|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: iSCSI: reusing ISID for recoveryMy major objection is that we make it to easy to err. Even not-malicious/just mistaken code can blow up a session. Julo Santosh Rao <santoshr@cup.hp.com>@ece.cmu.edu on 30-08-2001 23:18:01 Please respond to Santosh Rao <santoshr@cup.hp.com> Sent by: owner-ips@ece.cmu.edu To: ips@ece.cmu.edu cc: Subject: Re: iSCSI: reusing ISID for recovery Venkat Rangan wrote: > One aspect from the > other thread that may not have been mentioned is the fact that you could > have a situation where a rogue software on the initiator running in user > mode which simply issues ISID=existing, TSID=0 to the target. (This may be > what was meant by "wild closing of connections" in this thread.) Choosing > option A) would destroy an otherwise well protected ISID managed in the > kernel space. This could also occur when you accidentally start another > application that does not coordinate its ISID selection. Another parallel iscsi application running in user space should use a different iscsi initiator name than the iscsi kernel driver. If it does use the same iscsi initiator name, it must co-ordinate its usage of ISID, cmdsn, exp_statsn, initiator task tag with the kernel iscsi driver. Failure to do either can and should result in the pre-existing session being logged out, since this is a coding error in the initiator application. However, prior to taking any such action, the login request must first be authenticated to protect against malicious logouts from spurious initiators. > The earlier thread was leaning towards "Reject the second login attempt with > In-Use error code" but the issue of targets cleaning up inactive and failed > sessions still lingers on. > > Some observations: > > 1. There is no way to protect against rogue software at the intiator; even > the best IPSec policies and key management can not prevent such software > from disturbing other well-behaved components. So trying to design > mechanisms to prevent this at the target would be fruitless. Agreed. That is the philosophy of option (A). > > 2. There is some value in protecting an accidental use of an existing ISID > by a second client (ISID=<existing>, TSID=0). This can be done with a Reject > of the login attempt, even without verification of login credentials - (less > of a DOS attack). You also do not need to analyze connection states in this > case. A second client should create its own iscsi initiator name or partition the (ISID, cmdsn, init task tag) resources into pools that can be shared b/n the 2 clients. Even then, there exist issues in sending exp_statsn values. The easiest partition is to use different names for different clients. If multiple clients on a host do not follow the above precautions, they are faulty in their iscsi session resource management and there is little sense in designing targets to protect against such behaviour. > > 3. From the perspective of the Target, case 2) above is no different from an > initiator rebooting and accidentally choosing an existing ISID with TSID=0. > To distinguish 2) from 3), we can make use of the Clear bit (or the C-bit) > and avoid many unnecessary trips at reboot time, trying to probe for an > unused ISID. The usage is that if C-bit is present, any previous sessions > are also closed by the target. I think this was Option B) in the original > email. There is nothing to prevent multiple concurrent clients from logging in with "C" bit set, and use the same ISID + 0 TSID. The simplest approach is for the targets to authenticate the initiators and once authentication has passed, to trust the initiator's requests. The target should not be in the business of second-guessing the initiator's intentions by testing connections, etc. The "C" bit is of little or no use, since the initiator does not know reliably in which cases its usage is required. [It may have lost prior state and has no knowledge that it had a pre-existing session]. It would end up using this bit in all logins. Regards, Santosh - santoshr.vcf
Home Last updated: Tue Sep 04 01:03:49 2001 6315 messages in chronological order |