Tech-invite3GPPspaceIETF RFCsSIP
93929190898887868584838281807978777675747372717069686766656463626160595857565554535251504948474645444342414039383736353433323130292827262524232221201918171615141312111009080706050403020100
in Index   Prev   Next

RFC 7147

Definitions of Managed Objects for the Internet Small Computer System Interface (iSCSI)

Pages: 92
Proposed Standard
Obsoletes:  4544
Part 4 of 4 – Pages 88 to 92
First   Prev   None

Top   ToC   RFC7147 - Page 88   prevText

8. Security Considerations

There are a number of management objects defined in this MIB module with a MAX-ACCESS clause of read-write and/or read-create. Such objects may be considered sensitive or vulnerable in some network environments. The support for SET operations in a non-secure environment without proper protection can have a negative effect on network operations. These are the tables and objects and their sensitivity/vulnerability: iscsiPortalAttributesTable, iscsiTgtPortalAttributesTable, and iscsiIntrPortalAttributesTable can be used to add or remove IP addresses to be used by iSCSI. iscsiTgtAuthAttributesTable entries can be added or removed, to allow or disallow access to a target by an initiator. Some of the readable objects in this MIB module (i.e., objects with a MAX-ACCESS other than not-accessible) may be considered sensitive or vulnerable in some network environments. It is thus important to control even GET and/or NOTIFY access to these objects and possibly to even encrypt the values of these objects when sending them over the network via SNMP. These are the tables and objects and their sensitivity/vulnerability: iscsiNodeAttributesTable, iscsiTargetAttributesTable, and iscsiTgtAuthorization can be used to glean information needed to make connections to the iSCSI targets this module represents. However, it is the responsibility of the initiators and targets involved to authenticate each other to ensure that an inappropriately advertised or discovered initiator or target does not compromise their security. These issues are discussed in [RFC7143].
Top   ToC   RFC7147 - Page 89
   SNMP versions prior to SNMPv3 did not include adequate security.
   Even if the network itself is secure (for example by using IPsec),
   even then, there is no control as to who on the secure network is
   allowed to access and GET/SET (read/change/create/delete) the objects
   in this MIB module.

   Implementations SHOULD provide the security features described by the
   SNMPv3 framework (see [RFC3410]), and implementations claiming
   compliance to the SNMPv3 standard MUST include full support for
   authentication and privacy via the User-based Security Model (USM)
   [RFC3414] with the AES cipher algorithm [RFC3826].  Implementations
   MAY also provide support for the Transport Security Model (TSM)
   [RFC5591] in combination with a secure transport such as SSH
   [RFC5592] or TLS/DTLS [RFC6353].

   Further, deployment of SNMP versions prior to SNMPv3 is NOT
   RECOMMENDED.  Instead, it is RECOMMENDED to deploy SNMPv3 and to
   enable cryptographic security.  It is then a customer/operator
   responsibility to ensure that the SNMP entity giving access to an
   instance of this MIB module is properly configured to give access to
   the objects only to those principals (users) that have legitimate
   rights to indeed GET or SET (change/create/delete) them.

9. IANA Considerations

The MIB module in this document uses the following IANA-assigned OBJECT IDENTIFIER value recorded in the "SMI Network Management MGMT Codes Internet-standard MIB" registry: Descriptor OBJECT IDENTIFIER value ---------- ----------------------- iscsiMibModule { mib-2 142 } IANA has updated the reference for the mib-2 142 identifier to refer to this document.

10. References

10.1. Normative References

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC2578] McCloghrie, K., Ed., Perkins, D., Ed., and J. Schoenwaelder, Ed., "Structure of Management Information Version 2 (SMIv2)", STD 58, RFC 2578, April 1999.
Top   ToC   RFC7147 - Page 90
   [RFC2579]  McCloghrie, K., Ed., Perkins, D., Ed., and J.
              Schoenwaelder, Ed., "Textual Conventions for SMIv2", STD
              58, RFC 2579, April 1999.

   [RFC2580]  McCloghrie, K., Ed., Perkins, D., Ed., and J.
              Schoenwaelder, Ed., "Conformance Statements for SMIv2",
              STD 58, RFC 2580, April 1999.

   [RFC3411]  Harrington, D., Presuhn, R., and B. Wijnen, "An
              Architecture for Describing Simple Network Management
              Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,
              December 2002.

   [RFC3414]  Blumenthal, U. and B. Wijnen, "User-based Security Model
              (USM) for version 3 of the Simple Network Management
              Protocol (SNMPv3)", STD 62, RFC 3414, December 2002.

   [RFC3720]  Satran, J., Meth, K., Sapuntzakis, C., Chadalapaka, M.,
              and E. Zeidner, "Internet Small Computer Systems Interface
              (iSCSI)", RFC 3720, April 2004.

   [RFC3826]  Blumenthal, U., Maino, F., and K. McCloghrie, "The
              Advanced Encryption Standard (AES) Cipher Algorithm in the
              SNMP User-based Security Model", RFC 3826, June 2004.

   [RFC4001]  Daniele, M., Haberman, B., Routhier, S., and J.
              Schoenwaelder, "Textual Conventions for Internet Network
              Addresses", RFC 4001, February 2005.

   [RFC4545]  Bakke, M. and J. Muchow, "Definitions of Managed Objects
              for IP Storage User Identity Authorization", RFC 4545, May
              2006.

   [RFC5591]  Harrington, D. and W. Hardaker, "Transport Security Model
              for the Simple Network Management Protocol (SNMP)", RFC
              5591, June 2009.

   [RFC5592]  Harrington, D., Salowey, J., and W. Hardaker, "Secure
              Shell Transport Model for the Simple Network Management
              Protocol (SNMP)", RFC 5592, June 2009.

   [RFC6353]  Hardaker, W., "Transport Layer Security (TLS) Transport
              Model for the Simple Network Management Protocol (SNMP)",
              RFC 6353, July 2011.

   [RFC7143]  Chadalapaka, M., Satran, J., Meth, K., and D. Black,
              "Internet Small Computer System Interface (iSCSI) Protocol
              (Consolidated)", RFC 7143, April 2014.
Top   ToC   RFC7147 - Page 91
   [RFC7144]  Knight, F. and M. Chadalapaka, "Internet Small Computer
              System Interface (iSCSI) SCSI Features Update", RFC 7144,
              April 2014.

10.2. Informative References

[RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart, "Introduction and Applicability Statements for Internet- Standard Management Framework", RFC 3410, December 2002. [RFC4022] Raghunarayan, R., Ed., "Management Information Base for the Transmission Control Protocol (TCP)", RFC 4022, March 2005. [RFC4455] Hallak-Stamler, M., Bakke, M., Lederman, Y., Krueger, M., and K. McCloghrie, "Definition of Managed Objects for Small Computer System Interface (SCSI) Entities", RFC 4455, April 2006. [RFC4544] Bakke, M., Krueger, M., McSweeney, T., and J. Muchow, "Definitions of Managed Objects for Internet Small Computer System Interface (iSCSI)", RFC 4544, May 2006.

11. Acknowledgments

The contents of this document were largely written as RFC 4544 by Mark Bakke (Cisco), Marjorie Krueger (Hewlett-Packard), Tom McSweeney (IBM), and James Muchow (QLogic). A special thank you to Marjorie, Tom, and James for their hard work and especially to James for his attention to detail on this work. In addition to the authors, several people contributed to the development of this MIB module. Thanks especially to those who took the time to participate in our weekly conference calls to build our requirements, object models, table structures, and attributes: John Hufferd, Tom McSweeney (IBM), Kevin Gibbons (Nishan Systems), Chad Gregory (Intel), Jack Harwood (EMC), Hari Mudaliar (Adaptec), Ie Wei Njoo (Agilent), Lawrence Lamers (SAN Valley), Satish Mali (Stonefly Networks), and William Terrell (Troika). Special thanks to Tom McSweeney, Ie Wei Njoo, and Kevin Gibbons, who wrote the descriptions for many of the tables and attributes in this MIB module, to Ayman Ghanem for finding and suggesting changes for many problems in this module, and to Keith McCloghrie for serving as advisor to the team. Thanks to Mike MacFaden (VMWare), David Black (EMC), and Tom Talpey (Microsoft) for their valuable inputs.
Top   ToC   RFC7147 - Page 92

Authors' Addresses

Mark Bakke Dell 7625 Smetana Lane Eden Prairie, MN 55344 USA EMail: mark_bakke@dell.com Prakash Venkatesen HCL Technologies Ltd. 50-53, Greams Road, Chennai - 600006 India EMail: prakashvn@hcl.com