SORT BY:

LIST ORDER
THREAD
AUTHOR
SUBJECT


SEARCH

IPS HOME


    [Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

    Re: ISCSI: User authentication vs. Machine Authentication for iSC SI



    
    Mark,
    You clearly understand part of the problem well.  You need to step a bit
    further.
    Just recommending the names be the same, does not address what happens
    when they are not.  So let me take you a bit further.
    
    A system that has an iSCSI Initiator Node Name "iqn.com.mother.jump"
    is given the UserID of "Wonder".
    Now assume that "Wonder" is Authenticated. Now the iSCSI client system with
    UserID
    of "Wonder" can now masquerade as any other Authorized iSCSI Initiator
    Node, by putting that name on its Login.
    
    This seems like it is not a real good idea, so the target system needs to
    prevent this.  That means that the Target System needs to bind together
    in some way the UserID and the approprate iSCSI Initiator Node Name.
    
    So only recommending that the UserID and iSCSI Initiator NodeName
    be the same means that everyone MUST implement a relationship
    binding Database that can be used to ensure that no one can masquerade
    as some other iSCSI Initiator Node.
    
    This also means that it needs to be tied into the UserID authorization
    Database/Directory such that when name etc. are change (which
    often they do), the iSCSI Target Device relationship/Binding Database
    is also updated.  If this is a manual process, it will get out on hand
    very quickly.
    
    For those of you that think this is a very simple one to one table, you
    might want to read Marks note again, he said that he could have
    a different UserID for each network he logs into.  If there is any
    cross connect to a specific iSCSI Target this means that the
    iSCSI Target Device needs to perhaps carry more then one
    UserID for each iSCSI Initiator Node Name.
    
    That may not be a significant problem since the networks
    may never interconnect.  Opinions would be useful here.
    
    Is their any other reason that an iSCSI Initiator Node would  have
    more then one UserID?
    
    Does anyone have a technique to ensure that only the iSCSI
    Initiator Node Name need be managed?
    
    
    
    .
    .
    .
    John L. Hufferd
    Senior Technical Staff Member (STSM)
    IBM/SSG San Jose Ca
    Main Office (408) 256-0403, Tie: 276-0403,  eFax: (408) 904-4688
    Home Office (408) 997-6136
    Internet address: hufferd@us.ibm.com
    
    
    Mark Bakke <mbakke@cisco.com>@cisco.com on 08/30/2001 01:07:35 PM
    
    Sent by:  mbakke@cisco.com
    
    
    To:   Stephen Bailey <steph@cs.uchicago.edu>
    cc:   ips@ece.cmu.edu, John Hufferd/San Jose/IBM@IBMUS
    Subject:  Re: ISCSI: User authentication vs. Machine Authentication for iSC
          SI
    
    
    
    Stephen Bailey wrote:
    >
    > > The new Name (UserID) is exactly what was implied at the meeting in
    > > Irvine.
    >
    > Oh.  How horrible.
    
    Ideally, you're right.  For instance, if iSCSI was using AuthMethod=CHAP,
    then it would be great if the CHAP username (N) specified was identical
    to the InitiatorName.
    
    In the draft, that's not how it is.  The user names for CHAP and SRP
    (I'm not sure about the others) are specified separately from the
    InitiatorName, so there's currently nothing in the protocol to prevent
    them from being different.
    
    In practise, there might be times when having them be different
    makes the "fit in" better with whatever administration scheme is
    out there.  For instance, if my desktop was assigned some iSCSI
    storage, and my username and password were kept on a RADIUS server
    somewhere, for use by file servers, web servers, and iSCSI servers
    or devices, my user name is likely to be a non-globally-unique
    string, probably "mbakke".  However, that's not likely to be
    my InitiatorName.  To make them the same, I would either have to
    change my InitiatorName on my desktop to "mbakke", to fit in with
    my login on all of our web and file servers, or the admin would
    have to create a new login for my iSCSI stuff on the RADIUS server,
    and maintain two of them.  Changing my login on everything to
    match an iSCSI name is likely not an option.
    
    Another possible place this could happen is if I am obtaining
    iSCSI "services" from more than one administratively-separate
    environment.  Each of these environments may prefer to assign
    me a user name for login that matches their own internal scheme.
    I may have some control over this, but in the end, it has to be
    unique within the service-provider's scheme.  This is very
    similar to setting up a user-name for your ISP at home; you
    may request a particular name, but if the ISP already has one,
    you have to pick again.
    
    The point is that if one had two of these environments providing
    services, they may each need a separate user name.
    
    Of course, the latter example could be solved by having the
    admins accept the initiator name that's already on my iSCSI
    client as the user name; these are supposed to be unique
    anyway.  The only trouble then is the same as before; if I am
    getting more than just iSCSI services from this provider, they
    would then have to maintain two user names for me.
    
    A third reason this might happen is that some centralized
    password authenticated services such as RADIUS may have
    length restrictions on their user names that are shorter than
    what is allowed in an iSCSI initiator name.
    
    Anyway, implementations have the most flexibility the way
    these protocols (SRP, CHAP) are currently documented.  I think
    that we could recommend that the iSCSI initiator name be the
    same wherever possible, but I don't see how we can require it.
    
    >
    > > A number of us, I am sure, think this is a very poor direction for an
    > > implementation.
    >
    > Agreed.  I just wanted to walk the space a little bit.  My point is
    > that while traditional SCSI passthru does confer control privs (and is
    > protected as such), it doesn't need to.  Specifically, a client using
    > SCSI passthru is not actually given the identity of the host OS, per
    > se.
    >
    > > So I believe we must consider such a potential application as
    > > probably a rouge application and do nothing to help this, and work
    > > to prevent it.
    >
    > I understand what you're saying, but I'm not sure it confers much
    > architectural direction.  There already must be a concept of identity
    > which is independent of anything bound to a particular system (e.g. IP
    > address, hardware network port etc.), so there's no way to exclude
    > that.
    >
    > > The important issue is, can we make the iSCSI Initiator Node Name be
    > > used as the UserID.
    
    
    Again, I think that the best we can do is recommend that they
    be the same, but I don't think we can take the step of requiring
    it.
    
    
    > Agreed.  Are there minutes to the meeting?
    >
    > Thanks,
    >   Steph
    
    --
    Mark A. Bakke
    Cisco Systems
    mbakke@cisco.com
    763.398.1054
    
    
    
    


Home

Last updated: Tue Sep 04 20:17:05 2001
6341 messages in chronological order