Re: iSCSI: Login Proposal

[Steve Senum <ssenum@cisco.com>]

Hi Stephen,

The current draft (-07) does actually answer your
question, though it is somewhat buried:

On page 22:

        In "list" negotiation, the offering party sends for each key a list 
        of values (which may include "none") in its order of preference. 
         
        The responding party answers with the first value from the list it 
        supports and is allowed to use for the specific initiator. 

And on page 100:

          -The initiator sends a text command with an ordered list of the 
           options it supports for each subject (authentication algorithm, 
           iSCSI parameters and so on). The options are listed in the 
           initiator's order of preference.  

           -The target MUST reply with the first option in the list it 
           supports and is allowed for the specific initiator....

Even so, I don't see the value in:

AuthMethod=none,CHAP

Since every implementation must support "none", "CHAP"
will never get picked.

In the interest of keeping login processing as simple as
possible, I would simply require the initiator to offer
what it can support (if anything).  The target can then
pick a compatiable method, or reject the connection.

Steve Senum

"Wheat, Stephen R" wrote:
> 
> Good questions, Steve.
> 
> Question 2 caused me to ponder the concept of key-value preferences.  I.e.,
> I suspect that the concept in the proposed login spec was to address that
> the initiator may prefer to not have any security digests, but might be able
> to negotiate them if the target insisted.
> 
> I cannot find anywhere in the I-D that states that a recipient MUST consider
> key=v1,v2,v3 as the sender having preference of v1 over v2, and v2 over v3.
> Thus, I second Q2, but only if key values are to be interpreted in
> preferential order.  Thus, an initiator could send
> "DataDigest=none,crc32-c,SPKM", and the target's response MUST honor the
> preference order.
> 
> So, Q4 is: should the values in a key-value list be consider the sender's
> preference order that the receiver must honor?
> 
> Stephen
> 
> -----Original Message-----
> From: Steve Senum [mailto:ssenum@cisco.com]
> Sent: Tuesday, August 21, 2001 1:14 PM
> To: ietf-ips
> Subject: Re: iSCSI: Login Proposal
> 
> Matthew/Marjorie/Bob:
> 
> Some questions on your login proposal:
> 
> 1. Why the following restriction?
> 
>     SecurityContextComplete=yes MUST NOT be present
>     in the login command.
> 
> I don't see the benefit in not allowing something like:
> 
> I: AuthMethod:none
>    HeaderDigest:crc-32c,none
>    DataDigest:crc-32c,none
>    SecurityContextComplete=yes
> T: AuthMethod:none
>    HeaderDigest:crc-32c
>    DataDigest:crc-32c
>    SecurityContextComlete=yes
> 
> 2. In the following:
> 
>     If the login command does not contain security parameters
>     the target MUST perform one of the two actions below:
> 
>     a) If the target requires security negotiation
>        to be performed, then it MUST enter the security
>        phase and MUST send a text response containing
>        one or more security parameters and F=0.
> 
>     b)
> 
> Is this really needed?  Why not simply require the
> initiator to offer security parameters if it supports them?
> I would hope authentication would become the typical case
> for login.
> 
> 3. Is there only one Login Reponse then (just asking)?
> 
> Regards,
> Steve Senum