SORT BY:

LIST ORDER
THREAD
AUTHOR
SUBJECT


SEARCH

IPS HOME


    [Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

    RE: iSCSI: response to second login (with same ISID)



    Stephen, Santosh, and All,
    
    I am a bit weak in my understanding of authentication.  (Is the initiator
    being authenticated, or the driver on the initiator, or the application on
    the initiator, or the user of the application on the initiator, etc.)  My
    impression is that authentication means that something within the initiator
    can somehow prove its identity to the target (and vise versa).  The
    initiator is not proving its intentions.
    
    I know from personal experience how easy it is for an authorized user to
    unintentionally start a second copy of a backup program, while the tape
    drive is still in use.  This should be a harmless mistake.  What kind of
    traffic cop would prevent this request from making it to the iSCSI target
    and terminating the session already in progress?  (Rhetorical question,
    please do not describe for me such a mechanism ;)
    
    I do not dispute the need to be able to clean up stale sessions.  I would
    prefer that this be handled by timeout and/or explicit request rather than
    presuming that *every* "authenticated" request to establish a session with
    the same ISID is an *intentional* attempt to logout any other active session
    with that ISID.
    
    When I attempt a duplicate login for the same ISID, I would like to be able
    to get an error response code for "session already logged in".  Then I would
    have a choice of whether I will quit, try again later, try again immediately
    with a "login unconditionally" flag, or try again with a different ISID.
    
    In some situations, such as kernel drivers, "login unconditionally" could be
    used on every attempt to save time.  The ISID's for kernel drivers may need
    to be reserved (and pre-configured) so that a kernel reboot after an
    ungraceful shutdown will automatically recover all the kernel's sessions.
    However if two copies of an application attempt to open sessions to the same
    iSCSI URL from the same host at the same time, the second should not disrupt
    the first.  I'm not sure what will force them to have different ISID's, or
    how they would even try to each pick a unique one.
    
    I would like to somehow leave the [programmer of the] iSCSI initiator a
    choice.
    
    Whatever mechanism is chosen to globally assign and/or reserve ISID's within
    an initiator is not specified by iSCSI and so will be a local convention.
    Software not adhering to the local convention (perhaps unaware of the
    correct local convention) could at least operate non-disruptively by probing
    for an available ISID, but only if automatic logout of pre-existing sessions
    is never done, or is selectable rather than always unconditional.
    
    So I guess what I am suggesting is a bit in the Login PDU to select behavior
    1) or behavior 2).
    
    "1) REJECT the login with some error code (that the iSCSI initiator can
    understand or infer to mean "ISID in use") and leave the pre-existing
    session alone
    2) CLOSE the pre-existing session (and abort all it's tasks) and then
    process the new login fresh."
    
    I now believe both are needed.
    
    Thanks,
    Nick
    > -----Original Message-----
    > From: Stephen Bailey [mailto:steph@cs.uchicago.edu]
    > Sent: Tuesday, May 22, 2001 9:09 PM
    > To: ips@ece.cmu.edu
    > Subject: Re: iSCSI: response to second login (with same ISID) 
    > 
    > 
    > Nick,
    > 
    > > If I read Steph Bailey's comments on this right (from the 
    > ERT work), the
    > > target would have to authenticate the 2nd login on the same 
    > ISID [as it
    > > does with any other login] and only take action when 
    > authentication is
    > > successful.
    > 
    > What he said.
    > 
    > Steph
    > 
    


Home

Last updated: Tue Sep 04 01:04:38 2001
6315 messages in chronological order