Re: iSCSI Login Questions
Eddy,
This might make implementations independent of the value semantics (depend
only on the option being offered) although none is special.
But I am open to other opinions.
In the meantime I'll make the text read:
The SecurityContextComplete handshake MUST be performed if any of
negotiating parties has offered a security/integrity item and
regardless of the value or list offered (even if it is not selected).
thanks,
Julo
"Eddy Quicksall" <ESQuicksall@hotmail.com> on 23-07-2001 21:44:04
Please respond to "Eddy Quicksall" <ESQuicksall@hotmail.com>
To: Julian Satran/Haifa/IBM@IBMIL
cc: ips@ece.cmu.edu
Subject: Re: iSCSI Login Questions
One other question that came up at UNH was the following:
If an initiator says "AuthMethod=none<0> DataDigest=none<0>
HeaderDigest=none" in the initial login, does that mean the parties have to
use the SecurityContextComplete handshake?
Does the scope of "even if it is not selected" below include the above?
Eddy
----- Original Message -----
From: "Julian Satran" <Julian_Satran@il.ibm.com>
To: <ips@ece.cmu.edu>
Sent: Monday, July 23, 2001 1:50 AM
Subject: Re: iSCSI Login Questions
>
> Qin,
>
> The question Steve raised was if the example is correct and the example is
> correct.
>
> In the example the initiator clearly indicates that it is not offering
> any Authentication method ( "none") and it might as well conclude the
> security phase.
> It does not need any additional exchange.
>
> The target can reject the login.
>
> The fact that there is no such case included in examples does not make it
> incorrect.
>
> As for the SecurityContextComplete Steve has chosen a strictly literal
> interpretation of the relevant paragraph from 4.2:
>
> The SecurityContextComplete handshake MUST be performed if any of
> negotiating parties has offered a security/integrity item (even if it
> is not selected).
>
> Julo
>
>
>
>
> Qin Tao <qtao@cs.unh.edu> on 23-07-2001 05:34:33
>
> Please respond to Qin Tao <qtao@cs.unh.edu>
>
> To: Julian Satran/Haifa/IBM@IBMIL
> cc: ips@ece.cmu.edu
> Subject: Re: iSCSI Login Questions
>
>
>
>
> Hi, Julian:
>
> I don't think "SecurityContextComplete=yes" should be used in the Login
> Command together with security parameters (as in Cases 1&3).
>
> Draft 07, Clause 4.1 says:
>
> "-Every party in the security negotiation indicates that it has
> completed building its security context (has all the required
> ^^^^^^^^^^^^^^^^^
> information) by sending the key=value pair:
> ^^^^^^^^^^^
> SecurityContextComplete=yes"
>
> When the Login Command is being sent out, the initiator has no idea how the
> target would respond, how could it "has all the required information"?
> In Case 1, the initiator limits the response from target by providing only
> one option for each parameter, so that it has a good guess of the
> response. However, "a text response including only
> SecurityContextComplete=yes concludes the security sub-phase" (page 101 in
> draft 7). The initiator still needs to send SecurityContextComplete=yes
> in the next Text Command and wait for a Text Response with
> SecurityContextComplete=yes only to end the security sub-phase. It is
> meaningless to include the SecurityContextComplete=yes so early in the
> Login Command.
>
> If both Cases 2 and 3 are correct, sending "SecurityContextComplete=yes"
> becomes optional and loses its value to be used. I also checked the "Login
> Phase Examples" in Appendix A and I did not find any example with
> "SecurityContextComplete=yes" in Login Command. Could you please give more
> explanations on this issue?
>
> Thanks.
> Qin
>
>
>
>
> On Sat, 21 Jul 2001, Julian Satran wrote:
>
> >
> > Steve,
> >
> > All are correct.
> >
> > Julo
> >
> > Steve Senum <ssenum@cisco.com> on 20-07-2001 21:13:47
> >
> > Please respond to Steve Senum <ssenum@cisco.com>
> >
> > To: ips@ece.cmu.edu
> > cc:
> > Subject: Re: iSCSI Login Questions
> >
> >
> >
> >
> > Julian,
> >
> > Thanks for the reply.
> >
> > I have a few more cases I would like to be sure of.
> > Please comment on whether you think the given sequence
> > is valid.
> >
> >
> > Case 1:
> >
> > I-> Login    AuthMethod=none
> >              HeaderDigest=crc-32C
> >              DataDigest=crc-32C
> >              SecurityContextComplete=yes
> > T-> Login-PR AuthMethod=none
> >              HeaderDigest=crc-32C
> >              DataDigest=crc-32C
> >              SecurityContextComplete=yes
> >
> >
> > Case 2:
> >
> > I-> Login    AuthMethod=none
> >              HeaderDigest=crc-32C,none
> >              DataDigest=crc-32C,none
> > T-> Login-PR AuthMethod=none
> >              HeaderDigest=crc-32C
> >              DataDigest=crc-32C
> >              SecurityContextComplete=yes
> > I-> Text     SecurityContextComplete=yes
> > T-> Text     SecurityContextComplete=yes
> >
> >
> > Case 3:
> >
> > I-> Login    AuthMethod=none
> >              HeaderDigest=crc-32C,none
> >              DataDigest=crc-32C,none
> >              SecurityContextComplete=yes
> > T-> Login-PR AuthMethod=none
> >              HeaderDigest=crc-32C
> >              DataDigest=crc-32C
> >              SecurityContextComplete=yes
> >
> >
> > Thanks,
> > Steve Senum
> >
> >
> >
> >
>
>
>
>
>
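
The reworded rule at the top of this message, applied to Steve's three cases and to Eddy's all-`none` offer, as an added example (not code from the draft or from any list participant). It assumes the security/integrity items are the three keys shown in the thread and, following Julian's "All are correct", that the handshake counts as performed once each side has sent `SecurityContextComplete=yes` in any PDU; the target reply in the `all_none` exchange is constructed.

```python
# Added illustration; not code from the iSCSI draft or from any list participant.
# Assumption: the security/integrity items are the three keys seen in this thread.
SECURITY_KEYS = {"AuthMethod", "HeaderDigest", "DataDigest"}

def parse_pdu(text):
    """Split 'Key=v1,v2 Key2=v' into {key: [values]}."""
    pairs = {}
    for item in text.split():
        key, sep, value = item.partition("=")
        if not sep or not key:
            raise ValueError(f"not a key=value pair: {item!r}")
        pairs[key] = value.split(",")
    return pairs

def check_exchange(exchange):
    """exchange: list of (sender, text) with sender 'I' or 'T'."""
    offered = False
    complete = {"I": False, "T": False}
    for sender, text in exchange:
        pairs = parse_pdu(text)
        if SECURITY_KEYS.intersection(pairs):
            offered = True  # the value is irrelevant: "none" still counts as an offer
        if pairs.get("SecurityContextComplete") == ["yes"]:
            complete[sender] = True
    performed = all(complete.values())
    return {"required": offered, "performed": performed,
            "conformant": performed or not offered}

DIGESTS = "HeaderDigest=crc-32C DataDigest=crc-32C"
LISTS = "HeaderDigest=crc-32C,none DataDigest=crc-32C,none"
SCC = "SecurityContextComplete=yes"
EXCHANGES = {
    "case1": [("I", f"AuthMethod=none {DIGESTS} {SCC}"),
              ("T", f"AuthMethod=none {DIGESTS} {SCC}")],
    "case2": [("I", f"AuthMethod=none {LISTS}"),
              ("T", f"AuthMethod=none {DIGESTS} {SCC}"),
              ("I", SCC), ("T", SCC)],
    "case3": [("I", f"AuthMethod=none {LISTS} {SCC}"),
              ("T", f"AuthMethod=none {DIGESTS} {SCC}")],
    # Eddy's all-"none" offer; the target reply here is constructed.
    "all_none": [("I", "AuthMethod=none DataDigest=none HeaderDigest=none"),
                 ("T", "AuthMethod=none DataDigest=none HeaderDigest=none")],
}

if __name__ == "__main__":
    for name, exchange in EXCHANGES.items():
        print(name, check_exchange(exchange))
```

Under the reworded text the `all_none` exchange is flagged: an offer of `none` still makes the handshake required, and neither side has sent `SecurityContextComplete=yes`.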