SORT BY:

LIST ORDER
THREAD
AUTHOR
SUBJECT


SEARCH

IPS HOME


    [Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

    Re: iSCSI: reusing ISID for recovery



    My major objection is that we make it to easy to err.  Even
    not-malicious/just mistaken code can blow up a session.
    
    Julo
    
    Santosh Rao <santoshr@cup.hp.com>@ece.cmu.edu on 30-08-2001 23:18:01
    
    Please respond to Santosh Rao <santoshr@cup.hp.com>
    
    Sent by:  owner-ips@ece.cmu.edu
    
    
    To:   ips@ece.cmu.edu
    cc:
    Subject:  Re: iSCSI: reusing ISID for recovery
    
    
    
    Venkat Rangan wrote:
    
    >  One aspect from the
    > other thread that may not have been mentioned is the fact that you could
    > have a situation where a rogue software on the initiator running in user
    > mode which simply issues ISID=existing, TSID=0 to the target. (This may
    be
    > what was meant by "wild closing of connections" in this thread.) Choosing
    > option A) would destroy an otherwise well protected ISID managed in the
    > kernel space. This could also occur when you accidentally start another
    > application that does not coordinate its ISID selection.
    
    Another parallel iscsi application running in user space should use a
    different
    iscsi initiator name than the iscsi kernel driver. If it does use the same
    iscsi initiator name, it must co-ordinate its usage of ISID, cmdsn,
    exp_statsn,
    initiator task tag with the kernel iscsi driver.
    
    Failure to do either can and should result in the pre-existing session
    being
    logged out, since this is a coding error in the initiator application.
    However,
    prior to taking any such action, the login request must first be
    authenticated
    to protect against malicious logouts from spurious initiators.
    
    
    > The earlier thread was leaning towards "Reject the second login attempt
    with
    > In-Use error code" but the issue of targets cleaning up inactive and
    failed
    > sessions still lingers on.
    >
    > Some observations:
    >
    > 1. There is no way to protect against rogue software at the intiator;
    even
    > the best IPSec policies and key management can not prevent such software
    > from disturbing other well-behaved components. So trying to design
    > mechanisms to prevent this at the target would be fruitless.
    
    Agreed. That is the philosophy of option (A).
    
    
    >
    > 2. There is some value in protecting an accidental use of an existing
    ISID
    > by a second client (ISID=<existing>, TSID=0). This can be done with a
    Reject
    > of the login attempt, even without verification of login credentials -
    (less
    > of a DOS attack). You also do not need to analyze connection states in
    this
    > case.
    
    A second client should create its own iscsi initiator name or partition the
    (ISID, cmdsn, init task tag) resources into pools that can be shared b/n
    the 2
    clients. Even then, there exist issues in sending exp_statsn values. The
    easiest partition is to use different names for different clients.
    
    If multiple clients on a host do not follow the above precautions, they are
    faulty in their iscsi session resource management and there is little sense
    in
    designing targets to protect against such behaviour.
    
    
    >
    > 3. From the perspective of the Target, case 2) above is no different from
    an
    > initiator rebooting and accidentally choosing an existing ISID with
    TSID=0.
    > To distinguish 2) from 3), we can make use of the Clear bit (or the
    C-bit)
    > and avoid many unnecessary trips at reboot time, trying to probe for an
    > unused ISID. The usage is that if C-bit is present, any previous sessions
    > are also closed by the target. I think this was Option B) in the original
    > email.
    
    There is nothing to prevent multiple concurrent clients from logging in
    with
    "C" bit set, and use the same ISID + 0 TSID.
    
    The simplest approach is for the targets to authenticate the initiators and
    once authentication has passed, to trust the initiator's requests. The
    target
    should not be in the business of second-guessing the initiator's intentions
    by
    testing connections, etc.
    
    The "C" bit is of little or no use, since the initiator does not know
    reliably
    in which cases its usage is required. [It may have lost prior state and has
    no
    knowledge that it had a pre-existing session].  It would end up using this
    bit
    in all logins.
    
    Regards,
    Santosh
    
     - santoshr.vcf
    
    
    
    


Home

Last updated: Tue Sep 04 01:03:49 2001
6315 messages in chronological order