Re: iSCSI Login Questions
Qin,
The question Steve raised was if the example is correct and the example is
correct.
In the example the initiator clearly indicates that it is not offering
any Authentication method ("none") and it might as well conclude the
security phase.
It does not need any additional exchange.
The target can reject the login.
The fact that there is no such case included in the examples does not make it
incorrect.
As for the SecurityContextComplete, Steve has chosen a strictly literal
interpretation of the relevant paragraph from 4.2:
The SecurityContextComplete handshake MUST be performed if any of
negotiating parties has offered a security/integrity item (even if it
is not selected).
Julo
Qin Tao <qtao@cs.unh.edu> on 23-07-2001 05:34:33
Please respond to Qin Tao <qtao@cs.unh.edu>
To: Julian Satran/Haifa/IBM@IBMIL
cc: ips@ece.cmu.edu
Subject: Re: iSCSI Login Questions
Hi, Julian:
I don't think "SecurityContextComplete=yes" should be used in the Login
Command together with security parameters (as in Cases 1&3).
Draft 07, Clause 4.1 says:
"-Every party in the security negotiation indicates that it has
completed building its security context (has all the required
^^^^^^^^^^^^^^^^^
information) by sending the key=value pair:
^^^^^^^^^^^
SecurityContextComplete=yes"
When the Login Command is sent out, the initiator has no idea how the
target would respond; how could it "has all the required information"?
In Case 1, the initiator limits the response from target by providing only
one option for each parameter, so that it has a good guess of the
response. However, "a text response including only
SecurityContextComplete=yes concludes the security sub-phase" (page 101 in
draft 7). The initiator still needs to send SecurityContextComplete=yes
in the next Text Command and wait for a Text Response with
SecurityContextComplete=yes only to end the security sub-phase. It is
meaningless to include the SecurityContextComplete=yes so early in the
Login Command.
If both Cases 2 and 3 are correct, sending "SecurityContextComplete=yes"
becomes optional and loses its value to be used. I also checked the "Login
Phase Examples" in Appendix A and I did not find any example with
"SecurityContextComplete=yes" in Login Command. Could you please give more
explanations on this issue?
Thanks.
Qin
On Sat, 21 Jul 2001, Julian Satran wrote:
>
> Steve,
>
> All are correct.
>
> Julo
>
> Steve Senum <ssenum@cisco.com> on 20-07-2001 21:13:47
>
> Please respond to Steve Senum <ssenum@cisco.com>
>
> To: ips@ece.cmu.edu
> cc:
> Subject: Re: iSCSI Login Questions
>
>
>
>
> Julian,
>
> Thanks for the reply.
>
> I have a few more cases I would like to be sure of.
> Please comment on whether you think the given sequence
> is valid.
>
>
> Case 1:
>
> I-> Login    AuthMethod=none
>              HeaderDigest=crc-32C
>              DataDigest=crc-32C
>              SecurityContextComplete=yes
> T-> Login-PR AuthMethod=none
>              HeaderDigest=crc-32C
>              DataDigest=crc-32C
>              SecurityContextComplete=yes
>
>
> Case 2:
>
> I-> Login    AuthMethod=none
>              HeaderDigest=crc-32C,none
>              DataDigest=crc-32C,none
> T-> Login-PR AuthMethod=none
>              HeaderDigest=crc-32C
>              DataDigest=crc-32C
>              SecurityContextComplete=yes
> I-> Text     SecurityContextComplete=yes
> T-> Text     SecurityContextComplete=yes
>
>
> Case 3:
>
> I-> Login    AuthMethod=none
>              HeaderDigest=crc-32C,none
>              DataDigest=crc-32C,none
>              SecurityContextComplete=yes
> T-> Login-PR AuthMethod=none
>              HeaderDigest=crc-32C
>              DataDigest=crc-32C
>              SecurityContextComplete=yes
>
>
> Thanks,
> Steve Senum
>
>
>
>
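
Added example (not part of the original thread, and not code from the iSCSI draft or its authors): the three sequences above, checked for the properties the two readings disagree on. The names CASES, parse and analyse are hypothetical, and the PDUs are transcribed from Steve Senum's message.

```python
SCC = "SecurityContextComplete"

# The three sequences from the thread, transcribed as
# (sender, PDU type, space-separated key=value pairs).
D1 = "HeaderDigest=crc-32C DataDigest=crc-32C"            # single value
D2 = "HeaderDigest=crc-32C,none DataDigest=crc-32C,none"  # list offered
CASES = {
    1: [("I", "Login", f"AuthMethod=none {D1} {SCC}=yes"),
        ("T", "Login-PR", f"AuthMethod=none {D1} {SCC}=yes")],
    2: [("I", "Login", f"AuthMethod=none {D2}"),
        ("T", "Login-PR", f"AuthMethod=none {D1} {SCC}=yes"),
        ("I", "Text", f"{SCC}=yes"),
        ("T", "Text", f"{SCC}=yes")],
    3: [("I", "Login", f"AuthMethod=none {D2} {SCC}=yes"),
        ("T", "Login-PR", f"AuthMethod=none {D1} {SCC}=yes")],
}

def parse(text):
    """Split 'k=v k=a,b' into {key: [values]}; more than one value is an open offer."""
    pairs = (item.split("=", 1) for item in text.split())
    return {k: v.split(",") for k, v in pairs}

def analyse(seq):
    """Report, for one sequence, the properties the thread argues about."""
    pdus = [(who, kind, parse(text)) for who, kind, text in seq]
    said_complete = {who for who, _, kv in pdus if kv.get(SCC) == ["yes"]}
    return {
        # Both parties sent SecurityContextComplete=yes at some point.
        "both_complete": said_complete == {"I", "T"},
        # Reading cited by Qin (page 101): a target response carrying
        # only SecurityContextComplete=yes concludes the sub-phase.
        "scc_only_response": any(who == "T" and set(kv) == {SCC}
                                 for who, _, kv in pdus),
        # Qin's objection: the initiator declares completion in a PDU
        # that still offers more than one value for some key.
        "complete_with_open_offer": any(
            who == "I" and SCC in kv and any(len(v) > 1 for v in kv.values())
            for who, _, kv in pdus),
    }

if __name__ == "__main__":
    for number, seq in CASES.items():
        print(f"Case {number}: {analyse(seq)}")
```

Only Case 2 ends with a response containing SecurityContextComplete=yes alone, and only Case 3 has the initiator declaring completion while its digest offers are still lists.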