Re: iSCSI Login

To: ips@ece.cmu.edu
Subject: Re: iSCSI Login
From: julian_satran@il.ibm.com
Date: Thu, 15 Mar 2001 16:34:16 +0200
Content-Disposition: inline
Content-type: text/plain; charset=us-ascii
Sender: owner-ips@ece.cmu.edu



Mathew,

Answers in text - Julo

"BURBRIDGE,MATTHEW (HP-UnitedKingdom,ex2)" <matthew_burbridge@hp.com> on
15/03/2001 11:43:33

Please respond to "BURBRIDGE,MATTHEW (HP-UnitedKingdom,ex2)"
      <matthew_burbridge@hp.com>

To:   ips@ece.cmu.edu
cc:
Subject:  iSCSI Login




Hi Julian,

A couple of items:

1) Section 4.1 (iSCSI Rev 5) states that:

The target can answer in the following ways:

      -Login Response with Login Reject (and F bit 1).  This is an
      immediate rejection from the target, that causes the session to
      terminate

I agree that this could be the case for a security breach - authentication
failed but what if the target only supports one connection per session and
the initiator is attempting to set up another connection.  Surely, the new
login should be rejected but the session remains intact.


+++ will fix - the new text will be:

Login Response with Login Reject (and F bit 1).  This is an immediate
rejection from the target, that causes the connection to terminate. If this
connection is the leading or only connection of a session the session is
also terminated.

++++
2) Still on the subject of login:  In section 4, page 74, the spec states
that:

  "The initiator and target MAY want to negotiate authentication and
   data integrity parameters. Once this negotiation is completed, the
   channel is considered secure."

It is unclear as to the mandated handling of conflicting/differing
authentication mechanisms negotiated on multiple connections participating
in the same session.  I  propose that the spec should state that if
authentication is required then the same authentication method MUST
be used on all connections in a session.


+++ we are going to add the following clarification text to 8.1 (I hope it
answers also your implied question).

   Each connection in a session may operate in a different security
   protection mode.  Some connection may use private networks and require
   minimal protection while others may use public networks and require the
   highest level of protection.

   ++++


Cheers

Matthew Burbridge
Network Infrastructure Solutions
Hewlett Packard
Bristol
+44 117 312 7010
E-mail: matthewb@bri.hp.com

Prev by Date: Re: FCIP iFCP encapsulation proposal
Next by Date: Re: Some thoughts about draft 05 of iSCSI
Prev by thread: iSCSI Login
Next by thread: Re: iSCSI Login
Index(es):
- Date
- Thread

Home

Last updated: Tue Sep 04 01:05:20 2001
6315 messages in chronological order