RE: iSCSI Login Questions

Julian,

I am in favour of Steve's suggestion. One thing that I think was clear to everyone who attended the plugfest is login complexity / flexibility must be reduced and simplified. If the spec were to mandate that the login PDU MUST only contain security parameters I believe we would make a significant move towards better login interoperability.

The initiator should be allowed to indicate SecurityContextComplete in the login PDU, but only if it supports no security. i.e.

    I->T: Login SecurityContextComplete=yes

or

    I->T: Login AuthMethod=none HeaderDigest=none DataDigest=none SecurityContextComplete=yes

should both be allowed. But if the initiator is willing to negotiate security parameters it MUST NOT send the SecurityContextComplete=yes in the login PDU, which is the example given by Steve below.

- Rod

-----Original Message-----
From: owner-ips@ece.cmu.edu [mailto:owner-ips@ece.cmu.edu]On Behalf Of Julian Satran
Sent: Thursday, July 19, 2001 11:54 PM
To: ips@ece.cmu.edu
Subject: Re: iSCSI Login Questions

Steve,

comments in text - Julo

Steve Senum <ssenum@cisco.com> on 19-07-2001 23:28:55

Please respond to Steve Senum <ssenum@cisco.com>

To: ietf-ips <ips@ece.cmu.edu>
cc:
Subject: iSCSI Login Questions

Julian:

Is the following valid (taking into account the changes requested from the UNH Plugfest)?

    I: Login: AuthMethod:none SecurityContextComplete=Yes

I would assume not, that the initiator must wait until after the initial exchange of the AuthMethod, HeaderDigest, and DataDigest keys to send the SecurityContextComplete key.

+++ It is correct because either the target will answer with T->Login AuthMethod:none SecurityContextComplete=Yes (accept and perhaps go on) or it will send a login reject and drop the connection +++++

Also, if further simplification of the login process is desired, the working group might want to consider requiring the initiator to send the AuthMethod, HeaderDigest and the DataDigest keys on the first login, so that the login sequence would always look like:

    I: Login: AuthMethod=a1,a2,aN HeaderDigest=hd1,hd2,hdN DataDigest=dd1,dd2,ddN
    T: LoginPR: AuthMethod=a1 HeaderDigest=hd1 DataDigest=dd1
    ...Authentication phase, if needed
    I: Text: SecurityContextComplete=yes
    T: Text: SecurityContextComplete=yes
    ...Operational Parameter Negotiating phase
    ...Full Feature Phase

+++ We will consider it +++

Regards,
Steve Senum
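
The restriction Rod proposes at the top of this thread, written as a check over the text keys of a login PDU. This is an added example, not part of any message in the thread or of the iSCSI draft; the function names are hypothetical and the sample PDUs are constructed from the key names and placeholder values the messages use.

```python
# Added illustration of the rule proposed in the thread; not iSCSI draft text.
# Function names are hypothetical; key names are the ones used in the messages.
SECURITY_KEYS = ("AuthMethod", "HeaderDigest", "DataDigest")


def parse_login_keys(text):
    """Parse 'Key=v1,v2 ...' (or the 'Key:v' form seen in the thread) into a dict."""
    keys = {}
    for token in text.split():
        # Split on whichever separator comes first, so values may contain ':'.
        positions = [p for p in (token.find("="), token.find(":")) if p > 0]
        if not positions:
            raise ValueError(f"not a key/value pair: {token!r}")
        sep = min(positions)
        name = token[:sep]
        if name in keys:
            raise ValueError(f"duplicate key: {name}")
        keys[name] = [v.strip().lower() for v in token[sep + 1:].split(",")]
    return keys


def keys_breaking_proposed_rule(login_text):
    """Return the security keys that make SecurityContextComplete=yes invalid.

    Proposed rule: the login PDU may carry SecurityContextComplete=yes only
    when the initiator offers no security, i.e. every security key present
    lists 'none' and nothing else. An empty list means the PDU passes.
    """
    keys = parse_login_keys(login_text)
    if keys.get("SecurityContextComplete") != ["yes"]:
        return []  # negotiation left open, nothing to check
    return [k for k in SECURITY_KEYS
            if k in keys and any(v != "none" for v in keys[k])]


if __name__ == "__main__":
    # Constructed sample login PDUs, using the placeholder values from the thread.
    samples = [
        "SecurityContextComplete=yes",
        "AuthMethod=none HeaderDigest=none DataDigest=none SecurityContextComplete=yes",
        "AuthMethod:none SecurityContextComplete=Yes",
        "AuthMethod=a1,none HeaderDigest=none DataDigest=dd1 SecurityContextComplete=yes",
        "AuthMethod=a1,a2,aN HeaderDigest=hd1,hd2,hdN DataDigest=dd1,dd2,ddN",
    ]
    for s in samples:
        bad = keys_breaking_proposed_rule(s)
        print("REJECT" if bad else "ok    ", s, bad)
```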