SORT BY:

LIST ORDER
THREAD
AUTHOR
SUBJECT


SEARCH

IPS HOME


    [Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

    RE: iSCSI: reusing ISID for recovery



    Jim,
    
    Option A is clearly unacceptable as an initiator may do harm.
    Recovery is not done by the target neither in B nor in C.
    
    In B an initiator has to add a bit (he may be tempted to put it in as "my
    code is safe" while in C
    it requires the initiator to logout first before he can reinitiate the
    session.
    
    B is an optimization over C - and quite dangerous.
    
    Julo
    
    
    Jim Hafner/Almaden/IBM@IBMUS@ece.cmu.edu on 27-08-2001 19:22:12
    
    Please respond to Jim Hafner/Almaden/IBM@IBMUS
    
    Sent by:  owner-ips@ece.cmu.edu
    
    
    To:   ips@ece.cmu.edu
    cc:
    Subject:  RE: iSCSI: reusing ISID for recovery
    
    
    
    
    Julo,
    
    Here's the way I look at it.  I think this is an "error detection/recovery"
    issue.
    
    With a rule that the ISID doesn't get reused by an initiator to a given
    target portal group,  it's the obligation of the initiator not to do it.
    If  the initiator does it anyway, then it is acting in protocol error and
    it is the job of the target to enforce that rule.   If the initiator still
    does it anyway, it's probably because it has "lost its way", then it is in
    error state (but how does it know this?).  I prefer option B. The target
    enforces the protocol rule only.  An unexpected reject is the "error
    detection" mechanism for the intiator.  The "forced" login is part of the
    error recovery, as driven by the initiator which is doing the error
    recovery.
    
    I see option A as a simpler mechanim that makes the "explicit" error
    recovery request by the initiator an "implicit" request with no direct
    detection mechanism on the initiator side.   I'd go with this choice if it
    is decided that the only time we'd expect an initiator to make this request
    is after a reboot or other massive reset, where it wouldn't have clue about
    it's previous state.  If there are cases where we think it won't "do the
    right thing" when it could, then I would say that option B as a safer
    mechanism.
    
    In short, it gets the target out of doing error recovery on behalf of the
    initiator without explicit (option B) or implicit (Option A) direction.
    It's not in the business of "guessing" if the initiator needs recovery.
    
    Jim Hafner
    
    
    Julian Satran/Haifa/IBM@IBMIL@ece.cmu.edu on 08/27/2001 07:50:09 am
    
    Sent by:  owner-ips@ece.cmu.edu
    
    
    To:   ips@ece.cmu.edu
    cc:
    Subject:  RE: iSCSI: reusing ISID for recovery
    
    
    
    
    Jim,
    
    It would be interesting to hear your arguments. The functions is clearly
    there - only that an initiator has to perform two steps
    Why is it important (except for boot) that a living initiator do it in one
    step.
    
    Regards,
    Julo
    
    Jim Hafner/Almaden/IBM@IBMUS@ece.cmu.edu on 27-08-2001 17:16:33
    
    Please respond to Jim Hafner/Almaden/IBM@IBMUS
    
    Sent by:  owner-ips@ece.cmu.edu
    
    
    To:   ips@ece.cmu.edu
    cc:
    Subject:  RE: iSCSI: reusing ISID for recovery
    
    
    
    
    Julo,
    You wrote:
      And I would like to remind you all that we where on this exact thread
    more
      tan 3 months ago (other players).
      I just restated the rationale for an (apparent) newcomer.
    
    On the other hand, I don't recall this issue ever being called for
    concensus.  Opinions were posted and nothing followed up.
    
    I happen to agree with Marjorie.
    
    Jim Hafner
    
    
    Julian Satran/Haifa/IBM@IBMIL@ece.cmu.edu on 08/25/2001 12:22:33 AM
    
    Sent by:  owner-ips@ece.cmu.edu
    
    
    To:   ips@ece.cmu.edu
    cc:
    Subject:  RE: iSCSI: reusing ISID for recovery
    
    
    
    
    It may be another OS running on the same machine or CPU complex or it could
    be an attack.
    In any case if the initiator is up and fine he can as well do logout.
    It is a rare enough event for us not to try to optimize.
    
    The reboot is the only case in which the initiator can't logout and about
    which we care.
    
    And I would like to remind you all that we where on this exact thread more
    tan 3 months ago (other players).
    I just restated the rationale for an (apparent) newcomer.
    
    Julo
    
    "KRUEGER,MARJORIE (HP-Roseville,ex1)" <marjorie_krueger@hp.com>@ece.cmu.edu
    on 25-08-2001 03:51:43
    
    Please respond to "KRUEGER,MARJORIE (HP-Roseville,ex1)"
          <marjorie_krueger@hp.com>
    
    Sent by:  owner-ips@ece.cmu.edu
    
    
    To:   ips@ece.cmu.edu
    cc:
    Subject:  RE: iSCSI: reusing ISID for recovery
    
    
    
    I don't see how Option A is prone to "wild closing of sessions".  The
    target
    is only looking for sessions with this particular initiator and closing
    them
    if the ISID matches.
    
    If an initiator doesn't have a valid TSID (login w/TSID=0), it means it has
    lost state entirely (reboot) or knows it wants to immediately reset a
    session (NIC failure).  How could there possibly be a case where the
    initiator has an active valid session with the same ISID, but just doesn't
    know about it??  Rejecting the login seems pointless, since obviously the
    initiator either has a bug or intends to quickly reset the session.
    
    The behavior chosen (Option C) will cause the initiator's recovery to be
    delayed while the target NOPs all the connections and waits for them to
    time
    out - this will only delay the initiators recovery unnecessarily.  I can't
    help but think this will cause long term problems for the protocol.
    
    Marjorie Krueger
    Networked Storage Architecture
    Networked Storage Solutions Org.
    Hewlett-Packard
    tel: +1 916 785 2656
    fax: +1 916 785 0391
    email: marjorie_krueger@hp.com
    
    > -----Original Message-----
    > From: Julian Satran [mailto:Julian_Satran@il.ibm.com]
    > Sent: Thursday, August 23, 2001 9:39 PM
    > To: ips@ece.cmu.edu
    > Subject: Re: iSCSI: reusing ISID for recovery (Was: RE: iSCSI
    > - Change -
    > Login/Text...)
    >
    >
    >
    > Mallikarjun,
    >
    > On  your point 1 that is what is stated today in the draft.
    >
    > On your point 2 option C is the one we took in the draft, after some
    > debate.
    >
    > Option A is prone to "wild closing of sessions" and option B is also
    > relaying to much on the good behaviour of the
    > client. It also introduces a "feature" that complicates login/logout.
    >
    > Our postion on this is  that the initiator should logout the session
    > explicitly if it can (and in this case it can as the target
    > has ascertained
    > that the session is alive).
    >
    > I agree that you may want to update the stayte diagram to
    > reflect this.
    >
    > Julo
    >
    >
    > "Mallikarjun C." <cbm@rose.hp.com>@ece.cmu.edu on 24-08-2001 01:46:40
    >
    > Please respond to cbm@rose.hp.com
    >
    > Sent by:  owner-ips@ece.cmu.edu
    >
    >
    > To:   ips@ece.cmu.edu
    > cc:
    > Subject:  iSCSI: reusing ISID for recovery (Was: RE: iSCSI - Change -
    >       Login/Text...)
    >
    >
    >
    > Julian and all:
    >
    > This thread mirrors another discussion some of us are
    > having in a different forum.  Following (two bullets 1
    > & 2 below) is what I proposed there, attempting to address
    > two issues -
    >      a) how to recover sessions when target and the initiator
    >            have conflicting views of the same TCP connection(s)?
    >            (Initiator NIC fails, but there's no I/O activity,
    >            and the target doesn't see any connection failure.)
    >      b) More specifically, how to address the above problem
    >            when the initiator *does not want* to re-instate failed
    >            connections since it only implements the mandatory
    >            session recovery?
    >
    > This could add clarity or muddle things up here, though hopefully
    > the former...
    >
    > 1 If login is sent with the same ISID, same TSID, same CID and X-bit,
    >   then it means a failed connection is being re-instated (whether
    >   or not there are multiple connections in the session).  This login
    >   attempt must be done before the connection timeout (transition M1),
    >   or if this is the only connection in the session, also before the
    >   session timeout (transition N6) - to be counted as a connection
    >   reinstatement effort.
    >            o CmdSN counters (CmdSN, ExpCmdSN) are continued.
    > Initiator
    >              must do command plugging when there's a mismatch
    >              between its CmdSN and ExpCmdSN in the login response.
    >            o Since this is an implicit connection logout, all
    > the active
    >              tasks on the connection are either internally terminated,
    >              or made non-allegiant (based on ErrorRecoveryLevel=x/y,
    >              TBD) for recovery.
    >
    > 2 If login is sent with the same ISID and TSID=0, the session (if it
    >   exists on the target) is being cleared and any active connections
    >   that the target sees must be immediately (at the end of the login
    >   process including any initiator authentication) transport reset.
    >   Initiator may attempt this only after it ascertains a
    > session failure
    >   on its end (ie. all connections entered RECOVERY_START).
    >            o CmdSN counters get reset.  Initiator has to perform the
    >              currently defined session recovery actions.
    >            o All active tasks of the session are internally
    > terminated.
    >
    >
    > Essentially, I was proposing extending the same notion of "implicit
    > logout" of a connection to the session level.  The options that I
    > see are -
    >
    >        A) Should iSCSI let it happen by default as stated above (ie.
    >           same ISID, TSID=0 always wipes out the pre-existing session
    >           on target, since we are mandating it to be used only when
    >           initiator sees a session failure)?
    >        B) Should iSCSI mandate making this intended cleanup explicit
    >           by setting a bit (Say C-bit, for Clear) in the Login Command
    >           PDU to prevent an accidental session cleanup with a buggy
    >           initiator code?
    >        C) Should iSCSI merely state that targets must ascertain
    >           the connection state(s) whenever a new session creation
    >           attempt is made with a known ISID and TSID=0?  (sort of
    >           defeats the intention of the initiator wanting quicker
    >           session recovery since the Login command PDU would have
    >           to idle till target ascertains the connection state(s)).
    >
    > I prefer A, or B.
    >
    > Going with A or B means that the description of transition N3
    > in the session state diagram would have to change to:
    >      Last LOGGED_IN connection had ceased to be LOGGED_IN,
    >         or a Login Command requesting clearing the session (also
    >         with C-bit set, if option B) was received by the target.
    >
    > The transition N7's description would have to be augmented as
    > well to:
    >         Session recovery attempt with an implicit logout,
    >         or connection reinstatement/new CID addition.
    >
    > Comments?
    > --
    > Mallikarjun
    >
    >
    > Mallikarjun Chadalapaka
    > Networked Storage Architecture
    > Network Storage Solutions Organization
    > MS 5668   Hewlett-Packard, Roseville.
    > cbm@rose.hp.com
    >
    >
    > >Stephen,
    > >
    > >That can happen as the target may set-up completely new TCP
    > connections
    > >(the old sockets are still there and look OK).
    > >Untill the login is  progessing he assumes that this is just another
    > >open-session attempt. Then he checks the old session and the
    > session is
    > >dead (initiator has closed the connections).
    > >
    > >The target has to distinguish only between a session that is
    > alive (and
    > >reject the new one) and one that its dead in which case it
    > can clean-up.
    > >
    > >Julo
    > >
    > >"Wheat, Stephen R" <stephen.r.wheat@intel.com> on 23-08-2001 22:50:56
    > >
    > >Please respond to "Wheat, Stephen R" <stephen.r.wheat@intel.com>
    > >
    > >To:   Julian Satran/Haifa/IBM@IBMIL, ips@ece.cmu.edu
    > >cc:
    > >Subject:  RE: iSCSI - Change - Login/Text commands with the
    > binary stage
    > co
    > >          de
    > >
    > >
    > >
    > >Julian,
    > >
    > >I don't understand your answer.  For the scenario given, I
    > would presume
    > >then that the target would reject the new session attempt,
    > as it sees the
    > >previous session still "alive".  What is there to tell the
    > target that
    > this
    > >is any different from when the Initiator is erroneously using the
    > >repetitive
    > >session id?
    > >
    > >Thanks,
    > >Stephen
    > >
    > >-----Original Message-----
    > >From: Julian Satran [mailto:Julian_Satran@il.ibm.com]
    > >Sent: Thursday, August 23, 2001 11:15 AM
    > >To: ips@ece.cmu.edu
    > >Subject: Re: iSCSI - Change - Login/Text commands with the
    > binary stage
    > >co de
    > >
    > >
    > >Stephen,
    > >
    > >1.If the initiator goes away for a while and reboots and there was no
    > >activity on the connections
    > >the target may see a session alive (I am not sure that it
    > has to appear on
    > >the state diagram but maybe).
    > >
    > >2.Again - I am not sure that the curent state diagram
    > includes death of
    > the
    > >initiator
    > >
    > >Julo
    > >
    > >"Wheat, Stephen R" <stephen.r.wheat@intel.com>@ece.cmu.edu
    > on 23-08-2001
    > >19:58:34
    > >
    > >Please respond to "Wheat, Stephen R" <stephen.r.wheat@intel.com>
    > >
    > >Sent by:  owner-ips@ece.cmu.edu
    > >
    > >
    > >To:   ips@ece.cmu.edu
    > >cc:
    > >Subject:  Re: iSCSI - Change - Login/Text commands with the
    > binary stage
    > co
    > >      de
    > >
    > >
    > >
    > >Julian,
    > >
    > >1.3.6 ISID states that the target should check to see if the
    > old session
    > is
    > >still active when a duplicate session is detected.
    > >
    > >I have two questions, the second only if you answer in the
    > affirmative on
    > >the first ;^)
    > >
    > >1. Is there a properly executed sequence of events (i.e., no
    > coding error
    > >on
    > >the target side) where the session is not active, but the
    > target hadn't
    > >taken notice of it?  It appears this as a protocol-specified
    > means to work
    > >around a flaw in a target's implementation.  I interpret the
    > state diagram
    > >transitions as being atomic wrt other commands.  I.e., the
    > last logout
    > >would
    > >result in the various transitions of the connection/session
    > prior to the
    > >initiator starting the session up again.  And the target would have
    > >completed the transitions prior to handling a new session request.
    > >
    > >2. If you answered (1) in the affirmative, then the word
    > "Active" is not
    > >consistent with the 6.3 Session State Diagram.  Does this
    > mean the target
    > >got lost, due to transport failures of any sort, in its
    > transition from
    > >Q3-to-Q2-to-Q1?  It sounds like the intent is to close the
    > old session if
    > >the session was in Q2 or Q4, presuming if it were in Q1,  it
    > would not
    > have
    > >been found as a duplicate.
    > >
    > >Stephen
    > >
    > >
    > >
    > >
    > >
    > >
    > >
    > >
    >
    >
    >
    >
    >
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    


Home

Last updated: Tue Sep 04 01:03:53 2001
6315 messages in chronological order