SORT BY:

LIST ORDER
THREAD
AUTHOR
SUBJECT


SEARCH

IPS HOME


    [Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

    Re: ISCSI: User authentication vs. Machine Authentication for iSCSI



    
    Bill,
    You are correct, in my opinion, on the problem statement, but not  on the
    solution.
    
    The IKE stuff will Get a system identified, and perhaps ensure that a
    encrypted connection is put in place.  This then give the Source and Target
    the Freedom to exchange stuff that would otherwise be in the clear, such as
    iSCSI Node Names etc.  But after the iSCSI session is established, it is
    between an OS and a target.  The OS, is the thing that actually owns the
    resource, it only loans the resources, in some manor, to applications.
    
    I was having a similar problem to what you stated, at the Irvine meeting,
    and kept digging and objecting (off-stage) until I got the following more
    acceptable response.
    
    Environment 1: (Use of IKE with complete Certificates processing ( or
    pre-Shared password), with ESP equal to something other then Null)
    1. We use IKE to get a mutually authenticated and Encrypted communication
    link.  This means that the Target knows that (at the IKE/TCP Layer) there
    is, at the other end, an authorized thing.  (What or who that thing is,
    relative to iSCSI is not really known).  This secure link can be
    established either via Certificates or via a pre-Shared password.
    2. An iSCSI Login can now be done, over a secure link, so the iSCSI
    Initiator Name, and iSCSI Target Name etc can be exchanged securely.
    Please note, just because you passed the IKE certificate gate does not mean
    you are the iSCSI Initiator that you claim to be.  Therefore, a password,
    for example, that is associated with the iSCSI Initiator Name can now be
    used to perform an iSCSI validation of the Initiator.  (Please note, this
    could, instead of a password,  be a Kerberos type Validation etc.)
    3. David, and perhaps other used the words "User" or "Application" name to
    address what was being addressed in 2 above.  But there was more to this
    then just assuming that the iSCSI Initiator Name was the User name.  Since
    folks may actually want to use existing infrastructure, to handle the
    password management and authentication process, they will need to assign
    what I might call an "Alias for the iSCSI Initiator" which can actually be
    saved in the existing infrastructure user authentication repository.  The
    point that was made to me, is that iSCSI Initiator Name (iqn, or eui) will
    not "fit" into things that contain "User Names" so we need to have a
    corresponding "User Name" that we can actually authenticate using, for
    example Microsoft Active Directory etc. Hence the need for a "Alias for the
    iSCSI initiator.  (I really hate this, and wish there was something else we
    could do.)
    
    Environment 2: (Use of IKE with Asymmetrical authentication,  and ESP equal
    to something other then Null.  This example was pushed by Mark Bakke.)
    1. We use IKE to get a mutually authenticated Encrypted communication link,
    but this is done by giving the Initiators a "Dummy" (self signed?)
    Certificate and that this is used to permit the Initiator side to assure
    that it is talking to the correct target but gives no such assurance to the
    Target that it is talking to an approprate Initiator.  However, it does
    setup a secure (encrypted) connection.  (Note: a similar thing can be done
    with pre-shared Keys, where the Initiator systems are all given the same
    pre-shared password.)
    2. The iSCSI Login can now occur, as in Environment-1 above.  In this mode
    the only time the Initiator has any real authentication, by the target is
    in this iSCSI stage.
    Note: Mark pointed out that this was the way Web servers worked.
    3. Chap can  be used in this environment since the Link is already secure
    and encrypted, and sending the password in what otherwise would have been
    in the clear, is protected by the link encryption.
    
    Environment 3: (no use of IKE)
    1. No authenticated private Link is established via IKE, so -- in many
    environments, a Chap type solution is just not secure enough, therefore the
    recommendation will be to use SRP, since that will add some hashing etc. to
    protect the password.
    
    The problem I have with all the above, is that their needs to  be some
    method that the target can use ensure that the "USERNAME" that has the
    password associated with it, is actually the approprate iSCSI Initiator
    NAME.
    
    If we do not ensure, at the target, that the "USERNAME" is THE username to
    be associated with the iSCSI Target Name, then all the IKE and CHAP or SRP
    stuff does is permits us to know that the initiator side is one of some set
    of systems that are authorized to contact the physical Device know as the
    iSCSI Target Node.  Now remember there could be more then one iSCSI Target
    Names (SCSI Target) within the same iSCSI Target Node.  It is even possible
    that the different SCSI Targets may want to have different LUNs attached to
    each of them.  Further, I expect that many of us wanted to associate
    certain LUNs with certain iSCSI Initiators, as we do today with Fibre
    Channel.  However, if we do that, then we must have a hard lock between
    "username" (aka "Alias for the iSCSI initiator") and iSCSI Initiator Name.
    
    It is not clear that we have thought through all the ramifications of this
    dependance on "USERIDs/USERNAMEs" (aka "Alias for the iSCSI initiator").
    Did any of us understand that we needed a binding association database, on
    the targets, to keep associations between iSCSI Initiator Names and
    "USERIDs/USERNAMEs"?  If so, I bet there were not many.
    
    I would like to know if their is a better approach to what I call the
    second stage authentication, without requiring yet another name for the
    iSCSI Initiator Node.
    
    
    
    .
    .
    .
    John L. Hufferd
    Senior Technical Staff Member (STSM)
    IBM/SSG San Jose Ca
    Main Office (408) 256-0403, Tie: 276-0403,  eFax: (408) 904-4688
    Home Office (408) 997-6136
    Internet address: hufferd@us.ibm.com
    
    
    "Bill Strahm" <bill@sanera.net>@ece.cmu.edu on 08/29/2001 08:40:54 AM
    
    Sent by:  owner-ips@ece.cmu.edu
    
    
    To:   "Ips@Ece. Cmu. Edu" <ips@ece.cmu.edu>
    cc:
    Subject:  ISCSI: User authentication vs. Machine Authentication for iSCSI
    
    
    
    I have been fighting with this problem since I left LA.
    
    I am not aware of any usage scenarios today where block devices are owned
    by
    the user rather than the machine.  I will conceed that in many instances
    the
    first thing the system does is assign the resource to a use (tape, scanner,
    etc.) but the machine still owns the resource and can in fact remove it out
    from under the user...
    
    I am not to certain how I could build a trusted iSCSI environment where one
    user would have no knowledge about what was happening with other users in a
    malicious environment (especially where a system was participating in the
    exposure of resourses).  Examples of this include things like co-located
    Web
    hosting where a single user scans process memory looking for 1Kbit of
    random
    data, and when finding it attempts to determine if that is the private key
    of a user sharing the resource.
    
    The reason I am bringing this up, is I am not sure trying to define
    security
    above the machine level makes any sense for iSCSI.  Aren't most SCSI
    devices
    owned by the Operating System not the User and partitioned out by the
    Operating System to the users ?  If this is the case many of our
    authentication methods simplify to simple IKE identities.
    
    Bill
    
    
    
    
    


Home

Last updated: Tue Sep 04 01:03:51 2001
6315 messages in chronological order