SORT BY:

LIST ORDER
THREAD
AUTHOR
SUBJECT


SEARCH

IPS HOME


    [Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

    RE: iSCSI: Login Proposal



    Hi Steve,
    
    I forgot to answer your latter two questions in my earlier email!
    
    Comments within:-
    
    Cheers
    
    Matthew
    
    -----Original Message-----
    From: Steve Senum [mailto:ssenum@cisco.com]
    Sent: Tuesday, August 21, 2001 9:14 PM
    To: ietf-ips
    Subject: Re: iSCSI: Login Proposal
    
    
    Matthew/Marjorie/Bob:
    
    Some questions on your login proposal:
    
    1. Why the following restriction?
    
        SecurityContextComplete=yes MUST NOT be present
        in the login command.
    
    I don't see the benefit in not allowing something like:
    
    I: AuthMethod:none
       HeaderDigest:crc-32c,none
       DataDigest:crc-32c,none
       SecurityContextComplete=yes
    T: AuthMethod:none
       HeaderDigest:crc-32c
       DataDigest:crc-32c
       SecurityContextComlete=yes
    
    2. In the following:
    
        If the login command does not contain security parameters
        the target MUST perform one of the two actions below:
    
        a) If the target requires security negotiation
           to be performed, then it MUST enter the security
           phase and MUST send a text response containing
           one or more security parameters and F=0.
    
        b)
    
    Is this really needed?  Why not simply require the
    initiator to offer security parameters if it supports them?
    I would hope authentication would become the typical case
    for login.
    
    MATTHEW: So I was maintaining flexibility here.  If an initiator prefers not
    to negotiate security then why force it? Also, the login is faster if
    neither side want to negotiate security.  I think the majority of people
    would go for flexibility and provided that the procedure caters for all four
    scenarios of either side wanting/not wanting security then the flexibility
    should be present.  In other words, as long as the flexibility does not
    cause interoperability problems and allows everyone to do what they want to
    do then the flexibility should be there. I agree that the typical case would
    be to include authentication but some people will always want to skip it.
    
    3. Is there only one Login Reponse then (just asking)?
    
    MATTHEW: yes.  In deriving the proposal we came to the conclusion that the
    partial login response is unnecessary so we removed it.  Also, some
    implementers have said that this makes the implementation easier as they
    will always return a text response unless login is completed (successfully
    or otherwise).
    
    Regards,
    Steve Senum
    


Home

Last updated: Tue Sep 04 01:03:57 2001
6315 messages in chronological order