
    Re: iSCSI - Change - Login/Text commands with the binary stage code



    
    Julian,
    
    > > As for the names - I thought that security people might object to having the
    > > name in clear if the security phase does not make use of the name.
    > > Otherwise we can mandate them on the login but I wonder if that is a real
    > > improvement or we are getting careless.
    > >
    > > Julo
    
    The problem with these names (and hence the request from Steve and
    others earlier) is that it is not possible to know when the target
    wants them.
    
    Consider the following excerpts from your latest login proposal:
    
    > A target MAY use the iSCSI Initiator Name as part of its access control
    > mechanism; therefore, the iSCSI Initiator Name MUST be sent before the
    > target is required to disclose its LUs.
    
    The above is _very_ confusing: how can the initiator know if the
    target is doing access control?
    
    > If the iSCSI Target Name and/or iSCSI Initiator Name is going to be used
    > in determining the security mode or it is implicit part of
    > authentication, then the iSCSI Target Name and/or iSCSI Initiator Name
    > MUST be sent in the login command for the first connection of a session
    > to identify the storage endpoint of the session
    
    In both the above cases, how does the initiator know when the target
    requires these names?  The partial login response occurs *only* once.
    So when going from the security->operational phase, there is no
    indication that the target would like these names sent.
    
    There are 3 options here:
    (A) Always send the names in the login command.  Simplify target
       and initiator and eliminate a few of those partial login
       response codes.
    (B) Maintain a configuration database (per-target) of when names
       must be sent - adds an administration burden.  
    (C) Change the wire protocol to allow the target to indicate when
       the names must be sent - again more complications. 
    
    To round up, I prefer Option (A).  These are just names and not
    passwords, so the security risks are minimal.  Are we trying to
    protect against traffic analysis?
    
    -Sandeep
    
    > >
    > > Steve Senum <ssenum@cisco.com>@ece.cmu.edu on 29-08-2001 23:59:36
    > >
    > > Please respond to Steve Senum <ssenum@cisco.com>
    > >
    > > Sent by:  owner-ips@ece.cmu.edu
    > >
    > >
    > > To:   ietf-ips <ips@ece.cmu.edu>
    > > cc:
    > > Subject:  Re: iSCSI - Change - Login/Text commands with the binary stage
    > >       code
    > >
    > >
    > >
    > > Julian,
    > >
    > > A couple of ideas from Matthew Burbridge & Co.'s
    > > login proposal that has generated some interest here:
    > >
    > > 1. Removal of partial login response.  Is it still needed?
    > >
    > > 2. Requiring Initiator and (if not a discovery session)
    > >    Target names on login command, so they are always
    > >    available if needed by the initial phase.
    > >
    > > Comments?
    > >
    > > Regards,
    > > Steve Senum
    > >
    > >
    > >
    > >
    
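The interoperability failure Sandeep describes (the target may want the initiator's name for access control, but the login exchange gives the initiator no signal that it does) can be made concrete with a small model of the first login command. This is an added example written for this archive page; it is not code from the IPS list, from the login draft, or from any iSCSI implementation. The class names, the status strings, the per-target configuration database and the `iqn.2001-08.example:*` names are all constructed for illustration. It models Option (A), always send the names, and Option (B), a per-target database saying when to send them, against one target that filters by initiator name and one that does not.

```python
"""Model of the iSCSI login ambiguity discussed in the thread.

Added example, not code from the IPS list or any iSCSI implementation.
Status strings, policy class, config database and all names are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed result strings; these are not real iSCSI login status codes.
ACCEPT = "accept"
REJECT_MISSING_NAME = "reject: InitiatorName required but not supplied"
REJECT_NOT_AUTHORISED = "reject: initiator not authorised for this target"
REJECT_WRONG_TARGET = "reject: TargetName does not match this portal"


@dataclass(frozen=True)
class TargetPolicy:
    """What a target expects at login.

    allowed is None when the target does no name-based access control,
    otherwise the set of initiator names it will admit.
    """
    target_name: str
    allowed: Optional[frozenset] = None


def target_login(policy: TargetPolicy, request: Dict[str, str],
                 discovery: bool = False) -> str:
    """Target side of the first login command of a session.

    The target only has the key/value pairs in the login command to work
    with; there is no 'please send your name' response in this model, which
    is exactly the gap pointed out in the thread.
    """
    if not discovery:
        # A normal (non-discovery) session must name the storage endpoint.
        if request.get("TargetName") != policy.target_name:
            return REJECT_WRONG_TARGET
    if policy.allowed is None:
        return ACCEPT  # no name-based access control: the name is ignored
    initiator = request.get("InitiatorName")
    if initiator is None:
        return REJECT_MISSING_NAME  # the target cannot evaluate its ACL
    if initiator not in policy.allowed:
        return REJECT_NOT_AUTHORISED
    return ACCEPT


def build_login(initiator_name: str, target_name: str, strategy: str,
                config_db: Optional[Dict[str, bool]] = None) -> Dict[str, str]:
    """Initiator side of the login command.

    'always'     = Option (A): names go in every login command.
    'configured' = Option (B): send InitiatorName only when the per-target
                   database (constructed here) says this target wants it.
    """
    request = {"TargetName": target_name}
    if strategy == "always":
        request["InitiatorName"] = initiator_name
    elif strategy == "configured":
        if config_db is not None and config_db.get(target_name, False):
            request["InitiatorName"] = initiator_name
    else:
        raise ValueError("unknown strategy: " + strategy)
    return request


def run_scenario(strategy: str, config_db: Optional[Dict[str, bool]] = None,
                 initiator: str = "iqn.2001-08.example:init1") -> Tuple[str, str]:
    """Log in to two constructed targets: one with an ACL, one without.

    Returns the (acl_target_result, open_target_result) pair.
    """
    acl_target = TargetPolicy("iqn.2001-08.example:tgt-acl",
                              frozenset({"iqn.2001-08.example:init1"}))
    open_target = TargetPolicy("iqn.2001-08.example:tgt-open")
    results = []
    for policy in (acl_target, open_target):
        req = build_login(initiator, policy.target_name, strategy, config_db)
        results.append(target_login(policy, req))
    return results[0], results[1]


if __name__ == "__main__":
    print("Option (A), always send names:       ", run_scenario("always"))
    print("Option (B), database has no entry:   ", run_scenario("configured", {}))
    print("Option (B), database entry present:  ",
          run_scenario("configured", {"iqn.2001-08.example:tgt-acl": True}))
    print("Option (A), initiator not on the ACL:",
          run_scenario("always", initiator="iqn.2001-08.example:other"))
```

Under Option (A) both logins succeed and the ACL target gets what it needs; under Option (B) a missing or stale database entry turns into a rejected login with no way for the initiator to discover why, which is the administration burden the message mentions. The model also shows the limit of the mechanism: the name selects a policy but, by itself, proves nothing about who sent it, so whatever the security phase negotiates still has to establish that.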



Last updated: Tue Sep 04 01:03:50 2001