SORT BY:

LIST ORDER
THREAD
AUTHOR
SUBJECT


SEARCH

IPS HOME


    [Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

    RE: iSCSI Re: Questions on iSCSI 07



    Hi Julian,
    
    I have a question on Lee's Q7 and your answer.
    
    If the old session is still alive, does it mean that there is at least one
    connection between the initiator and the target.  If it is true, then to
    reset the old session the target also has to disconnect all the connections
    in the old session, except the connection of the Login Command.
    
    
    ========================================================================
    Q7:
    Page 69: "When a target is detecting an attempt to open a new session by
    the same initiator (same InitiatorName and ISID) it MUST check if the
    old session is active.  If it is not the old-session must be reset by
    the target and the new session established. Otherwise the Login MUST be
    terminated with a Login Response."
    
    What does "reset" exactly mean here?
    
    +++ clean its internal state - remove anything non-persistent data related
    to the old session
    +++
    ============================================================================
    
    
    Thanks,
    
    *********************************
     Trang Nguyen
     tnguyen@perfisans.com
    *********************************
    
    
    -----Original Message-----
    From: owner-ips@ece.cmu.edu [mailto:owner-ips@ece.cmu.edu]On Behalf Of
    Julian Satran
    Sent: August 15, 2001 3:29 PM
    To: ips@ece.cmu.edu
    Subject: iSCSI Re: Questions on iSCSI 07
    
    
    
    Comments in text - thanks - Julo
    
    "Lee Xing" <lxing@Crossroads.com>@ece.cmu.edu on 15-08-2001 17:27:17
    
    Please respond to "Lee Xing" <lxing@Crossroads.com>
    
    Sent by:  owner-ips@ece.cmu.edu
    
    
    To:   <ips@ece.cmu.edu>
    cc:
    Subject:  Questions on iSCSI 07
    
    
    
    Hi All,
    
    I have a few questions on iSCSI 07.  I would appreciate it if someone
    could explain them.
    
    Thank you.
    
    
    Lee Xing
    Sr. Software Engineer
    Crossroads Systems, Inc.
    
    ----------------------------------------------
    Q1:
    Page 104: "Operational parameters MAY be negotiated outside (after) the
    login phase."
    Page 157: "Some session specific parameters MUST be carried only on the
    leading connection and cannot be changed after the leading connection
    login..."
    
    If operational parameters are considered as session parameters, then
    should we reword the sentence on page 104, such as "Some operational
    parameters MAY be negotiated outside (after) the login phase."?
    
    
    +++ will fix +++
    ----------------------------------------------
    Q2:
    Page 22: "Any PDU except login and text, which is sent on a TCP
    connection before this connection gets into full feature phase, is a
    protocol error."
    
    Page 169: "To make use of SendTargets, an initiator must first be logged
    in to one of two types of targets."
    
    Since SendTargets is one of the keys for Text Cmds, and we can't issue
    it before logging in, we probably should reword the sentence on page 22.
    
    +++ will read:
    
    Any PDU except login and text, which is sent on a TCP connection before
    this connection gets into full feature phase, is a protocol error. Some
    text command parameters also allowed only in full feature phase (e.g.,
    SendTargets).
    
    ++++
    ----------------------------------------------
    Q3: Page 169: "If it logs in to any other target, the session the
    session can be either a discovery session or a normal operational
    session".  Should we delete one "the session" from this sentence?
    +++
    ??? can't find it
    +++
    ----------------------------------------------
    Q4: Why don't section 1.2.2.1 & 1.2.2.2 address where CmdSN & StatSN
    should start from (0, 1, or whatever) explicitly like DataSN does?
    Should we initialize the counters before start the process?
    +++ third paragraph of 1.2.2.1 says now
    Commands in transit from the initiator to the target layer are numbered by
    iSCSI; the number is carried by the iSCSI PDU as CmdSN
    (Command-Sequence-Number).  The numbering is session-wide and starts with a
    value set by the initiator during the first login of a session (leading
    login).
    
    and 1.2.2.2 gstates:
    
       The first login response includes an initial value for status numbering.
    
     +++
    ----------------------------------------------
    Q5: Page 102: "An operational parameter negotiation on a connection
    SHOULD not start before the security/integrity negotiation if such a
    negotiation exists.  Operational parameters negotiated inadvertently
    before the security/integrity negotiation MAY be reset after the
    security/integrity negotiation at the explicit request of the initiator
    or target."
    
    The question is under which circumstance do we need to negotiate
    operational parameters before security/integrity negotiation?  If it's
    unlikely to happen, why do we leave a potential security hole here?
    +++ this will be clarified in an upcoming writeup
    +++
    ----------------------------------------------
    Q6:
    Page 21: "... ... If an initiator and target are connected through more
    than one session, both the initiator and target perceive the other as a
    different entity on each session (a different I_T nexus in SAM-2
    parlance)."
    
    Page 69: "When a target is detecting an attempt to open a new session by
    the same initiator (same InitiatorName and ISID) it MUST check if the
    old session is active.  If it is not the old-session must be reset by
    the target and the new session established. Otherwise the Login MUST be
    terminated with a Login Response."
    
    The sentence on page 21 tells us multi-sessions between an initiator and
    a target are allowed; while the sentence on page 69 implies they are
    not.  We probably need to clear it a bit.
    +++ No it tells you that the target must check if the old connections are
    still alive.  If they are this attempt is an error. If they are not the
    target has not realized the old session has gone away (e.g. a client
    reboot). I reformulate as:
    
       When a target is detecting an attempt to open a new session by the same
       SCSI initiator port (same InitiatorName and ISID) to the same target
       portal group it MUST check if the old session is still active.  If it is
       not active and the target has failed to realize that the old-session
       must be reset by the target and the new session established. Otherwise
       the Login MUST be terminated with a Login Response of "Session already
       open with this initiator".
       ++++
    
    ----------------------------------------------
    Q7:
    Page 69: "When a target is detecting an attempt to open a new session by
    the same initiator (same InitiatorName and ISID) it MUST check if the
    old session is active.  If it is not the old-session must be reset by
    the target and the new session established. Otherwise the Login MUST be
    terminated with a Login Response."
    
    What does "reset" exactly mean here?
    
    +++ clean its internal state - remove anything non-persistent data related
    to the old session
    +++
    ----------------------------------------------
    Q8: This question is on multi-path.  Suppose two NICs are connected to
    the same target, therefore we could have at least two target addresses
    a1 & a2.  Suppose address a1 needs to be dedicated to a particular
    initiator I1.  Is it OK if we let the target to hide a1 from (i.e. not
    sending a1 with "SendTargets" cmd response to) all initiators except I1,
    or do we need to modify 07 to do so?
    
    The current Standard 07 on page 171 says "If a SendTargets response
    reports an iSCSI address for a target, it SHOULD also report all other
    addresses in its portal group in the same response."
    
    +++ It is OK to hide the NIC. Portal groups are meant for groups of
    physical ports that MAY share state+++
    ----------------------------------------------
    Q9:  This is a performance-related question.
    
    After the first (leading) connection logs into a normal operational
    session, why can't the same initiator have an option to just "spawn"
    more "full featured" connections with the same target without running
    Login handshake processes (i.e. authenticate the parties, negotiate the
    session's parameters, open security associations protocol and make
    connections as belonging to a session) again.  It would be more
    efficient if we could have this option.
    
    It seems feasible because:
    
      - it's not necessary to authenticate both parties
        again after doing so on the first (leading)
        connection.
      - security is still possessed without running
        Login process on the following connections
        because the first (leading) connection has to
        run Login process, and no extra connections
        can be spawned without logging into the first
        one.
      - session parameters, generally, are the same
        for connections within a session.  If not, they
        can be re-negotiated later.
      - All connections within a session belong to
        the same I_T nexus.
      - Text Cmds can be used to "spawn" full-featured
        connections without adding too much stuff into
        iSCSI Standard or making it too complex.
    
    
    +++  I don't understand exactly what you are suggesting here. Every TCP
    connection raises the authentication issue (parties can't be sure that
    simple things like IP addresses are not spoofed. More complicted things
    (shared secrets) could be used and we looked at them in the past and did
    not find that it is worth pursuing them. And different connections may have
    different security requirements (a private line vs. a public line).
    ++++
    
    
    
    


Home

Last updated: Tue Sep 04 01:04:01 2001
6315 messages in chronological order