
    RE: iSCSI: Login Proposal



    Steve,
    
    The reason why it was decided to do this was twofold:
    
    If the initiator does not want to negotiate security then it must not have
    any security parameters in the login command.  Therefore
    SecurityContextComplete=yes is unnecessary.
    
    If the initiator does want to enter into security as per your example, then
    it MUST not send SecurityContextComplete=yes as its security context is not
    yet built: Page 101 of 0.7 states that
    
    QUOTE
    -Every party in the security negotiation indicates that it has 
               completed building its security context (has all the required 
               information) by sending the key=value pair: 
                
               SecurityContextComplete=yes 
    UNQUOTE
    
    My understanding is that its security context is not yet built until it has
    received the security parameter replies from (in your example) the
    initiator.
    
    Cheers
    
    Matthew
    
    -----Original Message-----
    From: Steve Senum [mailto:ssenum@cisco.com]
    Sent: Tuesday, August 21, 2001 9:14 PM
    To: ietf-ips
    Subject: Re: iSCSI: Login Proposal
    
    
    Matthew/Marjorie/Bob:
    
    Some questions on your login proposal:
    
    1. Why the following restriction?
    
        SecurityContextComplete=yes MUST NOT be present
        in the login command.
    
    I don't see the benefit in not allowing something like:
    
    I: AuthMethod:none
       HeaderDigest:crc-32c,none
       DataDigest:crc-32c,none
       SecurityContextComplete=yes
    T: AuthMethod:none
       HeaderDigest:crc-32c
       DataDigest:crc-32c
       SecurityContextComplete=yes
    
    2. In the following:
    
        If the login command does not contain security parameters
        the target MUST perform one of the two actions below:
    
        a) If the target requires security negotiation
           to be performed, then it MUST enter the security
           phase and MUST send a text response containing
           one or more security parameters and F=0.
    
        b)
    
    Is this really needed?  Why not simply require the
    initiator to offer security parameters if it supports them?
    I would hope authentication would become the typical case
    for login.
    
    3. Is there only one Login Response then (just asking)?
    
    Regards,
    Steve Senum
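    As an added illustration (constructed for this archive page, not taken from the iSCSI draft or any implementation) of the rule Matthew argues above: a party may send SecurityContextComplete=yes only after every security key it offered has been answered by its peer, so the login command itself can never carry it. Treating AuthMethod as the only security-phase key and accepting both the key=value and key:value spellings seen in the thread are assumptions of this model.

```python
SECURITY_KEYS = {"AuthMethod"}  # assumption: the keys that belong to the security phase


def parse_keys(text):
    """Parse 'key=value' lines (or the 'key:value' form used in the thread) into a dict."""
    keys = {}
    for line in text.strip().splitlines():
        key, _, value = line.strip().partition("=" if "=" in line else ":")
        keys[key.strip()] = value.strip()
    return keys


class Party:
    """One side of the negotiation: which security keys it offered and which got answered."""

    def __init__(self):
        self.offered, self.answered = set(), set()

    def send(self, text):
        keys = parse_keys(text)
        self.offered |= set(keys) & SECURITY_KEYS
        return keys

    def receive(self, keys):
        self.answered |= set(keys) & self.offered

    def context_complete(self):
        # Built only once every offered security key has been answered by the peer.
        return bool(self.offered) and self.offered <= self.answered


def check_login_command(text):
    """The proposal's rule: SecurityContextComplete=yes MUST NOT be in the login command."""
    keys = parse_keys(text)
    if keys.get("SecurityContextComplete") != "yes":
        return "ok"
    if not set(keys) & SECURITY_KEYS:
        return "reject: no security keys offered, so SecurityContextComplete=yes is unnecessary"
    return "reject: offered security keys are unanswered, so the context is not yet built"


def quoted_example():
    """Steve's login command: completion is claimed before any target reply exists."""
    return check_login_command("AuthMethod:none\nHeaderDigest:crc-32c,none\nDataDigest:crc-32c,none\nSecurityContextComplete=yes")


def corrected_exchange():
    """Offer first, wait for the target's answer, and only then is the context complete."""
    initiator, target = Party(), Party()
    target.receive(initiator.send("AuthMethod=none\nHeaderDigest=crc-32c,none"))
    before = initiator.context_complete()                        # False: nothing answered yet
    initiator.receive(target.send("AuthMethod=none\nHeaderDigest=crc-32c"))
    return before, initiator.context_complete()                  # (False, True)
```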
    