    Re: iSCSI Login Questions



    Barry,
    
    By my reading of the current draft, I don't think
    SecurityContextComplete=no is valid.
    
    Regards,
    Steve Senum
    
    Barry Reinhold wrote:
    > 
    > Steve,
    >         I would think that this is valid independent of the changes that have been
    > discussed at the UNH GTP. The initiator has all the information that it
    > needs for security and is indicating that by setting
    > securitycontextcomplete=yes. If the target responds with
    > AuthMethod=none and SecurityContextComplete=yes then full security phase is
    > history. However, the initiator needs to be ready to allow the target to
    > continue the negotiation. (i.e. if the initiator receives a PDU back with
    > securitycontextcomplete=no it must continue to send text commands in the
    > security phase even if it does not have any additional parameters it wishes
    > to communicate.) The target may also respond to the AuthMethod=None with
    > AuthMethod=Reject, or it might reject the login with a status of 0x0201
    > (Auth failed).
    >         All of these responses appear to be valid based on 6-97. It would probably
    > benefit us to limit the choices here.
    > >-----Original Message-----
    > >From: owner-ips@ece.cmu.edu [mailto:owner-ips@ece.cmu.edu]On Behalf Of
    > >Steve Senum
    > >Sent: Thursday, July 19, 2001 4:29 PM
    > >To: ietf-ips
    > >Subject: iSCSI Login Questions
    > >
    > >
    > >Julian:
    > >
    > >Is the following valid (taking into account the
    > >changes requested from the UNH Plugfest)?
    > >
    > >I: Login: AuthMethod:none SecurityContextComplete=Yes
    > >
    > >I would assume not, that the initiator must wait
    > >until after the initial exchange of the AuthMethod, HeaderDigest,
    > >and DataDigest keys to send the SecurityContextComplete
    > >key.
    > >
    > >Also, if further simplification of the login process
    > >is desired, the working group might want to consider requiring
    > >the initiator to send the AuthMethod HeaderDigest and
    > >the DataDigest keys on the first login, so that the
    > >login sequence would always look like:
    > >
    > >I: Login:   AuthMethod=a1,a2,aN
    > >            HeaderDigest=hd1,hd2,hdN
    > >            DataDigest=dd1,dd2,ddN
    > >T: LoginPR: AuthMethod=a1
    > >            HeaderDigest=hd1 DataDigest=dd1
    > >...Authentication phase, if needed
    > >I: Text:    SecurityContextComplete=yes
    > >T: Text:    SecurityContextComplete=yes
    > >...Operational Parameter Negotiating phase
    > >...Full Feature Phase
    > >
    > >Regards,
    > >Steve Senum
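
The simplified login sequence proposed in the original message can be checked mechanically. The sketch below is an added example, not code from the draft or from anyone on the list: it validates a captured exchange against that proposed sequence only, and the names `parse_keys`, `check_login`, `GOOD`, `BAD` and `EARLY` are hypothetical, with sample PDUs constructed from the placeholders used in the message.

```python
# Added illustration of the sequence proposed in the quoted message; not draft text.
REQUIRED = ("AuthMethod", "HeaderDigest", "DataDigest")
SCC = "SecurityContextComplete"

def parse_keys(text):
    """Split 'k1=v1,v2 k2=v3' into {key: [values]}; tokens without '=' are ignored."""
    pairs = (tok.split("=", 1) for tok in text.split() if "=" in tok)
    return {key: value.split(",") for key, value in pairs}

def check_login(pdus):
    """pdus is a list of (sender, pdu_type, key_text); returns a list of problems."""
    if len(pdus) < 2:
        return ["need at least a Login and a LoginPR"]
    problems = []
    (s0, t0, k0), (s1, t1, k1) = pdus[0], pdus[1]
    offer, choice = parse_keys(k0), parse_keys(k1)
    if (s0, t0) != ("I", "Login") or (s1, t1) != ("T", "LoginPR"):
        problems.append("exchange must open with I: Login, T: LoginPR")
    for key in REQUIRED:
        if key not in offer:
            problems.append(f"first Login is missing {key}")
        elif len(choice.get(key, [])) != 1:
            problems.append(f"target must select exactly one {key}")
        elif choice[key][0] not in offer[key]:
            # A value the initiator never offered must not be accepted silently.
            problems.append(f"target chose {key}={choice[key][0]}, which was not offered")
    if SCC in offer:
        problems.append(f"{SCC} sent before the initial key exchange")
    # The security phase closes with I: Text then T: Text, both carrying yes.
    done = [s for s, t, k in pdus[2:]
            if t == "Text" and parse_keys(k).get(SCC, [""])[0].lower() == "yes"]
    if done[-2:] != ["I", "T"]:
        problems.append(f"security phase not closed by I then T {SCC}=yes")
    return problems

# Constructed sample exchanges using the message's own placeholder values.
GOOD = [("I", "Login", "AuthMethod=a1,a2 HeaderDigest=hd1,hd2 DataDigest=dd1,dd2"),
        ("T", "LoginPR", "AuthMethod=a1 HeaderDigest=hd1 DataDigest=dd1"),
        ("I", "Text", "SecurityContextComplete=yes"),
        ("T", "Text", "SecurityContextComplete=yes")]
BAD = [GOOD[0],
       ("T", "LoginPR", "AuthMethod=a3 HeaderDigest=hd1 DataDigest=dd1"),
       GOOD[2], GOOD[3]]
EARLY = [("I", "Login", "AuthMethod=none SecurityContextComplete=Yes"),
         ("T", "LoginPR", "AuthMethod=none SecurityContextComplete=yes")]

if __name__ == "__main__":
    for name, exchange in (("GOOD", GOOD), ("BAD", BAD), ("EARLY", EARLY)):
        print(name, check_login(exchange) or "conforms to the proposed sequence")
```

`EARLY` is the single-PDU login asked about at the top of the original message; it is flagged here only because it departs from the proposed sequence, which says nothing about whether the draft itself permits it.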
    



Last updated: Tue Sep 04 01:04:15 2001