SORT BY:

LIST ORDER
THREAD
AUTHOR
SUBJECT


SEARCH

IPS HOME


    [Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

    Re: iSCSI login phasing



    Bob,
    
    I like your overall approach, but at this point,
    I would favor Julian's proposal.  If the WG
    wanted to minimize the changes though, I think
    your approach should be looked at some more.
    
    Comment:
    
    I am a bit confused by your iSCSI Target state diagram.
    I would think you should be able to go from T1 to
    either T2 or T4, depending on what the login command
    contained.  Something like login command with
    SecurityContextComplete=yes goes to T4, else goes to T2.
    Also, I would not expect to see T3 (Leave Security) as
    a state.
    
    Regards,
    Steve Senum
    
    "Robert D. Russell" wrote:
    > 
    > All:
    > 
    > Attached are 2 ASCII text files.  Once contains a state diagram
    > for the iSCSI Initiator login phase, the other a state diagram
    > for the iSCSI Target login phase.
    > 
    > The Initiator state machine has only 6 states with 10 allowed
    > transitions, and the Target state machine has only 5 states
    > with 7 allowed transitions.  Both diagrams have the form of
    > a single "spine" with minimal branching.  Error/failure
    > transitions are not shown, since they always result in
    > closing the connection during login (on the target side
    > a reject message may be sent first).
    > 
    > Both of these diagrams are based on draft 7 with simplifications
    > suggested by Julian, Rod Harrison, Steve Senum, Eddy Quicksall,
    > Stephen Bailey, Barry Reinhold, myself and others.
    > 
    > These include:
    > 
    > 1. Every login is split into 2 distinct subphases (security and
    >    operational) with a required demarcation line between them.
    > 
    > 1. Every login starts in the security subphase and must contain
    >    at least the keys: TargetName, InitiatorName, HeaderDigest,
    >    DataDigest, AuthMethod, and optionally SessionType=Normal.
    > 
    > 2. No operational parameters can be negotiated before or during
    >    the security subphase (informational parameters, like
    >    TargetName, although listed in Appendix D, do not require
    >    negotiation and are not considered "operational" here).
    > 
    > 3. The security subphase ends with a required 2- or 3-way handshake of
    >    Text and Text Response PDUs containing only the
    >    SecurityContextComplete=yes key and ending with a message from
    >    the target to the initiator.  The negotiated security functions
    >    become effective only at the successful conclusion of this handshake.
    > 
    > 4. The operational subphase always begins immediately after the
    >    handshake had been completed.  No security parameters can be
    >    negotiated during or after the operational subphase.
    > 
    > 5. The operational subphase ends with a Login Response with F=1 from
    >    the target to the initiator, at which time both target and
    >    initiator are in Full Feature Phase (the final state in both
    >    diagrams).
    > 
    > Comments please.
    > 
    > Bob Russell
    > InterOperability Lab
    > University of New Hampshire
    > rdr@iol.unh.edu
    > 603-862-3774
    > 
    > On Fri, 27 Jul 2001, Julian Satran wrote:
    > 
    > > Dear colleagues,
    > >
    > > As some of you have complained about difficulty in implementing the login
    > > phase I thought it might be worthwhile to consider a slight departure from
    > > the current description.
    > >
    > > The current text assumes that negotiations are forming one tree and the
    > > "login machine" has to parse the tree.
    > > A leaf node will completely define a state and some pathes may get you to
    > > error.
    > >
    > > I was driven to this design by the need to keep the parsing tree minimal
    > > (under the assumption that any split in subtrees
    > > will result is some parameters needing to appear in several subtrees).
    > >
    > > However - after the noisy (mostly UPPERCASE) debate - I came to realize
    > > that few if any have done the generalized mapping I started with, and
    > > implemented a parser,  and ad-hoc, man-glued, engines have to have smaller
    > > trees for the next plugfest (although by then some bright undergraduate
    > > student may take onto himself to give us  an open-source yacc definition of
    > > the login phase!).
    > >
    > > I looked at the 2 phases and the number of key=values that they share are
    > > probably limited today at initiator and target names (some
    > > organizations/configurations want them for authentication while some others
    > > will object to them being revealed in the "open phase") and as such we may
    > > want to slit the login in 2, completely bracketed, phases each of them
    > > optional but not both:
    > >
    > >
    > >    a security phase that if present must start with the login command and
    > >    is bracketed by the pairs SecurityPhase=start and ended by
    > >    SecurityPhase=end (on both initiator and target)
    > >    an operational-parameter-negotiation phase that must follow security
    > >    phase (if there is a security phase) and is bracketed by the pairs
    > >    OperationalPhase=start and OperationalPhase=end (on both initiator and
    > >    target)
    > >
    > >
    > > Some additional rules will apply:
    > >
    > >    No request/response will span phases
    > >    The phase closing handshake can start on both sides but if started at
    > >    target will be followed by an "full initiator target handshake" - i.e a
    > >    new phase or the "curtain close" end always with the target having the
    > >    last word.
    > >    keys will be clearly segregated and only a few (like names) should be
    > >    allowed in both.
    > >
    > >
    > > Comments?
    > >
    > > Julo
    > >
    > >
    > >
    > 
    >   --------------------------------------------------------------------------------
    >                Name: i_states
    >    i_states    Type: Plain Text (TEXT/PLAIN)
    >            Encoding: BASE64
    > 
    >                Name: t_states
    >    t_states    Type: Plain Text (TEXT/PLAIN)
    >            Encoding: BASE64
    


Home

Last updated: Tue Sep 04 01:04:10 2001
6315 messages in chronological order