Krueger, M., McSweeney, T., and J. Muchow,
              "Definitions of Managed Objects for Internet Small
              Computer System Interface (iSCSI)", RFC 4544, May 2006.

11.  Acknowledgments

   The contents of this document were largely written as RFC 4544 by
   Mark Bakke (Cisco), Marjorie Krueger (Hewlett-Packard), Tom McSweeney
   (IBM), and James Muchow (QLogic).  A special thank you to Marjorie,
   Tom, and James for their hard work and especially to James for his
   attention to detail on this work.

   In addition to the authors, several people contributed to the
   development of this MIB module.  Thanks especially to those who took
   the time to participate in our weekly conference calls to build our
   requirements, object models, table structures, and attributes: John
   Hufferd, Tom McSweeney (IBM), Kevin Gibbons (Nishan Systems), Chad
   Gregory (Intel), Jack Harwood (EMC), Hari Mudaliar (Adaptec), Ie Wei
   Njoo (Agilent), Lawrence Lamers (SAN Valley), Satish Mali (Stonefly
   Networks), and William Terrell (Troika).

   Special thanks to Tom McSweeney, Ie Wei Njoo, and Kevin Gibbons, who
   wrote the descriptions for many of the tables and attributes in this
   MIB module, to Ayman Ghanem for finding and suggesting changes for
   many problems in this module, and to Keith McCloghrie for serving as
   advisor to the team.

   Thanks to Mike MacFaden (VMWare), David Black (EMC), and Tom Talpey
   (Microsoft) for their valuable inputs.

Authors' Addresses

   Mark Bakke
   Dell
   7625 Smetana Lane
   Eden Prairie, MN  55344
   USA

   EMail: mark_bakke@dell.com


   Prakash Venkatesen
   HCL Technologies Ltd.
   50-53, Greams Road,
   Chennai - 600006
   India

   EMail: prakashvn@hcl.com