SORT BY:

LIST ORDER
THREAD
AUTHOR
SUBJECT


SEARCH

IPS HOME


    [Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

    RE: iSCSI: Option Preference (was Login Proposal)



    Agreed, I've already disagreed with myself in a subsequent email :-)  Good
    point regarding mutual authentication, the possibilities for malicious
    behavior are miriad (masquerading as a target to intercept your precious
    data).
    
    Marj
    
    > -----Original Message-----
    > From: Julian Satran [mailto:Julian_Satran@il.ibm.com]
    > Sent: Wednesday, August 22, 2001 11:50 PM
    > To: ips@ece.cmu.edu
    > Subject: RE: iSCSI: Option Preference (was Login Proposal)
    > 
    > 
    > 
    > Marjorie,
    > 
    > If you'll take the time and go through all the scenarios (I 
    > know that your
    > time is precious :-))
    > you'll find that the order of "exposing" preferences in a 
    > negotiation does
    > not matter if the negotiation is symmetric (and it is).
    > As we are bound to a certain order of things by the main 
    > function (command
    > processing) we start all exchanges at initiator.
    > Having the initiator send an empty request only because you 
    > think that in
    > most cases the target dictates authentication
    > seems a vaste of bits (and time) - contrary to your 
    > assertion. This is why
    > we never gave any example involving it.
    > But it is certainly a legal sequence in the current draft.  To force
    > everybody to use it - BAD IDEA.
    > I assume that as storage gets more decoupled from systems the need for
    > mutual authentication will increase (why would you believe that
    > the volume given to you over the net is where you wrote your 
    > precious data
    > last time?).
    > 
    > Julo
    > 
    > 
    > 
    > "KRUEGER,MARJORIE (HP-Roseville,ex1)" 
    > <marjorie_krueger@hp.com>@ece.cmu.edu
    > on 23-08-2001 02:08:30
    > 
    > Please respond to "KRUEGER,MARJORIE (HP-Roseville,ex1)"
    >       <marjorie_krueger@hp.com>
    > 
    > Sent by:  owner-ips@ece.cmu.edu
    > 
    > 
    > To:   ietf-ips <ips@ece.cmu.edu>
    > cc:
    > Subject:  RE: iSCSI: Option Preference (was Login Proposal)
    > 
    > 
    > 
    > That really makes the most sense to me.  IMO, having the initiator
    > "request"
    > authmethods is kind of a waste of bits.  The model I have in 
    > mind is that a
    > target basicly has one AuthMethod and all initiators that 
    > want to access it
    > either MUST use that AuthMethod (external "storage service 
    > provider" model)
    > or may either use that AuthMethod or none.  I'm having a hard time
    > imagining
    > poor little targets implementing multiple authMethods in the 
    > same box and
    > actually allowing initiators with different authMethods to access it
    > simultaneously.  In any case, seems like there's little value 
    > in having the
    > initiator offer a list of AuthMethods.  Makes more sense for 
    > the initiator
    > to request login, and the target to return the required 
    > AuthMethod.  If the
    > initiator can't handle it, it terminates the exchange.  That's my
    > understanding of how client-server auth relationships usually work.
    > Actually, typically the client is simply expected to know the required
    > AuthMethod (thru configuration) and begins the exchange by requesting
    > authorization.
    > 
    > Marj
    > 
    > > -----Original Message-----
    > > From: Steve Senum [mailto:ssenum@cisco.com]
    > > Sent: Wednesday, August 22, 2001 3:24 PM
    > > To: ietf-ips
    > > Subject: Re: iSCSI: Option Preference (was Login Proposal)
    > >
    > >
    > > Not to try to beat this into the ground anymore
    > > then already has been done, but...
    > >
    > > Many months ago, when I first looked over
    > > the iSCSI spec, I remember thinking it was
    > > kind of odd for the side being authenticated
    > > to control the possible options.  Other
    > > protocols I have worked with would have the
    > > side driving the authentication (i.e., the Target)
    > > control this.
    > >
    > > If the IPS group wants to stay with the
    > > current target-really-controls-authentication
    > > notion, we might want to go a step further,
    > > and allow only the Target to send the AuthMethod
    > > key out.
    > >
    > > Just a thought,
    > > Steve Senum
    > >
    > >
    > 
    > 
    > 
    


Home

Last updated: Tue Sep 04 01:03:55 2001
6315 messages in chronological order