Please find herein (and attached) the draft opinion for case PSARC
2008/310, which held inception on 2008/07/09.
I am inviting feedback, comments, revision, and complaints.
Sun Microsystems Systems Architecture Committee
_________________________________________________________________
Subject: FCoE (Fibre Channel over Ethernet) Target
Submitted by: Zhong Wang
File: PSARC/2008/310/opinion.txt
Date: July 29th, 2008.
Committee: Mark Carlson (opinion written by Mark Martin),
Rick Mathews. Minority: Darren J Moffat
Product Approval Committee:
Solaris PAC
solaris-pac-opinion at sun.com
1. Summary
This project provides FCoE (Fibre Channel over Ethernet) capability to
Solaris based on COMSTAR (the SCSI target framework) by using selected
Gigabit and 10GbE NICs, instead of special hardware adapters (CNA).
2. Decision & Precedence Information
The project is approved as specified in reference [1].
The project may be delivered in a minor release.
The project depends on the following projects.
PSARC/2007/523 COMSTAR: Common Multiprotocol SCSI Target
PSARC/2004/291 Fibre Channel HBA Port Utility
PSARC/2004/571 Nemo - a.k.a. GLD v3
PSARC/2006/357 Crossbow - Network Virtualization and Resource Management
3. Interfaces
Imported interfaces:
- COMSTAR FCA interface
- GLDv3 mac client interface
Exported interfaces:
- fcoe client interface (project private)
- ioctls of fcoe and fcoet drivers (project private)
4. Opinion
One issue raised was related to lack of support for the FC-SP protocol,
which is an emerging security standard for FCoE. The project team
explained that this standard was not fully defined, and that security
could be enabled through the network topology (i.e. protected private
networks in the data centers). Further opinion on this issue can be
found in the minority opinion.
An additional issue raised was the lack of an RBAC profile for the fcadm
command. A bug fix will be logged to address this -- it will not be
part of this case.
5. Minority Opinion(s)
The minority voted to deny this case based on the data security issues.
FCoE has a defined security protocol, FC-SP, that the project team has
chosen not to implement. The rationale for not implementing it is weak in
the opinion of the minority. The project team stated that the risk was low
because FCoE is used only on the local LAN - assuming the local LAN is
secure is false; it is often the most dangerous place on the network. The
other part of the rationale was the project team claimed that FC-SP hadn't
been widely implemented in the industry. If this is true, it presents an
opportunity for Sun to lead rather than trail; if we can be the best and
most secure implementation of FCoE, that gives us a technical advantage we
can market with. However, based on the minority's brief search, at least
the following vendors have FC-SP support in at least one of their FCoE
products, including Solaris drivers: Emulex, Cisco, Qlogic (Solaris),
Brocade (Solaris).
Even if other vendors don't implement FC-SP for their FCoE implementation,
if Solaris does then at least Solaris to Solaris connections can be
secured.
FC-SP is important because it provides authentication, data integrity and
data confidentiality of the data sent over the FC network.
The minority also requests that the case have a TCR to document the
security risks of unprotected FCoE traffic in the man pages and
docs.sun.com documentation. The minority also requests Advice that the
project team write a Sun Blueprint on how to adequately secure FCoE traffic
in the absence of FC-SP.
6. Advisory Information
None.
7. Appendices
7.1. Appendix A: Technical Changes Required
None.
7.2. Appendix B: Technical Changes Advised
None.
7.3. Appendix C: Reference Material
Unless stated otherwise, path names are relative to the case directory
PSARC/2008/310.
1 Onepager
File: onepager
2 Inception minutes
File: 20080709-2008-310-inception
3 Issues
File: issues
4 PSARC 20 Questions.
File: inception-materials/fcoe_target_20q
5 Man page
File: inception-materials/fcadm.man
6 Functional Specification
File: inception-materials/fcoe_target_func_spec_v102.pdf
7.4 Related Non-Sun Projects
Part of fcoet driver source is ported from Open-FCoE (a Linux based software
FCoE implementation) under BSD license.
Homepage is at http://www.open-fcoe.org
PSARC/2008/310 Copyright 2008 Sun Microsystems