|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: iSCSI LoginMathew, Answers in text - Julo "BURBRIDGE,MATTHEW (HP-UnitedKingdom,ex2)" <matthew_burbridge@hp.com> on 15/03/2001 11:43:33 Please respond to "BURBRIDGE,MATTHEW (HP-UnitedKingdom,ex2)" <matthew_burbridge@hp.com> To: ips@ece.cmu.edu cc: Subject: iSCSI Login Hi Julian, A couple of items: 1) Section 4.1 (iSCSI Rev 5) states that: The target can answer in the following ways: -Login Response with Login Reject (and F bit 1). This is an immediate rejection from the target, that causes the session to terminate I agree that this could be the case for a security breach - authentication failed but what if the target only supports one connection per session and the initiator is attempting to set up another connection. Surely, the new login should be rejected but the session remains intact. +++ will fix - the new text will be: Login Response with Login Reject (and F bit 1). This is an immediate rejection from the target, that causes the connection to terminate. If this connection is the leading or only connection of a session the session is also terminated. ++++ 2) Still on the subject of login: In section 4, page 74, the spec states that: "The initiator and target MAY want to negotiate authentication and data integrity parameters. Once this negotiation is completed, the channel is considered secure." It is unclear as to the mandated handling of conflicting/differing authentication mechanisms negotiated on multiple connections participating in the same session. I propose that the spec should state that if authentication is required then the same authentication method MUST be used on all connections in a session. +++ we are going to add the following clarification text to 8.1 (I hope it answers also your implied question). Each connection in a session may operate in a different security protection mode. Some connection may use private networks and require minimal protection while others may use public networks and require the highest level of protection. ++++ Cheers Matthew Burbridge Network Infrastructure Solutions Hewlett Packard Bristol +44 117 312 7010 E-mail: matthewb@bri.hp.com
Home Last updated: Tue Sep 04 01:05:20 2001 6315 messages in chronological order |