Tech-invite3GPPspaceIETF RFCsSIP
929190898887868584838281807978777675747372717069686766656463626160595857565554535251504948474645444342414039383736353433323130292827262524232221201918171615141312111009080706050403020100
in Index   Prev   Next

RFC 4544

Definitions of Managed Objects for Internet Small Computer System Interface (iSCSI)

Pages: 83
Obsoleted by:  7147
Part 1 of 4 – Pages 1 to 14
None   None   Next

ToP   noToC   RFC4544 - Page 1
Network Working Group                                           M. Bakke
Request for Comments: 4544                                 Cisco Systems
Category: Standards Track                                     M. Krueger
                                                         Hewlett-Packard
                                                            T. McSweeney
                                                                     IBM
                                                               J. Muchow
                                                            Qlogic Corp.
                                                                May 2006


                    Definitions of Managed Objects
          for Internet Small Computer System Interface (iSCSI)

Status of This Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2006).

Abstract

This memo defines a portion of the Management Information Base (MIB) for use with network management protocols in TCP/IP-based internets. In particular, it defines objects for managing a client using the Internet Small Computer System Interface (iSCSI) protocol (SCSI over TCP).
ToP   noToC   RFC4544 - Page 2

Table of Contents

1. Introduction ....................................................3 2. Specification of Requirements ...................................3 3. The Internet-Standard Management Framework ......................3 4. Relationship to Other MIB Modules ...............................3 5. Relationship to SNMP Contexts ...................................4 6. Discussion ......................................................4 6.1. iSCSI MIB Object Model .....................................5 6.2. iSCSI MIB Table Structure ..................................6 6.3. iscsiInstance ..............................................7 6.4. iscsiPortal ................................................7 6.5. iscsiTargetPortal ..........................................9 6.6. iscsiInitiatorPortal .......................................9 6.7. iscsiNode .................................................10 6.8. iscsiTarget ...............................................10 6.9. iscsiTgtAuthorization .....................................11 6.10. iscsiInitiator ...........................................11 6.11. iscsiIntrAuthorization ...................................11 6.12. iscsiSession .............................................11 6.13. iscsiConnection ..........................................12 6.14. IP Addresses and TCP Port Numbers ........................12 6.15. Descriptors: Using OIDs in Place of Enumerated Types .....13 6.16. Notifications ............................................13 7. MIB Definitions ................................................14 8. Security Considerations ........................................79 9. IANA Considerations ............................................80 10. Normative References ..........................................80 11. Informative References ........................................81 12. Acknowledgements ..............................................81
ToP   noToC   RFC4544 - Page 3

1. Introduction

This document defines a MIB module for iSCSI [RFC3720], used to manage devices that implement the iSCSI protocol.

2. Specification of Requirements

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].

3. The Internet-Standard Management Framework

For a detailed overview of the documents that describe the current Internet-Standard Management Framework, please refer to section 7 of RFC 3410 [RFC3410]. Managed objects are accessed via a virtual information store, termed the Management Information Base or MIB. MIB objects are generally accessed through the Simple Network Management Protocol (SNMP). Objects in the MIB are defined using the mechanisms defined in the Structure of Management Information (SMI). This memo specifies a MIB module that is compliant to the SMIv2, which is described in STD 58, RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580 [RFC2580].

4. Relationship to Other MIB Modules

The iSCSI MIB module is normally layered between the SCSI MIB module [RFC4455] and the TCP MIB module [RFC4022], and makes use of the IP Storage (IPS) Identity Authentication MIB module [RFC4545]. Here is how these modules are related: SCSI MIB Within systems where a SCSI layer is present, each iscsiNode, whether it has an initiator role, target role, or both, is related to one SCSI device within the SCSI MIB module. In this case, the iscsiNodeTransportType attribute points to the SCSI transport object within the SCSI MIB module, which in turn contains an attribute that points back to the iscsiNode. In this way, a management station can navigate between the two MIB modules. In systems where a SCSI layer is not present, such as within an iSCSI proxy device, the iscsiNodeTransportType attribute points to the appropriate corresponding object within the appropriate MIB, or is left blank.
ToP   noToC   RFC4544 - Page 4
   TCP MIB   Each iSCSI connection is related to one transport-level
             connection.  Currently, iSCSI uses only TCP; the iSCSI
             connection is related to a TCP connection using its normal
             (protocol, source address, source port, destination
             address, destination port) 5-tuple.

   AUTH MIB  Each iSCSI node that serves a target role can have a list
             of authorized initiators.  Each of the entries in this list
             points to an identity within the IPS Identity
             Authentication MIB module that will be allowed to access
             the target.  iSCSI nodes that serve in an initiator role
             can also have a list of authorized targets.  Each of the
             entries in this list points to an identity within the Auth
             MIB module to which the initiator should attempt to
             establish sessions.  The Auth MIB module includes
             information used to identify initiators and targets by
             their iSCSI name, IP address, and/or credentials.

   This MIB module imports objects from RFCs 2578 [RFC2578], 2579
   [RFC2579], 2580 [RFC2580], and 3411 [RFC3411].  It also imports
   textual conventions from the INET-ADDRESS-MIB [RFC4001].

5. Relationship to SNMP Contexts

Each non-scalar object in the iSCSI MIB module is indexed first by an iSCSI Instance. Each instance is a collection of nodes, portals, sessions, etc., that can define a physical or virtual partitioning of an iSCSI-capable device. The use of an instance works well with partitionable or hierarchical storage devices and fits in logically with other management schemes. Instances do not replace SNMP contexts, however they do provide a very simple way to assign a virtual or physical partition of a device to one or more SNMP contexts, without having to do so for each individual node, portal, and session row.

6. Discussion

This MIB module structure supplies configuration, fault, and statistics information for iSCSI devices [RFC3720]. It is structured around the well-known iSCSI objects, such as targets, initiators, sessions, connections, and the like. This MIB module may also be used to configure access to iSCSI targets, by creating iSCSI Portals and authorization list entries.
ToP   noToC   RFC4544 - Page 5
   It is worthwhile to note that this is an iSCSI MIB module and as such
   reflects only iSCSI objects.  This module does not contain
   information about the SCSI-layer attributes of a device.  If a SCSI
   layer is present, the SCSI MIB module, currently under development,
   may be used to manage SCSI information for a device.

   The iSCSI MIB module consists of several "objects", each of which is
   represented by one or more tables.  This section contains a brief
   description of the "object" hierarchy and a description of each
   object, followed by a discussion of the actual table structure within
   the objects.

6.1. iSCSI MIB Object Model

The top-level object in this structure is the iSCSI instance, which "contains" all of the other objects. iscsiInstance -- A distinct iSCSI entity within the managed system. iscsiPortal -- An IP address used by this instance iscsiTargetPortal -- Contains portal information relevant when the portal -- is used to listen for connections to its targets. iscsiInitiatorPortal -- Contains portal information relevant when the portal -- is used to initiate connections to other targets. iscsiNode -- An iSCSI node can act as an initiator, a target, or both. -- Contains generic (non-role-specific) information. iscsiTarget -- Target-specific iSCSI node information. iscsiTgtAuth -- A list of initiator identities that are allowed -- access to this target. iscsiInitiator -- Initiator-specific iSCSI node information. iscsiIntrAuth -- A list of target identities to which this initiator -- is configured to establish sessions. iscsiSession -- An active iSCSI session between an initiator and target. -- The session's direction may be Inbound (outside -- initiator to our target) or Outbound (our initiator to -- an outside target). iscsiConnection -- An active TCP connection within an iSCSI session.
ToP   noToC   RFC4544 - Page 6
   An iSCSI node can be an initiator, a target, or both.  The iSCSI
   node's portals may be used to initiate connections (initiator) or
   listen for connections (target), depending on whether the iSCSI node
   is acting as an initiator or target.  The iSCSI MIB module assumes
   that any target may be accessed via any portal that can take on a
   target role, although other access controls not reflected in the
   module might limit this.

6.2. iSCSI MIB Table Structure

Each iSCSI object exports one or more tables: an attributes table, and zero or more statistics tables, which augment the attributes table. Since iSCSI is an evolving standard, it is much cleaner to provide statistics and attributes as separate tables, allowing attributes and statistics to be added independently. In a few cases, there are multiple categories of statistics that will likely grow; in this case, an object will contain multiple statistics tables. iscsiObjects iscsiDescriptors iscsiInstance iscsiInstanceAttributesTable iscsiInstanceSsnErrorStatsTable -- Counts abnormal session terminations iscsiPortal iscsiPortalAttributesTable iscsiTargetPortal iscsiTgtPortalAttributesTable iscsiInitiatorPortal iscsiIntrPortalAttributesTable iscsiNode iscsiNodeAttributesTable iscsiTarget iscsiTargetAttributesTable iscsiTargetLoginStatsTable -- Counts successful and unsuccessful logins iscsiTargetLogoutStatsTable -- Counts normal and abnormal logouts iscsiTgtAuthorization iscsiTgtAuthAttributesTable iscsiInitiator iscsiInitiatorAttributesTable iscsiInitiatorLoginStatsTable -- Counts successful and unsuccessful logins iscsiInitiatorLogoutStatsTable -- Counts normal and abnormal logouts iscsiIntrAuthorization iscsiIntrAuthAttributesTable
ToP   noToC   RFC4544 - Page 7
     iscsiSession
       iscsiSessionAttributesTable
       iscsiSessionStatsTable
         -- Performance-related counts (requests, responses, bytes)
       iscsiSessionCxnErrorStatsTable
         -- Counts digest errors, connection errors, etc.
     iscsiConnection
       iscsiConnectionAttributesTable

   Note that this module does not attempt to count everything that could
   be counted; it is designed to include only those counters that would
   be useful for identifying performance, security, and fault problems
   from a management station.

6.3. iscsiInstance

The iscsiInstanceAttributesTable is the primary table of the iSCSI MIB module. Every table entry in this module is "owned" by exactly one iSCSI instance; all other table entries in the module include this table's index as their primary index. Most implementations will include just one iSCSI instance row in this table. However, this table exists to allow for multiple virtual instances. For example, many IP routing products now allow multiple virtual routers. The iSCSI MIB module has the same premise; a large system could be "partitioned" into multiple, distinct virtual systems. This also allows a single SNMP agent to proxy for multiple subsystems, perhaps a set of stackable devices, each of which has one or even more instances. The instance attributes include the iSCSI vendor and version, as well as information on the last target or initiator at the other end of a session that caused a session failure. The iscsiInstanceSsnErrorStatsTable augments the attributes table and provides statistics on session failures due to digest, connection, or iSCSI format errors.

6.4. iscsiPortal

The iscsiPortalAttributesTable lists iSCSI portals that can be used to listen for connections to targets, to initiate connections to other targets, or to do both.
ToP   noToC   RFC4544 - Page 8
   Each row in the table includes an IP address (either v4 or v6), and a
   transport protocol (currently only TCP is defined).  Each portal may
   have additional attributes, depending on whether it is an initiator
   portal, a target portal, or both.  Initiator portals also have portal
   tags; these are placed in corresponding rows in the
   iscsiIntrPortalAttributesTable.  Target portals have both portal tags
   and ports (e.g., TCP listen ports if the transport protocol is TCP);
   these are placed in rows in the iscsiTgtPortalAttributesTable.

   Portal rows, along with their initiator and target portal
   counterparts, may be created and destroyed through this MIB module by
   a management station.  Rows in the initiator and target portal tables
   are created and destroyed automatically by the agent, whenever a row
   is created or destroyed in the iscsiPortalAttributesTable, or if the
   value of iscsiPortalRoles changes.  Attributes in these tables may
   then be modified by the management station if the agent
   implementation allows.

   When created by a management station, the iscsiPortalRoles attribute
   is used to control row creation in the initiator and target portal
   tables.  Creating a row with the targetTypePortal bit set in
   iscsiPortalRoles will cause the implementation to start listening for
   iSCSI connections on the portal.  Creating a row with the
   initiatorTypePortal bit set in iscsiPortalRoles will not necessarily
   cause connections to be established; it is left to the implementation
   whether and when to make use of the portal.  Both bits may be set if
   the portal is to be used by both initiator and target nodes.

   When deleting a row in the iscsiPortalAttibutesTable, all connections
   associated with that row are terminated.  The implementation may
   either terminate the connection immediately or request a clean
   shutdown as specified in [RFC3720].  An outbound connection (when an
   iscsiInitiatorPortal is deleted) matches the portal if its
   iscsiCxnLocalAddr matches the iscsiPortalAddr.  An inbound connection
   (when an iscsiTargetPortal is deleted) matches the portal if its
   iscsiCxnLocalAddr matches the iscsiPortalAddr, and its
   iscsiCxnLocalPort matches the iscsiTargetPortalPort.

   Individual objects within a row in this table may not be modified
   while the row is active.  For instance, changing the IP address of a
   portal requires that the rows associated with the old IP address be
   deleted, and new rows be created (in either order).
ToP   noToC   RFC4544 - Page 9

6.5. iscsiTargetPortal

The iscsiTgtPortalAttributesTable contains target-specific attributes for iSCSI portals. Rows in this table use the same indices as their corresponding rows in the iscsiPortalAttributesTable, with the addition of iscsiNodeIndex. Rows in this table are created when the targetTypePortal bit is set in the iscsiPortalRoles attribute of the corresponding iscsiPortalAttributesEntry; they are destroyed when this bit is cleared. This table contains the TCP (or other protocol) port on which the socket is listening for incoming connections. It also includes a portal group aggregation tag; iSCSI target portals within this instance sharing the same tag can contain connections within the same session. This table will be empty for iSCSI instances that contain only initiators (such as iSCSI host driver implementations). Many implementations use the same target portal tag and protocol port for all nodes accessed via a portal. These implementations will create a single row in the iscsiTgtPortalAttributeTable, with an iscsiNodeIndex of zero. Other implementations do not use the same tag and/or port for all nodes; these implementations will create a row in this table for each (portal, node) tuple, using iscsiNodeIndex to designate the node for this portal tag and port.

6.6. iscsiInitiatorPortal

The iscsiIntrPortalAttributesTable contains initiator-specific objects for iSCSI portals. Rows in this table use the same indices as their corresponding entries in the iscsiPortalAttributesTable. A row in this table is created when the initiatorTypePortal bit is set in the iscsiPortalRoles attribute; it is destroyed when this bit is cleared. Each row in this table contains a portal group aggregation tag, indicating which portals an initiator may use together within a multiple-connection session. This table will be empty for iSCSI instances that contain only targets (such as most iSCSI devices).
ToP   noToC   RFC4544 - Page 10
   Many implementations use the same initiator tag for all nodes
   accessing targets via a given portal.  These implementations will
   create a single row in iscsiIntrPortalAttributeTable, with an
   iscsiNodeIndex of zero.

   Other implementations do not use the same tag and/or port for all
   nodes; these implementations will create a row in this table for each
   (portal, node) tuple, using iscsiNodeIndex to designate the node for
   this portal tag and port.

6.7. iscsiNode

The iscsiNodeAttributesTable contains a list of iSCSI nodes, each of which may have an initiator role, a target role, or both. This table contains the node's attributes that are common to both roles, such as its iSCSI name and alias string. Attributes specific to initiators or targets are available in the iscsiTarget and iscsiInitiator objects. Each row in this table that can fulfill a target role has a corresponding row in the iscsiTarget table; each entry that fulfills an initiator role has a row in the iscsiInitiator table. Nodes such as copy managers that can take on both roles have a corresponding row in each table. This table also contains the login negotiations preferences for this node. These objects indicate the values this node will offer or prefer in the operational negotiation phase of the login process. For most implementations, each entry in the table also contains a RowPointer to the transport table entry in the SCSI MIB module that this iSCSI node represents. For implementations without a standard SCSI layer above iSCSI, such as an iSCSI proxy or gateway, this RowPointer can point to a row in an implementation-specific table that this iSCSI node represents.

6.8. iscsiTarget

The iscsiTargetAttributesTable contains target-specific attributes for iSCSI nodes. Each entry in this table uses the same index values as its corresponding iscsiNode entry. This table contains attributes used to indicate the last failure that was (or should have been) sent as a notification. This table is augmented by the iscsiTargetLoginStatsTable and the iscsiTargetLogoutStatsTable, which count the numbers of normal and abnormal logins and logouts to this target.
ToP   noToC   RFC4544 - Page 11

6.9. iscsiTgtAuthorization

The iscsiTgtAuthAttributesTable contains an entry for each initiator identifier that will be allowed to access the target under which it appears. Each entry contains a RowPointer to a user identity in the IPS Authorization MIB module, which contains the name, address, and credential information necessary to authenticate the initiator.

6.10. iscsiInitiator

The iscsiInitiatorAttributesTable contains a list of initiator- specific attributes for iSCSI nodes. Each entry in this table uses the same index values as its corresponding iscsiNode entry. Most implementations will include a single entry in this table, regardless of the number of physical interfaces the initiator may use. This table is augmented by the iscsiInitiatorLoginStatsTable and the iscsiInitiatorLogoutStatsTable, which count the numbers of normal and abnormal logins and logouts from this initiator.

6.11. iscsiIntrAuthorization

The iscsiIntrAuthAttributesTable contains an entry for each target identifier to which the initiator is configured to establish a session. Each entry contains a RowPointer to a user identity in the IPS Authorization MIB module, which contains the name, address, and credential information necessary to identify (for discovery purposes) and authenticate the target.

6.12. iscsiSession

The iscsiSessionAttributesTable contains a set of rows that list the sessions known to be existing locally for each node in each iSCSI instance. The session type for each session indicates whether the session is used for normal SCSI commands or for discovery using the SendTargets text command. Discovery sessions that do not belong to any particular node have a node index attribute of zero.
ToP   noToC   RFC4544 - Page 12
   The session direction for each session indicates whether it is an
   Inbound session or an Outbound session.  Inbound sessions are from
   some other initiator to the target node under which the session
   appears.  Outbound sessions are from the initiator node under which
   the session appears to a target outside this iSCSI instance.

   Many attributes may be negotiated when starting an iSCSI session.
   Most of these attributes are included in the session object.

   Some attributes, such as the integrity and authentication schemes,
   have some standard values that can be extended by vendors to include
   their own schemes.  These contain an object identifier, rather than
   the expected enumerated type, to allow these values to be extended by
   other MIB modules, such as an enterprise MIB module.

   The iscsiSessionStatsTable includes statistics related to
   performance; it counts iSCSI data bytes and PDUs.

   For implementations that support error recovery without terminating a
   session, the iscsiSessionCxnErrorStatsTable contains counters for the
   numbers of digest and connection errors that have occurred within the
   session.

6.13. iscsiConnection

The iscsiConnectionAttributesTable contains a list of active connections within each session. It contains the IP addresses and TCP (or other protocol) ports of both the local and remote sides of the connection. These may be used to locate other connection-related information and statistics in the TCP MIB module [RFC4022]. The attributes table also contains a connection state. This state is not meant to directly map to the state tables included within the iSCSI specification; they are meant to be simplified, higher-level definitions of connection state that provide information more useful to a user or network manager. No statistics are kept for connections.

6.14. IP Addresses and TCP Port Numbers

The IP addresses in this module are represented by two attributes, one of type InetAddressType, and the other of type InetAddress. These are taken from [RFC4001], which specifies how to support addresses that may be either IPv4 or IPv6.
ToP   noToC   RFC4544 - Page 13
   The TCP port numbers that appear in a few of the structures are
   described as simply port numbers, with a protocol attribute
   indicating whether they are TCP ports or something else.  This will
   allow the module to be compatible with iSCSI over transports other
   than TCP in the future.

6.15. Descriptors: Using OIDs in Place of Enumerated Types

The iSCSI MIB module has a few attributes, namely, the digest method attributes, where an enumerated type would work well, except that an implementation may need to extend the attribute and add types of its own. To make this work, this MIB module defines a set of object identities within the iscsiDescriptors subtree. Each of these object identities is basically an enumerated type. Attributes that make use of these object identities have a value that is an Object Identifier (OID) instead of an enumerated type. These OIDs can indicate either the object identities defined in this module or object identities defined elsewhere, such as in an enterprise MIB module. Those implementations that add their own digest methods should also define a corresponding object identity for each of these methods within their own enterprise MIB module, and return its OID whenever one of these attributes is using that method.

6.16. Notifications

Three notifications are provided. One is sent by an initiator detecting a critical login failure, another is sent by a target detecting a critical login failure, and the third is sent upon a session being terminated due to an abnormal connection or digest failure. Critical failures are defined as those that may expose security-related problems that may require immediate action, such as failures due to authentication, authorization, or negotiation problems. Attributes in the initiator, target, and instance objects provide the information necessary to send in the notification, such as the initiator or target name and IP address at the other end that may have caused the failure. To avoid sending an excessive number of notifications due to multiple errors counted, an SNMP agent implementing the iSCSI MIB module SHOULD NOT send more than three iSCSI notifications in any 10-second period. The 3-in-10 rule was chosen because one notification every three seconds was deemed often enough, but should two or three different notifications happen at the same time, it would not be desirable to suppress them. Three notifications in 10 seconds is a happy medium,
ToP   noToC   RFC4544 - Page 14
   where a short burst of notifications is allowed, without inundating
   the network and/or notification host with a large number of
   notifications.



(page 14 continued on part 2)

Next Section