RE: iSCSI: Login Proposal
Steve,
The reason why it was decided to do this was twofold:
If the initiator does not want to negotiate security then it must not have
any security parameters in the login command. Therefore
SecurityContextComplete=yes is unnecessary.
If the initiator does want to enter into security as per your example, then
it MUST not send SecurityContextComplete=yes as its security context is not
yet built: Page 101 of 0.7 states that
QUOTE
-Every party in the security negotiation indicates that it has
completed building its security context (has all the required
information) by sending the key=value pair:
SecurityContextComplete=yes
UNQUOTE
My understanding is that its security context is not yet built until it has
received the security parameter replies from (in your example) the
initiator.
Cheers
Matthew
-----Original Message-----
From: Steve Senum [mailto:ssenum@cisco.com]
Sent: Tuesday, August 21, 2001 9:14 PM
To: ietf-ips
Subject: Re: iSCSI: Login Proposal
Matthew/Marjorie/Bob:
Some questions on your login proposal:
1. Why the following restriction?
SecurityContextComplete=yes MUST NOT be present
in the login command.
I don't see the benefit in not allowing something like:
I: AuthMethod:none
   HeaderDigest:crc-32c,none
   DataDigest:crc-32c,none
   SecurityContextComplete=yes
T: AuthMethod:none
   HeaderDigest:crc-32c
   DataDigest:crc-32c
   SecurityContextComplete=yes
2. In the following:
If the login command does not contain security parameters
the target MUST perform one of the two actions below:
a) If the target requires security negotiation
to be performed, then it MUST enter the security
phase and MUST send a text response containing
one or more security parameters and F=0.
b)
Is this really needed? Why not simply require the
initiator to offer security parameters if it supports them?
I would hope authentication would become the typical case
for login.
3. Is there only one Login Response then (just asking)?
Regards,
Steve Senum