
    RE: iSCSI Login Questions



    Julian,
    
    	I am in favour of Steve's suggestion. One thing that I
    think was clear to everyone who attended the plugfest is
    login complexity / flexibility must be reduced and
    simplified.
    
    	If the spec were to mandate that the login PDU MUST only
    contain security parameters I believe we would make a
    significant move towards better login interoperability.
    
    	The initiator should be allowed to indicate
    SecurityContextComplete in the login PDU, but only if it
    supports no security.
    
    i.e.
    
    	I->T: Login SecurityContextComplete=yes
    or
    	I->T: Login AuthMethod=none
    			HeaderDigest=none
    			DataDigest=none
    			SecurityContextComplete=yes
    
    	should both be allowed. But if the initiator is willing to
    negotiate security parameters it MUST NOT send the
    SecurityContextComplete=yes in the login PDU, which is the
    example given by Steve below.
    
    	- Rod
    
    -----Original Message-----
    From: owner-ips@ece.cmu.edu [mailto:owner-ips@ece.cmu.edu] On Behalf Of Julian Satran
    Sent: Thursday, July 19, 2001 11:54 PM
    To: ips@ece.cmu.edu
    Subject: Re: iSCSI Login Questions
    
    
    Steve,
    
    comments in text - Julo
    
    Steve Senum <ssenum@cisco.com> on 19-07-2001 23:28:55
    
    Please respond to Steve Senum <ssenum@cisco.com>
    
    To:   ietf-ips <ips@ece.cmu.edu>
    cc:
    Subject:  iSCSI Login Questions
    
    
    
    
    Julian:
    
    Is the following valid (taking into account the
    changes requested from the UNH Plugfest)?
    
    I: Login: AuthMethod:none SecurityContextComplete=Yes
    
    I would assume not, that the initiator must wait
    until after the initial exchange of the AuthMethod,
    HeaderDigest, and DataDigest keys to send the
    SecurityContextComplete key.
    +++ It is correct because either the target will answer with
    T->Login AuthMethod:none SecurityContextComplete=Yes (accept
    and perhaps go on)
    
    or it will send a login reject and drop the connection
    
    +++++
    Also, if further simplification of the login process
    is desired, the working group might want to consider
    requiring the initiator to send the AuthMethod HeaderDigest
    and the DataDigest keys on the first login, so that the
    login sequence would always look like:
    
    I: Login:   AuthMethod=a1,a2,aN
                HeaderDigest=hd1,hd2,hdN
                DataDigest=dd1,dd2,ddN
    T: LoginPR: AuthMethod=a1
                HeaderDigest=hd1 DataDigest=dd1
    ...Authentication phase, if needed
    I: Text:    SecurityContextComplete=yes
    T: Text:    SecurityContextComplete=yes
    ...Operational Parameter Negotiating phase
    ...Full Feature Phase
    
    +++
    We will consider it
    +++
    
    Regards,
    Steve Senum
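
Added example, not part of the original messages or of the iSCSI specification: a check of the rule proposed at the top of this thread, that the first login PDU carries only security parameters and may include SecurityContextComplete=yes only when the initiator offers no security. It assumes the four keys named in the thread are the security parameters and parses the thread's whitespace-separated notation, not the wire format; the function names and `ExampleOperationalKey` are hypothetical.

```python
# Keys the thread names as security parameters (assumption: exactly these four).
SECURITY_KEYS = {"AuthMethod", "HeaderDigest", "DataDigest", "SecurityContextComplete"}
NEGOTIABLE = ("AuthMethod", "HeaderDigest", "DataDigest")


def parse_keys(text):
    """Parse 'Key=v1,v2 Key2=v' as written in the thread (not the wire format)."""
    keys = {}
    for token in text.split():
        name, sep, value = token.partition("=")
        if not (name and sep and value):
            raise ValueError(f"malformed key=value token: {token!r}")
        if name in keys:
            raise ValueError(f"duplicate key: {name}")
        keys[name] = [v.strip().lower() for v in value.split(",")]
    return keys


def check_first_login(text):
    """Return violations of the proposed rule; an empty list means acceptable."""
    keys = parse_keys(text)
    problems = []
    extra = sorted(set(keys) - SECURITY_KEYS)
    if extra:
        problems.append("non-security keys in login PDU: " + ",".join(extra))
    if keys.get("SecurityContextComplete") == ["yes"]:
        # An absent key or a lone 'none' means no security is offered for it.
        offered = [k for k in NEGOTIABLE if keys.get(k, ["none"]) != ["none"]]
        if offered:
            problems.append(
                "SecurityContextComplete=yes sent while offering: " + ",".join(offered))
    return problems


if __name__ == "__main__":
    # Constructed samples using the thread's placeholder values (a1, hd1, dd1).
    samples = [
        "SecurityContextComplete=yes",
        "AuthMethod=none HeaderDigest=none DataDigest=none SecurityContextComplete=yes",
        "AuthMethod=a1,a2 HeaderDigest=hd1,none DataDigest=none SecurityContextComplete=yes",
        "AuthMethod=a1,a2 HeaderDigest=hd1 DataDigest=dd1",
        "AuthMethod=none ExampleOperationalKey=1",
    ]
    for pdu in samples:
        print(pdu, "->", check_first_login(pdu) or "ok")
```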
    
    
    
    



Last updated: Tue Sep 04 01:04:15 2001