Re: iSCSI Login Questions

Eddy,

This might make implementations independent of the value semantics (depend
only on the option being offered) although none is special.
But I am open to other opinions.

In the meantime I'll make the text read:

   The SecurityContextComplete handshake MUST be performed if any of
   negotiating parties has offered a security/integrity item and
   regardless of the value or list offered (even if it is not selected).

thanks,
Julo

"Eddy Quicksall" <ESQuicksall@hotmail.com> on 23-07-2001 21:44:04

Please respond to "Eddy Quicksall" <ESQuicksall@hotmail.com>

To:   Julian Satran/Haifa/IBM@IBMIL
cc:   ips@ece.cmu.edu
Subject:  Re: iSCSI Login Questions

One other question that came up at UNH was the following:

If an initiator says "AuthMethod=none<0> DataDigest=none<0>
HeaderDigest=none" in the initial login, does that mean the parties have to
use the SecurityContextComplete handshake?

Does the scope of "even if it is not selected" below include the above?

Eddy

----- Original Message -----
From: "Julian Satran" <Julian_Satran@il.ibm.com>
To: <ips@ece.cmu.edu>
Sent: Monday, July 23, 2001 1:50 AM
Subject: Re: iSCSI Login Questions

>
> Qin,
>
> The question Steve raised was if the example is correct and the example is
> correct.
>
> In the example the initiator clearly indicates that it is not offering
> any Authentication method ("none") and it might as well conclude the
> security phase.
> It does not need any additional exchange.
>
> The target can reject the login.
>
> The fact that there is no such case included in the examples does not make it
> incorrect.
>
> As for the SecurityContextComplete Steve has chosen a strictly literal
> interpretation of the relevant paragraph from 4.2:
>
>    The SecurityContextComplete handshake MUST be performed if any of
>    negotiating parties has offered a security/integrity item (even if it
>    is not selected).
>
> Julo
>
>
> Qin Tao <qtao@cs.unh.edu> on 23-07-2001 05:34:33
>
> Please respond to Qin Tao <qtao@cs.unh.edu>
>
> To:   Julian Satran/Haifa/IBM@IBMIL
> cc:   ips@ece.cmu.edu
> Subject:  Re: iSCSI Login Questions
>
>
> Hi, Julian:
>
> I don't think "SecurityContextComplete=yes" should be used in the Login
> Command together with security parameters (as in Cases 1&3).
>
> Draft 07, Clause 4.1 says:
>
> "-Every party in the security negotiation indicates that it has
> completed building its security context (has all the required
>                                              ^^^^^^^^^^^^^^^^^
> information) by sending the key=value pair:
> ^^^^^^^^^^^
> SecurityContextComplete=yes"
>
> When the Login Command is being sent out, the initiator has no idea how the
> target would respond, how could it "has all the required information"?
> In Case 1, the initiator limits the response from target by providing only
> one option for each parameter, so that it has a good guess of the
> response. However, "a text response including only
> SecurityContextComplete=yes concludes the security sub-phase" (page 101 in
> draft 7). The initiator still needs to send SecurityContextComplete=yes
> in the next Text Command and wait for a Text Response with
> SecurityContextComplete=yes only to end the security sub-phase. It is
> meaningless to include the SecurityContextComplete=yes so early in the
> Login Command.
>
> If both Cases 2 and 3 are correct, sending "SecurityContextComplete=yes"
> becomes optional and loses its value to be used. I also checked the "Login
> Phase Examples" in Appendix A and I did not find any example with
> "SecurityContextComplete=yes" in Login Command. Could you please give more
> explanations on this issue?
>
> Thanks.
> Qin
>
>
> On Sat, 21 Jul 2001, Julian Satran wrote:
>
> >
> > Steve,
> >
> > All are correct.
> >
> > Julo
> >
> > Steve Senum <ssenum@cisco.com> on 20-07-2001 21:13:47
> >
> > Please respond to Steve Senum <ssenum@cisco.com>
> >
> > To:   ips@ece.cmu.edu
> > cc:
> > Subject:  Re: iSCSI Login Questions
> >
> >
> > Julian,
> >
> > Thanks for the reply.
> >
> > I have a few more cases I would like to be sure of.
> > Please comment on whether you think the given sequence
> > is valid.
> >
> >
> > Case 1:
> >
> > I-> Login     AuthMethod=none
> >               HeaderDigest=crc-32C
> >               DataDigest=crc-32C
> >               SecurityContextComplete=yes
> > T-> Login-PR  AuthMethod=none
> >               HeaderDigest=crc-32C
> >               DataDigest=crc-32C
> >               SecurityContextComplete=yes
> >
> >
> > Case 2:
> >
> > I-> Login     AuthMethod=none
> >               HeaderDigest=crc-32C,none
> >               DataDigest=crc-32C,none
> > T-> Login-PR  AuthMethod=none
> >               HeaderDigest=crc-32C
> >               DataDigest=crc-32C
> >               SecurityContextComplete=yes
> > I-> Text      SecurityContextComplete=yes
> > T-> Text      SecurityContextComplete=yes
> >
> >
> > Case 3:
> >
> > I-> Login     AuthMethod=none
> >               HeaderDigest=crc-32C,none
> >               DataDigest=crc-32C,none
> >               SecurityContextComplete=yes
> > T-> Login-PR  AuthMethod=none
> >               HeaderDigest=crc-32C
> >               DataDigest=crc-32C
> >               SecurityContextComplete=yes
> >
> >
> > Thanks,
> > Steve Senum
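
Added example (not part of the original thread, and not code from the iSCSI draft or its authors): a small checker that applies the revised wording quoted at the top of this message to the three cases above and to the all-"none" login from Eddy's question. The PDU model (a side tag plus whitespace-separated key=value text) and all function names are assumptions made for illustration; it checks only whether both sides sent SecurityContextComplete=yes, not which PDU carried it.

```python
# Security/integrity keys named in the thread; the tuple layout is an assumption.
SECURITY_KEYS = {"AuthMethod", "HeaderDigest", "DataDigest"}
DONE = "SecurityContextComplete"

def parse_pairs(text):
    """Split whitespace-separated key=value pairs into {key: [values]}."""
    pairs = {}
    for item in text.split():
        key, sep, value = item.partition("=")
        if not sep or not key:
            raise ValueError(f"malformed pair: {item!r}")
        pairs[key] = value.split(",")
    return pairs

def handshake_required(pdus):
    """True if any party offered a security/integrity item, whatever its value."""
    return any(k in SECURITY_KEYS for _, text in pdus for k in parse_pairs(text))

def handshake_complete(pdus):
    """True once both initiator ('I') and target ('T') have sent DONE=yes."""
    said = {side for side, text in pdus if parse_pairs(text).get(DONE) == ["yes"]}
    return said == {"I", "T"}

def check(pdus):
    """Return (handshake required, login satisfies the rule)."""
    required = handshake_required(pdus)
    return required, (not required) or handshake_complete(pdus)

# Constructed from Steve Senum's cases quoted above.
OFFER_ONE = "AuthMethod=none HeaderDigest=crc-32C DataDigest=crc-32C"
OFFER_LIST = "AuthMethod=none HeaderDigest=crc-32C,none DataDigest=crc-32C,none"
YES = " SecurityContextComplete=yes"
CASE_1 = [("I", OFFER_ONE + YES), ("T", OFFER_ONE + YES)]
CASE_2 = [("I", OFFER_LIST), ("T", OFFER_ONE + YES),
          ("I", YES.strip()), ("T", YES.strip())]
CASE_3 = [("I", OFFER_LIST + YES), ("T", OFFER_ONE + YES)]
# Constructed from Eddy's question: every item offered as "none", no handshake yet.
NONE_ONLY = [("I", "AuthMethod=none DataDigest=none HeaderDigest=none")]

if __name__ == "__main__":
    for name, pdus in [("Case 1", CASE_1), ("Case 2", CASE_2),
                       ("Case 3", CASE_3), ("all none", NONE_ONLY)]:
        print(name, check(pdus))
```

Under the revised wording the all-"none" login still requires the handshake, because the check looks at which keys were offered and never at their values.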