SORT BY:

LIST ORDER
THREAD
AUTHOR
SUBJECT


SEARCH

IPS HOME


    [Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

    Re: iSCSI Login Questions



    Eddy,
    
    This might make implementations independent of the value semantics (depend
    only on the option being offered) although none is special.
    
    But I am open to other opinions.
    
    In the meantime I'll make the text read:
    
          The SecurityContextComplete handshake MUST be performed if any of
          negotiating parties has offered a security/integrity item and
          regardless of the value or list offered (even if it is not selected).
    
     thanks,
     Julo
    
    "Eddy Quicksall" <ESQuicksall@hotmail.com> on 23-07-2001 21:44:04
    
    Please respond to "Eddy Quicksall" <ESQuicksall@hotmail.com>
    
    To:   Julian Satran/Haifa/IBM@IBMIL
    cc:   ips@ece.cmu.edu
    Subject:  Re: iSCSI Login Questions
    
    
    
    
    One other question that came up at UNH was the following:
    
    If an initiator says "AuthMethod=none<0> DataDigest=none<0>
    HeaderDigest=none" in the initial login, does that mean the parties have to
    use the SecurityContextComplete handshake?
    
    Does the scope of "even if it is not selected" below include the above?
    
    Eddy
    
    ----- Original Message -----
    From: "Julian Satran" <Julian_Satran@il.ibm.com>
    To: <ips@ece.cmu.edu>
    Sent: Monday, July 23, 2001 1:50 AM
    Subject: Re: iSCSI Login Questions
    
    
    >
    > Qin,
    >
    > The question Steve raised was if the example is correct and the example
    is
    > correct.
    >
    > In the example the initiator clearly indicates that it is not offering
    > any Authentication method ( "none") and it might as well conclude the
    > security phase.
    > It does not need any additional exchange.
    >
    > The target can reject the login.
    >
    > The fact that it is no such case  included in examples does not make it
    > incorrect.
    >
    > As for the SecurityContextComplete Steve has chose a strictly literal
    > interpretation of the relevant paragraph from 4.2:
    >
    >       The SecurityContextComplete handshake MUST be performed if any of
    >       negotiating parties has offered a security/integrity item (even if
    it
    >       is not selected).
    >
    > Julo
    >
    >
    >
    >
    > Qin Tao <qtao@cs.unh.edu> on 23-07-2001 05:34:33
    >
    > Please respond to Qin Tao <qtao@cs.unh.edu>
    >
    > To:   Julian Satran/Haifa/IBM@IBMIL
    > cc:   ips@ece.cmu.edu
    > Subject:  Re: iSCSI Login Questions
    >
    >
    >
    >
    > Hi, Julian:
    >
    > I don't think "SecurityContextComplete=yes" should be used in the Login
    > Command together with security parameters(as in Cases 1&3).
    >
    > Draft 07,Clause 4.1 says:
    >
    > "-Every party in the security negotiation indicates that it has
    >  completed building its security context (has all the required
    >                                ^^^^^^^^^^^^^^^^^
    >  information) by sending the key=value pair:
    >  ^^^^^^^^^^^
    >       SecurityContextComplete=yes"
    >
    > When Login Command is sending out, the initiator has no idea how the
    > target would response, how  could it "has all the required information"?
    > In Case 1, the initiator limits the response from target by providing
    only
    > one option for each parameter, so that it has a good guess of the
    > response. However, "a text response including only
    > SecurityContextComplete=yes concludes the security sub-phase" (page 101
    in
    > draft 7). The initiator still needs to send SecurityContextComplete=yes
    > in the next Text Command and wait for a Text Response with
    > SecurityContextComplete=yes only to end the security sub-phase. It is
    > meaningless to include the SecurityContextComplete=yes so early in the
    > Login Command.
    >
    > If both Cases 2 and 3 are correct, sending "SecurityContextComplete=yes"
    > becomes optional and loses its value to be used. I also checked the
    "Login
    > Phase Examples" in Appendix A and I did not find any example with
    > "SecurityContextComplete=yes" in Login Command. Could you please give
    more
    > explanations on this issue?
    >
    > Thanks.
    > Qin
    >
    >
    >
    >
    > On Sat, 21 Jul 2001, Julian Satran wrote:
    >
    > >
    > > Steve,
    > >
    > > All are correct.
    > >
    > > Julo
    > >
    > > Steve Senum <ssenum@cisco.com> on 20-07-2001 21:13:47
    > >
    > > Please respond to Steve Senum <ssenum@cisco.com>
    > >
    > > To:   ips@ece.cmu.edu
    > > cc:
    > > Subject:  Re: iSCSI Login Questions
    > >
    > >
    > >
    > >
    > > Julian,
    > >
    > > Thanks for the reply.
    > >
    > > I have a few of more cases I would like to be sure of.
    > > Please comment on whether you think the given sequence
    > > is valid.
    > >
    > >
    > > Case 1:
    > >
    > > I-> Login    AuthMethod=none
    > >              HeaderDigest=crc-32C
    > >              DataDigest=crc-32C
    > >              SecurityContextComplete=yes
    > > T-> Login-PR AuthMethod=none
    > >              HeaderDigest=crc-32C
    > >              DataDigest=crc-32C
    > >              SecurityContextComplete=yes
    > >
    > >
    > > Case 2:
    > >
    > > I-> Login    AuthMethod=none
    > >              HeaderDigest=crc-32C,none
    > >              DataDigest=crc-32C,none
    > > T-> Login-PR AuthMethod=none
    > >              HeaderDigest=crc-32C
    > >              DataDigest=crc-32C
    > >              SecurityContextComplete=yes
    > > I-> Text     SecurityContextComplete=yes
    > > T-> Text     SecurityContextComplete=yes
    > >
    > >
    > > Case 3:
    > >
    > > I-> Login    AuthMethod=none
    > >              HeaderDigest=crc-32C,none
    > >              DataDigest=crc-32C,none
    > >              SecurityContextComplete=yes
    > > T-> Login-PR AuthMethod=none
    > >              HeaderDigest=crc-32C
    > >              DataDigest=crc-32C
    > >              SecurityContextComplete=yes
    > >
    > >
    > > Thanks,
    > > Steve Senum
    > >
    > >
    > >
    > >
    >
    >
    >
    >
    >
    
    
    
    


Home

Last updated: Tue Sep 04 01:04:14 2001
6315 messages in chronological order