    Re: iSCSI: SecurityContextComplete without operational parameters



    
    Eddy,
    
    I am working on it.
    
    Thanks for your patience,
    Julo
    
    "Eddy Quicksall" <ESQuicksall@hotmail.com> on 26-07-2001 19:17:58
    
    Please respond to "Eddy Quicksall" <ESQuicksall@hotmail.com>
    
    To:   Julian Satran/Haifa/IBM@IBMIL
    cc:   ips@ece.cmu.edu
    Subject:  Re: iSCSI: SecurityContextComplete without operational parameters
    
    
    
    
    Julian,
    
    This thread seems to have gone a bit further than my original request. I
    don't see an answer to the below. Can you please let me know?
    
    Again, all I am asking is that both initiator and target have the same
    rule. It seems simple and constructive to do so. I can rationalize it
    again if you like.
    
    Eddy
    ----- Original Message -----
    From: "Eddy Quicksall" <ESQuicksall@hotmail.com>
    To: "Julian Satran" <Julian_Satran@il.ibm.com>
    Cc: <ips@ece.cmu.edu>
    Sent: Wednesday, July 25, 2001 4:23 PM
    Subject: Re: iSCSI: SecurityContextComplete without operational parameters
    
    
    > I'm not sure we are talking the same thing. What I'm asking is that the
    > target and initiator both have the same rule regarding the fact that "it
    > MUST NOT start sending operational parameters within the same text
    > command" when SecurityContextComplete=yes.
    >
    >             If the initiator has been the last to complete the handshake
    >             it MUST NOT start sending operational parameters within the
    >             same text command.
    >
    > Eddy
    > ----- Original Message -----
    > From: "Julian Satran" <Julian_Satran@il.ibm.com>
    > To: <ips@ece.cmu.edu>
    > Sent: Wednesday, July 25, 2001 2:49 AM
    > Subject: Re: iSCSI: SecurityContextComplete without operational parameters
    >
    >
    > > Eddy,
    > >
    > > I understood what you are asking but I don't necessarily agree.
    > > Operational parameters are problematic if you want them exchanged in a
    > > secure environment. If not you should be able to handle them as you
    > > should be able to handle any set of parameters on the same PDU. The need
    > > to keep them and perhaps reset them is part of the negotiation process.
    > >
    > > Julo
    > >
    > > "Eddy Quicksall" <ESQuicksall@hotmail.com> on 24-07-2001 20:35:18
    > >
    > > Please respond to "Eddy Quicksall" <ESQuicksall@hotmail.com>
    > >
    > > To:   Julian Satran/Haifa/IBM@IBMIL
    > > cc:   ips@ece.cmu.edu
    > > Subject:  Re: iSCSI: SecurityContextComplete without operational parameters
    > >
    > >
    > >
    > >
    > > What I was actually asking for is that the target would not send any
    > > operational parameters in the same PDU as the SecurityContextComplete.
    > > Rationalization given below.
    > >
    > > Eddy
    > >
    > > ----- Original Message -----
    > > From: "Julian Satran" <Julian_Satran@il.ibm.com>
    > > To: <ips@ece.cmu.edu>
    > > Sent: Tuesday, July 24, 2001 10:08 AM
    > > Subject: Re: iSCSI: SecurityContextComplete without operational parameters
    > >
    > >
    > > > the new text will read:
    > > >
    > > >       If the initiator has been the last to complete the handshake it
    > > >       MUST NOT start sending operational parameters that need to be
    > > >       protected within the same text command; a text response
    > > >       including only SecurityContextComplete=yes concludes the
    > > >       security sub-phase. Only the following PDU exchange is
    > > >       protected by digests (if any).
    > > >
    > > > If the target has been the last to complete the handshake, the
    > > > initiator can start the operational parameter negotiation with the
    > > > next text command; the security negotiation sub-phase ends with the
    > > > target text response. However, the target handshake concluding
    > > > response MUST NOT include operational parameters that need to be
    > > > protected. Only the following PDU exchange is protected by digests
    > > > (if any).
    > > >
    > > > Julo
    > > >
    > > > "Eddy Quicksall" <EQuicksall@mediaone.net> on 24-07-2001 15:55:05
    > > >
    > > > Please respond to "Eddy Quicksall" <EQuicksall@mediaone.net>
    > > >
    > > > To:   Julian Satran/Haifa/IBM@IBMIL
    > > > cc:   ips@ece.cmu.edu
    > > > Subject:  iSCSI: SecurityContextComplete without operational parameters
    > > >
    > > >
    > > >
    > > >
    > > > In section "4.2 iSCSI Security and Integrity Negotiation", it would be
    > > > best if the target is required to send SecurityContextComplete=yes
    > > > without any new operational parameters within the same PDU.
    > > >
    > > > It makes coding cleaner because the initiator can have a simple
    > > > send/receive loop that pops out when security is complete. If
    > > > operational parameters are allowed with SecurityContextComplete=yes,
    > > > the initiator's security module must also have operational parameter
    > > > code or it must set flags, leave information in buffers, etc. that
    > > > all create messy code.
    > > >
    > > > The spec says:
    > > >
    > > >            If the initiator has been the last to complete the
    > > >            handshake it MUST NOT start sending operational parameters
    > > >            within the same text command.
    > > >
    > > > How about if we say the same thing for the target? There shouldn't be
    > > > any harm because I suspect everyone is doing that anyway.
    > > >
    > > > Comments?
    > > >
    > > >
    > > > Eddy_Quicksall@iVivity.com
    > > >
    > > >
    > > >
    > > >
    > > >
    > >
    > >
    > >
    > >
    >
    
    
    
    


Last updated: Tue Sep 04 01:04:11 2001