Re: iSCSI Login Questions

To: "Julian Satran" <Julian_Satran@il.ibm.com>
Subject: Re: iSCSI Login Questions
From: "Eddy Quicksall" <ESQuicksall@hotmail.com>
Date: Mon, 23 Jul 2001 14:44:04 -0400
Cc: <ips@ece.cmu.edu>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="iso-8859-1"
References: <OFCFCBB342.6BC45DB7-ONC2256A92.001E8C3F@telaviv.ibm.com>
Sender: owner-ips@ece.cmu.edu

One other question that came up at UNH was the following:

If an initiator says "AuthMethod=none<0> DataDigest=none<0>
HeaderDigest=none" in the initial login, does that mean the parties have to
use the SecurityContextComplete handshake?

Does the scope of "even if it is not selected" below include the above?

Eddy

----- Original Message -----
From: "Julian Satran" <Julian_Satran@il.ibm.com>
To: <ips@ece.cmu.edu>
Sent: Monday, July 23, 2001 1:50 AM
Subject: Re: iSCSI Login Questions


>
> Qin,
>
> The question Steve raised was if the example is correct and the example is
> correct.
>
> In the example the initiator clearly indicates that it is not offering
> any Authentication method ( "none") and it might as well conclude the
> security phase.
> It does not need any additional exchange.
>
> The target can reject the login.
>
> The fact that it is no such case  included in examples does not make it
> incorrect.
>
> As for the SecurityContextComplete Steve has chose a strictly literal
> interpretation of the relevant paragraph from 4.2:
>
>       The SecurityContextComplete handshake MUST be performed if any of
>       negotiating parties has offered a security/integrity item (even if
it
>       is not selected).
>
> Julo
>
>
>
>
> Qin Tao <qtao@cs.unh.edu> on 23-07-2001 05:34:33
>
> Please respond to Qin Tao <qtao@cs.unh.edu>
>
> To:   Julian Satran/Haifa/IBM@IBMIL
> cc:   ips@ece.cmu.edu
> Subject:  Re: iSCSI Login Questions
>
>
>
>
> Hi, Julian:
>
> I don't think "SecurityContextComplete=yes" should be used in the Login
> Command together with security parameters(as in Cases 1&3).
>
> Draft 07,Clause 4.1 says:
>
> "-Every party in the security negotiation indicates that it has
>  completed building its security context (has all the required
>                                ^^^^^^^^^^^^^^^^^
>  information) by sending the key=value pair:
>  ^^^^^^^^^^^
>       SecurityContextComplete=yes"
>
> When Login Command is sending out, the initiator has no idea how the
> target would response, how  could it "has all the required information"?
> In Case 1, the initiator limits the response from target by providing only
> one option for each parameter, so that it has a good guess of the
> response. However, "a text response including only
> SecurityContextComplete=yes concludes the security sub-phase" (page 101 in
> draft 7). The initiator still needs to send SecurityContextComplete=yes
> in the next Text Command and wait for a Text Response with
> SecurityContextComplete=yes only to end the security sub-phase. It is
> meaningless to include the SecurityContextComplete=yes so early in the
> Login Command.
>
> If both Cases 2 and 3 are correct, sending "SecurityContextComplete=yes"
> becomes optional and loses its value to be used. I also checked the "Login
> Phase Examples" in Appendix A and I did not find any example with
> "SecurityContextComplete=yes" in Login Command. Could you please give more
> explanations on this issue?
>
> Thanks.
> Qin
>
>
>
>
> On Sat, 21 Jul 2001, Julian Satran wrote:
>
> >
> > Steve,
> >
> > All are correct.
> >
> > Julo
> >
> > Steve Senum <ssenum@cisco.com> on 20-07-2001 21:13:47
> >
> > Please respond to Steve Senum <ssenum@cisco.com>
> >
> > To:   ips@ece.cmu.edu
> > cc:
> > Subject:  Re: iSCSI Login Questions
> >
> >
> >
> >
> > Julian,
> >
> > Thanks for the reply.
> >
> > I have a few of more cases I would like to be sure of.
> > Please comment on whether you think the given sequence
> > is valid.
> >
> >
> > Case 1:
> >
> > I-> Login    AuthMethod=none
> >              HeaderDigest=crc-32C
> >              DataDigest=crc-32C
> >              SecurityContextComplete=yes
> > T-> Login-PR AuthMethod=none
> >              HeaderDigest=crc-32C
> >              DataDigest=crc-32C
> >              SecurityContextComplete=yes
> >
> >
> > Case 2:
> >
> > I-> Login    AuthMethod=none
> >              HeaderDigest=crc-32C,none
> >              DataDigest=crc-32C,none
> > T-> Login-PR AuthMethod=none
> >              HeaderDigest=crc-32C
> >              DataDigest=crc-32C
> >              SecurityContextComplete=yes
> > I-> Text     SecurityContextComplete=yes
> > T-> Text     SecurityContextComplete=yes
> >
> >
> > Case 3:
> >
> > I-> Login    AuthMethod=none
> >              HeaderDigest=crc-32C,none
> >              DataDigest=crc-32C,none
> >              SecurityContextComplete=yes
> > T-> Login-PR AuthMethod=none
> >              HeaderDigest=crc-32C
> >              DataDigest=crc-32C
> >              SecurityContextComplete=yes
> >
> >
> > Thanks,
> > Steve Senum
> >
> >
> >
> >
>
>
>
>
>

References:
- Re: iSCSI Login Questions
  - From: "Julian Satran" <Julian_Satran@il.ibm.com>

Prev by Date: iSCSI: specific initiator
Next by Date: RE: iSCSI Plugfest at UNH (misc issues) (fwd)
Prev by thread: Re: iSCSI Login Questions
Next by thread: Re: iSCSI Login Questions
Index(es):
- Date
- Thread

Home

Last updated: Tue Sep 04 01:04:15 2001
6315 messages in chronological order