|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: iSCSI: SecurityContextComplete without operational parametersI'm not sure we are talking the same thing. What I'm asking is that the target and initiator both have the same rule regarding the fact that "it MUST NOT start sending operational parameters within the same text command" when SecurityContextComplete=yes. If the initiator has been the last to complete the handshake it MUST NOT start sending operational parameters within the same text command. Eddy ----- Original Message ----- From: "Julian Satran" <Julian_Satran@il.ibm.com> To: <ips@ece.cmu.edu> Sent: Wednesday, July 25, 2001 2:49 AM Subject: Re: iSCSI: SecurityContextComplete without operational parameters > Eddy, > > I understood what you are asking but I don't necessarily agree. Operational > parameters are problematic if you want them exchanged in a secure > environment. If not you should be able to handle them as you should be able > to handle > any set of parameters on the same PDU. The need to keep them and perhaps > reset them is part of the negotiation process. > > Julo > > "Eddy Quicksall" <ESQuicksall@hotmail.com> on 24-07-2001 20:35:18 > > Please respond to "Eddy Quicksall" <ESQuicksall@hotmail.com> > > To: Julian Satran/Haifa/IBM@IBMIL > cc: ips@ece.cmu.edu > Subject: Re: iSCSI: SecurityContextComplete without operational parameters > > > > > What I was actually asking for is that the target would not send any > operational parameters in the same PDU as the SecurityContextComplete. > Rationalization given below. > > Eddy > > ----- Original Message ----- > From: "Julian Satran" <Julian_Satran@il.ibm.com> > To: <ips@ece.cmu.edu> > Sent: Tuesday, July 24, 2001 10:08 AM > Subject: Re: iSCSI: SecurityContextComplete without operational parameters > > > > the new text will read: > > > > If the initiator has been the last to complete the handshake it > MUST > > NOT start sending operational parameters that need to be protected > > within the same text command; a text response including only > > SecurityContextComplete=yes concludes the security sub-phase. Only > > the following PDU exchange is protected by digests (if any). > > > > If the target has been the last to complete the handshake, the initiator > > can start the operational parameter negotiation with the next text > command; > > the security negotiation sub-phase ends with the target text response. > > However, the target handshake concluding response MUST NOT include > > operational parameters that need to be protected. Only the following PDU > > exchange is protected by digests (if any). > > > > Julo > > > > "Eddy Quicksall" <EQuicksall@mediaone.net> on 24-07-2001 15:55:05 > > > > Please respond to "Eddy Quicksall" <EQuicksall@mediaone.net> > > > > To: Julian Satran/Haifa/IBM@IBMIL > > cc: ips@ece.cmu.edu > > Subject: iSCSI: SecurityContextComplete without operational parameters > > > > > > > > > > In section "4.2 iSCSI Security and Integrity Negotiation", it would be > best > > if the target is required to send SecurityContextComplete=yes without any > > new operational parameters within the same PDU. > > > > It makes coding cleaner because the initiator can have a simple > > send/receive > > loop that pops out when security is complete. If operational parameters > are > > allowed with SecurityContextComplete=yes, the initiator's security module > > must also have operational parameter code or it must set flags, leave > > information in buffers, etc that all create messy code. > > > > The spec says: > > > > If the initiator has been the last to complete the handshake > it > > MUST NOT start sending operational parameters within the same > > text command. > > > > How about if we say the same thing for the target? There shouldn't be any > > harm because I suspect everyone is doing that anyway. > > > > Comments? > > > > > > Eddy_Quicksall@iVivity.com > > > > > > > > > > > > > >
Home Last updated: Tue Sep 04 01:04:12 2001 6315 messages in chronological order |