SORT BY:

LIST ORDER
THREAD
AUTHOR
SUBJECT


SEARCH

IPS HOME


    [Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

    Re: iSCSI: SecurityContextComplete without operational parameters



    Julian,
    
    This thread seems to have gone a bit further than my original request. I
    don't see an answer to the below. Can you please let me know?
    
    Again, all I am asking is that both initiator and target have the same rule.
    It seems simple and constructive to do so. I can rationalize it again if you
    like.
    
    Eddy
    ----- Original Message -----
    From: "Eddy Quicksall" <ESQuicksall@hotmail.com>
    To: "Julian Satran" <Julian_Satran@il.ibm.com>
    Cc: <ips@ece.cmu.edu>
    Sent: Wednesday, July 25, 2001 4:23 PM
    Subject: Re: iSCSI: SecurityContextComplete without operational parameters
    
    
    > I'm not sure we are talking the same thing. What I'm asking is that the
    > target and initiator both have the same rule regarding the fact that "it
    > MUST NOT start sending operational parameters within the same text
    command"
    > when SecurityContextComplete=yes.
    >
    >             If the initiator has been the last to complete the handshake
    it
    >             MUST NOT start sending operational parameters within the same
    >             text command.
    >
    > Eddy
    > ----- Original Message -----
    > From: "Julian Satran" <Julian_Satran@il.ibm.com>
    > To: <ips@ece.cmu.edu>
    > Sent: Wednesday, July 25, 2001 2:49 AM
    > Subject: Re: iSCSI: SecurityContextComplete without operational parameters
    >
    >
    > > Eddy,
    > >
    > > I understood what you are asking but I don't necessarily agree.
    > Operational
    > > parameters are problematic if you want them exchanged in a secure
    > > environment. If not you should be able to handle them as you should be
    > able
    > > to handle
    > > any set of parameters on the same PDU. The need to keep them and perhaps
    > > reset them is part of the negotiation process.
    > >
    > > Julo
    > >
    > > "Eddy Quicksall" <ESQuicksall@hotmail.com> on 24-07-2001 20:35:18
    > >
    > > Please respond to "Eddy Quicksall" <ESQuicksall@hotmail.com>
    > >
    > > To:   Julian Satran/Haifa/IBM@IBMIL
    > > cc:   ips@ece.cmu.edu
    > > Subject:  Re: iSCSI: SecurityContextComplete without operational
    > parameters
    > >
    > >
    > >
    > >
    > > What I was actually asking for is that the target would not send any
    > > operational parameters in the same PDU as the SecurityContextComplete.
    > > Rationalization given below.
    > >
    > > Eddy
    > >
    > > ----- Original Message -----
    > > From: "Julian Satran" <Julian_Satran@il.ibm.com>
    > > To: <ips@ece.cmu.edu>
    > > Sent: Tuesday, July 24, 2001 10:08 AM
    > > Subject: Re: iSCSI: SecurityContextComplete without operational
    parameters
    > >
    > >
    > > > the new text will read:
    > > >
    > > >       If the initiator has been the last to complete the handshake it
    > > MUST
    > > >       NOT start sending operational parameters that need to be
    protected
    > > >       within the same text command; a text response including only
    > > >       SecurityContextComplete=yes concludes the security sub-phase.
    Only
    > > >       the following PDU exchange is protected by digests (if any).
    > > >
    > > > If the target has been the last to complete the handshake, the
    initiator
    > > > can start the operational parameter negotiation with the next text
    > > command;
    > > > the security negotiation sub-phase ends with the target text response.
    > > > However, the target handshake concluding response MUST NOT include
    > > > operational parameters that need to be protected. Only the following
    PDU
    > > > exchange is protected by digests (if any).
    > > >
    > > > Julo
    > > >
    > > > "Eddy Quicksall" <EQuicksall@mediaone.net> on 24-07-2001 15:55:05
    > > >
    > > > Please respond to "Eddy Quicksall" <EQuicksall@mediaone.net>
    > > >
    > > > To:   Julian Satran/Haifa/IBM@IBMIL
    > > > cc:   ips@ece.cmu.edu
    > > > Subject:  iSCSI: SecurityContextComplete without operational
    parameters
    > > >
    > > >
    > > >
    > > >
    > > > In section "4.2 iSCSI Security and Integrity Negotiation", it would be
    > > best
    > > > if the target is required to send SecurityContextComplete=yes without
    > any
    > > > new operational parameters within the same PDU.
    > > >
    > > > It makes coding cleaner because the initiator can have a simple
    > > > send/receive
    > > > loop that pops out when security is complete. If operational
    parameters
    > > are
    > > > allowed with SecurityContextComplete=yes, the initiator's security
    > module
    > > > must also have operational parameter code or it must set flags, leave
    > > > information in buffers, etc that all create messy code.
    > > >
    > > > The spec says:
    > > >
    > > >            If the initiator has been the last to complete the
    handshake
    > > it
    > > >            MUST NOT start sending operational parameters within the
    same
    > > >            text command.
    > > >
    > > > How about if we say the same thing for the target? There shouldn't be
    > any
    > > > harm because I suspect everyone is doing that anyway.
    > > >
    > > > Comments?
    > > >
    > > >
    > > > Eddy_Quicksall@iVivity.com
    > > >
    > > >
    > > >
    > > >
    > > >
    > >
    > >
    > >
    > >
    >
    


Home

Last updated: Tue Sep 04 01:04:11 2001
6315 messages in chronological order