Re: ISCSI: User authentication vs. Machine Authentication for iSC SI

To: Stephen Bailey <steph@cs.uchicago.edu>
Subject: Re: ISCSI: User authentication vs. Machine Authentication for iSC SI
From: Mark Bakke <mbakke@cisco.com>
Date: Thu, 30 Aug 2001 15:07:35 -0500
CC: ips@ece.cmu.edu, John Hufferd <hufferd@us.ibm.com>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=us-ascii
References: <OF761F95F7.844FE06F-ON88256AB8.00574D6B@boulder.ibm.com> <20010830191403.A0DE24E95@sandmail.sandburst.com>
Sender: owner-ips@ece.cmu.edu

Stephen Bailey wrote:
> 
> > The new Name (UserID) is exactly what was implied at the meeting in
> > Irvine.
> 
> Oh.  How horrible.

Ideally, you're right.  For instance, if iSCSI was using AuthMethod=CHAP,
then it would be great if the CHAP username (N) specified was identical
to the InitiatorName.

In the draft, that's not how it is.  The user names for CHAP and SRP
(I'm not sure about the others) are specified separately from the
InitiatorName, so there's currently nothing in the protocol to prevent
them from being different.

In practise, there might be times when having them be different
makes the "fit in" better with whatever administration scheme is
out there.  For instance, if my desktop was assigned some iSCSI
storage, and my username and password were kept on a RADIUS server
somewhere, for use by file servers, web servers, and iSCSI servers
or devices, my user name is likely to be a non-globally-unique
string, probably "mbakke".  However, that's not likely to be
my InitiatorName.  To make them the same, I would either have to
change my InitiatorName on my desktop to "mbakke", to fit in with
my login on all of our web and file servers, or the admin would
have to create a new login for my iSCSI stuff on the RADIUS server,
and maintain two of them.  Changing my login on everything to
match an iSCSI name is likely not an option.

Another possible place this could happen is if I am obtaining
iSCSI "services" from more than one administratively-separate
environment.  Each of these environments may prefer to assign
me a user name for login that matches their own internal scheme.
I may have some control over this, but in the end, it has to be
unique within the service-provider's scheme.  This is very
similar to setting up a user-name for your ISP at home; you
may request a particular name, but if the ISP already has one,
you have to pick again.

The point is that if one had two of these environments providing
services, they may each need a separate user name.

Of course, the latter example could be solved by having the
admins accept the initiator name that's already on my iSCSI
client as the user name; these are supposed to be unique
anyway.  The only trouble then is the same as before; if I am
getting more than just iSCSI services from this provider, they
would then have to maintain two user names for me.

A third reason this might happen is that some centralized
password authenticated services such as RADIUS may have
length restrictions on their user names that are shorter than
what is allowed in an iSCSI initiator name.

Anyway, implementations have the most flexibility the way
these protocols (SRP, CHAP) are currently documented.  I think
that we could recommend that the iSCSI initiator name be the
same wherever possible, but I don't see how we can require it.

> 
> > A number of us, I am sure, think this is a very poor direction for an
> > implementation.
> 
> Agreed.  I just wanted to walk the space a little bit.  My point is
> that while traditional SCSI passthru does confer control privs (and is
> protected as such), it doesn't need to.  Specifically, a client using
> SCSI passthru is not actually given the identity of the host OS, per
> se.
> 
> > So I believe we must consider such a potential application as
> > probably a rouge application and do nothing to help this, and work
> > to prevent it.
> 
> I understand what you're saying, but I'm not sure it confers much
> architectural direction.  There already must be a concept of identity
> which is independent of anything bound to a particular system (e.g. IP
> address, hardware network port etc.), so there's no way to exclude
> that.
> 
> > The important issue is, can we make the iSCSI Initiator Node Name be
> > used as the UserID.

Again, I think that the best we can do is recommend that they
be the same, but I don't think we can take the step of requiring
it.

> Agreed.  Are there minutes to the meeting?
> 
> Thanks,
>   Steph

-- 
Mark A. Bakke
Cisco Systems
mbakke@cisco.com
763.398.1054

Follow-Ups:
- Re: ISCSI: User authentication vs. Machine Authentication for iSC SI
  - From: Stephen Bailey <steph@cs.uchicago.edu>

References:
- Re: ISCSI: User authentication vs. Machine Authentication for iSC SI
  - From: "John Hufferd" <hufferd@us.ibm.com>
- Re: ISCSI: User authentication vs. Machine Authentication for iSC SI
  - From: Stephen Bailey <steph@cs.uchicago.edu>

Prev by Date: Re: iSCSI: reusing ISID for recovery
Next by Date: RE: iSCSI - Change - Login/Text commands with the binary stage code
Prev by thread: Re: ISCSI: User authentication vs. Machine Authentication for iSC SI
Next by thread: Re: ISCSI: User authentication vs. Machine Authentication for iSC SI
Index(es):
- Date
- Thread

Home

Last updated: Tue Sep 04 01:03:50 2001
6315 messages in chronological order