nndocs:ata-over-ethernet

Differences

This shows you the differences between two versions of the page.

nndocs:ata-over-ethernet [2024/08/22 15:23] – Security updates naptastic
nndocs:ata-over-ethernet [2024/08/23 16:02] (current) – remove bug; no longer able to reproduce. naptastic
Line 11: Line 11:
 ===Introduction to ATA over Ethernet (AoE)=== ===Introduction to ATA over Ethernet (AoE)===
 You will almost certainly never see ATA over Ethernet used in production. It was used in a few SAN products but eventually lost out to iSCSI and Fibre Channel. I'm covering it anyway, and first mainly because it's a good teaching tool. It's easy to get started, and easy to show off different concepts that will become relevant with the more popular technologies. It's also a really handy tool to have in your toolbox for moving data. You will almost certainly never see ATA over Ethernet used in production. It was used in a few SAN products but eventually lost out to iSCSI and Fibre Channel. I'm covering it anyway, and first mainly because it's a good teaching tool. It's easy to get started, and easy to show off different concepts that will become relevant with the more popular technologies. It's also a really handy tool to have in your toolbox for moving data.
- 
-Right now, it has a bug that can cause systems on the network not to shut down or reboot if there's an AoE server on the network, so it shouldn't be used in production. (I need to dig into this.) You can avoid the problem by disconnecting all AoE devices and unloading the aoe module before shutting down the host: 
-  rmmod aoe 
- 
-If my testing is right, the only things necessary for a host to crash on shutdown are (1) there is an ATA-over-Ethernet device in a broadcast domain your host is part of, and (2) the aoe module is loaded. 
  
 For full support (initiator and target) you just need two packages: For full support (initiator and target) you just need two packages:
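Review bot: dropping the whole bug paragraph also drops the only mention of the `rmmod aoe` precaution, while the revision comment says the hang could no longer be reproduced, not that it was fixed. Consider keeping a one-line note that unloading the aoe module before shutdown is harmless and sidesteps the hang if it recurs, and recording which kernel and aoe versions the retest used so readers on older systems know whether the original observation still applies to them.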
Line 97: Line 92:
  
 ===Security=== ===Security===
-ATA over Ethernet is intended to run inside of trusted networks. By default, it runs wide open: any host in the same layer 2 broadcast domain has read and write access to any exported volume. Preventing unwanted access has to be done by dividing broadcast domains. Originally that meant physical separation--different network adapters, cables, and switches. Now, that separation is more likely to be implemented inside the switch using VLANs or VXLAN tunnels.+ATA over Ethernet is intended to run inside of trusted networks. By default, it runs wide open: any host in the same layer 2 broadcast domain has full access to any exported volume. There is no distinction between read-only and read-write access. Preventing unwanted access has to be done by dividing broadcast domains. Originally that meant physical separation--different network adapters, cables, and switches. Now, that separation is more likely to be implemented inside the switch using VLANs or VXLAN tunnels.
  
-SAN technologies generally have some kind of ACL mechanism. This has benefits for security and discoverability. As a configuration or command-line option, vblade can take one or more MAC addresses to which to restrict access. Hosts not on the list can't (see|access) that device. This should not be considered an especially robust mechanism since Ethernet addresses are nearly trivial to spoof. There is also no distinction between read-only and read-write access.+SAN technologies generally have some kind of ACL mechanism. This has benefits for security and discoverability. As a configuration or command-line option, vblade can take one or more MAC addresses to which to restrict access. Hosts not on the list can't (see|access) that device. This should not be considered an especially robust mechanism since Ethernet addresses are nearly trivial to spoof.
  
 As you put these values into these configuration files, imagine that you are actually plugging different hard drives into different computers. It's not about moving data to a different drive anymore; it's about moving the drive to where the user needs it to be, and doing so in a completely virtual way. As you put these values into these configuration files, imagine that you are actually plugging different hard drives into different computers. It's not about moving data to a different drive anymore; it's about moving the drive to where the user needs it to be, and doing so in a completely virtual way.
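Review bot: the unresolved "(see|access)" alternative in the vblade MAC-restriction sentence survives in both revisions; pick one wording and state precisely what the list blocks, since "cannot see" (no discovery response) and "cannot access" (requests rejected) are different guarantees. Moving "There is no distinction between read-only and read-write access" up into the first paragraph makes it read as a statement about the protocol rather than about vblade's ACL; if that is the intent, say "the protocol has no notion of" so it is not read as a per-host ACL limitation. The spoofing caveat is the right emphasis: with MAC filtering as the only control, broadcast-domain isolation (VLAN/VXLAN or separate adapters) remains the actual security boundary.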
nndocs/ata-over-ethernet.1724340226.txt.gz · Last modified: 2024/08/22 15:23 by naptastic