
    Re: iSCSI - Change - Login/Text commands with the binary stage code



    
    Sandeep,
    
    Comments in text.  Julo
    
    Sandeep Joshi <sandeepj@research.bell-labs.com>@ece.cmu.edu on 30-08-2001
    19:11:53
    
    Please respond to Sandeep Joshi <sandeepj@research.bell-labs.com>
    
    Sent by:  owner-ips@ece.cmu.edu
    
    
    To:   ips@ece.cmu.edu
    cc:
    Subject:  Re: iSCSI - Change - Login/Text commands with the binary stage code
    
    
    
    
    Julian,
    
    > > As for the names - I thought that security people might object to having
    > > the name in clear if the security phase does not make use of the name.
    > > Otherwise we can mandate them on the login but I wonder if that is a real
    > > improvement or we are getting careless.
    > >
    > > Julo
    
    The problem with these names (and hence the request from Steve and others
    earlier) is that it is not possible to know when the target wants them.
    
    Consider the following excerpts from your latest login proposal.
    +++ The initiator knows if the authentication method selected needs the name
    and will offer it if so (that is mostly context information not related to
    the wire protocol) +++
    > A target MAY use the iSCSI Initiator Name as part of its access control
    > mechanism; therefore, the iSCSI Initiator Name MUST be sent before the
    > target is required to disclose its LUs.
    
    The above is _very_ confusing. How can the initiator know if the
    target is doing access control?
    +++ It really is not. LU names can be obtained only in FFP. The statement
    says that you have to disclose them before reaching FFP and explains why
    +++
    > If the iSCSI Target Name and/or iSCSI Initiator Name is going to be used
    > in determining the security mode or it is implicit part of
    > authentication, then the iSCSI Target Name and/or iSCSI Initiator Name
    > MUST be sent in the login command for the first connection of a session
    > to identify the storage endpoint of the session
    
    In both the above cases, how does the initiator know when the target
    requires these names?  The partial login response occurs *only* once.
    So when going from the security->operational phase, there is no
    indication that the target would like these names sent.
    +++ The security negotiation is not ended with a partial response
    but through a complete handshake in the old and new schemes.
    The initiator will know beforehand, by the selection made, if it has to give
    its name or not.
    The whole point was for us to mandate what is mandatory for iSCSI in general
    and leave all the other choices open.
    With IPSec it is less of an issue as the name can be presented on an
    encrypted although not fully authenticated channel +++
    
    There are 3 options here:
    (A) Always send the names in the login command.  Simplify target
       and initiator and eliminate a few of those partial login
       response codes.
    (B) Maintain a configuration database (per-target) of when names
       must be sent - adds an administration burden.
    (C) Change the wire protocol to allow the target to indicate when
       the names must be sent - again more complications.
    +++ Please read and react to the new proposals +++
    To round up, I prefer Option (A).  These are just names and not
    passwords, so the security risks are minimal.  Are we trying to
    protect against traffic analysis?
    +++ I agree that it is simpler to think about it this way. I do not agree
    that it is more difficult to implement.
    If you need the name in the security negotiation it is just another
    parameter of the method and you will know when to present it.
    If you don't need it you will present it on the last Login request (or Text
    in the old version) - the one that holds the F bit set.
    Again, I hold no strong opinion for or against what you suggest.
    I simply don't want us to make a decision based on convenience. It is a bad
    guide.
    +++
    -Sandeep
    
    > >
    > > Steve Senum <ssenum@cisco.com>@ece.cmu.edu on 29-08-2001 23:59:36
    > >
    > > Please respond to Steve Senum <ssenum@cisco.com>
    > >
    > > Sent by:  owner-ips@ece.cmu.edu
    > >
    > >
    > > To:   ietf-ips <ips@ece.cmu.edu>
    > > cc:
    > > Subject:  Re: iSCSI - Change - Login/Text commands with the binary stage
    > >       code
    > >
    > >
    > >
    > > Julian,
    > >
    > > A couple of ideas from Matthew Burbridge & Co.'s
    > > login proposal that has generated some interest here:
    > >
    > > 1. Removal of partial login response.  Is it still needed?
    > >
    > > 2. Requiring Initiator and (if not a discovery session)
    > >    Target names on login command, so they are always
    > >    available if needed by the initial phase.
    > >
    > > Comments?
    > >
    > > Regards,
    > > Steve Senum
    > >
    > >
    > >
    > >
    
    
    
    

