RE: iSCSI Login Questions

To: "Julian Satran" <Julian_Satran@il.ibm.com>, <ips@ece.cmu.edu>
Subject: RE: iSCSI Login Questions
From: "Rod Harrison" <rod.harrison@windriver.com>
Date: Fri, 20 Jul 2001 17:31:52 -0700
Content-Transfer-Encoding: 7bit
Content-Type: text/plain;charset="us-ascii"
Importance: Normal
In-Reply-To: <OF607EA0E9.BC46DFB3-ONC2256A8F.00257B47@telaviv.ibm.com>
Sender: owner-ips@ece.cmu.edu

Julian,

	I am in favour of Steve's suggestion. One thing that I
think was clear to everyone who attended the plugfest is
login complexity / flexibility must be reduced and
simplified.

	If the spec were to mandate that the login PDU MUST only
contain security parameters I believe we would make a
significant move towards better login interoperability.

	The initiator should be allowed to indicate
SecurityContextComplete in the login PDU, but only if it
supports no security.

i.e.

	I->T: Login SecurityContextComplete=yes
or
	I->T: Login AuthMethod=none
			HeaderDigest=none
			DataDigest=none
			SecurityContextComplete=yes

	should both be allowed. But if the initiator is willing to
negotiate security parameters it MUST NOT send the
SecurityContextComplete=yes in the login PDU, which is the
example given by Steve below.

	- Rod

-----Original Message-----
From: owner-ips@ece.cmu.edu [mailto:owner-ips@ece.cmu.edu]On
Behalf Of
Julian Satran
Sent: Thursday, July 19, 2001 11:54 PM
To: ips@ece.cmu.edu
Subject: Re: iSCSI Login Questions


Steve,

comments in text - Julo

Steve Senum <ssenum@cisco.com> on 19-07-2001 23:28:55

Please respond to Steve Senum <ssenum@cisco.com>

To:   ietf-ips <ips@ece.cmu.edu>
cc:
Subject:  iSCSI Login Questions




Julian:

Is the following valid (taking into account the
changes requested from the UNH Plugfest)?

I: Login: AuthMethod:none SecurityContextComplete=Yes

I would assume not, that the initiator must wait
until after the initial exchange of the AuthMethod,
HeaderDigest,
and DataDigest keys to send the SecurityContextComplete
key.
+++ It is correct because either the target will answer with
T->Login AuthMethod:none SecurityContextComplete=Yes (accept
and perhaps
goon)

or it wil send a login reject and drop the connection

+++++
Also, if further simplification of the login process
is desired, the working group might want to consider
requiring
the initiator to send the AuthMethod HeaderDigest and
the DataDigest keys on the first login, so that the
login sequence would always look like:

I: Login:   AuthMethod=a1,a2,aN
            HeaderDigest=hd1,hd2,hdN
            DataDigest=dd1,dd2,ddN
T: LoginPR: AuthMethod=a1
            HeaderDigest=hd1 DataDigest=dd1
...Authentication phase, if needed
I: Text:    SecurityContextComplete=yes
T: Text:    SecurityContextComplete=yes
...Operational Parameter Negotiating phase
...Full Feature Phase

+++
We will consider it
+++

Regards,
Steve Senum

References:
- Re: iSCSI Login Questions
  - From: "Julian Satran" <Julian_Satran@il.ibm.com>

Prev by Date: Re: iSCSI draft-07 Padding
Next by Date: iSCSI state transitions
Prev by thread: Re: iSCSI Login Questions
Next by thread: Re: iSCSI Login Questions
Index(es):
- Date
- Thread

Home

Last updated: Tue Sep 04 01:04:15 2001
6315 messages in chronological order