
    RE: iscsi - InitiatorName key during login



    
    Julian,
    Even on Secondary connections, Security Authentication is required.  As
    part of this Authentication, the implementation needs to validate that the
    UserID has the right to use a specific iSCSI Initiator Name; therefore it
    needs to have the iSCSI Initiator Name.
    
    Now it is possible that the implementation has kept the Initiator Node
    Name somewhere associated with the primary connection.  In this case, if
    the other information in the PDU was sufficient to obtain the correlation
    to a specific Session, and thereby extract the iSCSI Initiator Name, then
    it would be possible to compare that to the list of iSCSI Initiators which
    the UserID is allowed to use.
    
    So, I guess I overspoke; it is possible to come up with an approach that
    works without the iSCSI Initiator Name being sent on the Secondary
    Connection, but it would be a non-standard compare path with the normal
    ACL interaction.
    
    I still believe, however, that the iSCSI Initiator Name should be required
    on each connection to keep the implementations easier.
    
    .
    .
    .
    John L. Hufferd
    Senior Technical Staff Member (STSM)
    IBM/SSG San Jose Ca
    Main Office (408) 256-0403, Tie: 276-0403,  eFax: (408) 904-4688
    Home Office (408) 997-6136
    Internet address: hufferd@us.ibm.com
    
    
    "Julian Satran" <Julian_Satran@il.ibm.com>@ece.cmu.edu on 10/08/2001
    02:09:36 PM
    
    Sent by:  owner-ips@ece.cmu.edu
    
    
    To:   ips@ece.cmu.edu
    cc:
    Subject:  RE: iscsi - InitiatorName key during login
    
    
    
    
    You are the naming team so you must be right!  The current authentication
    schemes do not make specific use of the InitiatorName but some
    authentication has to be used. What makes InitiatorName needed that you
    did consider earlier?
    
    Julo
    
    
                                                                                
                                 John Hufferd@IBMUS               To:           
                                                          Julian                
                                 08-10-01 22:36           Satran/Haifa/IBM@IBMI 
                                                          L@IBMDE,              
                                                          "KRUEGER,MARJORIE     
                                                          (HP-Roseville,ex1)"   
                                                          <marjorie_krueger@hp. 
                                                          com>,                 
                                                          andy@windriver.com]   
                                                                  cc:           
                                                          ips@ece.cmu.edu       
                                                                  From:         
                                                          John Hufferd/San      
                                                          Jose/IBM@IBMUS        
                                                                  Subject:      
                                                          RE: iscsi -           
                                                          InitiatorName key     
                                                          during loginLink      
                                                                                
                                                                                
                                                                                
                                                                                
                                                                                
                                                                                
    
    
    
    Marjorie is correct.  Without the Initiator Name on all Logins  a Secondary
    Connection can spoof its way in.  The appendix needs to be corrected.
    
    .
    .
    .
    John L. Hufferd
    Senior Technical Staff Member (STSM)
    IBM/SSG San Jose Ca
    Main Office (408) 256-0403, Tie: 276-0403,  eFax: (408) 904-4688
    Home Office (408) 997-6136
    Internet address: hufferd@us.ibm.com
    
    
    Sent by:        owner-ips@ece.cmu.edu
    
    To:        ips@ece.cmu.edu
    cc:
    Subject:        RE: iscsi - InitiatorName key during login
    
    
    
    I would think InitiatorName is required on the first login PDU of every
    connection - InitiatorName is required for target authentication of the
    initiator, and that happens each time a connection joins the session.  To
    behave otherwise seems an opportunity for identity spoofing?
    
    In any case, this needs to be clarified in the next revision...
    
    Marjorie Krueger
    Networked Storage Architecture
    Networked Storage Solutions Org.
    Hewlett-Packard
    tel: +1 916 785 2656
    fax: +1 916 785 0391
    email: marjorie_krueger@hp.com
    
    > -----Original Message-----
    > From: andy currid [mailto:andy@windriver.com]
    > Sent: Monday, October 08, 2001 9:34 AM
    > To: ips@ece.cmu.edu
    > Subject: iscsi - InitiatorName key during login
    >
    >
    >
    > iSCSI version 8 is unclear as to whether InitiatorName is required
    > in the first login PDU of every login in a session, or just the
    > leading login.
    >
    > Chapter 5, Login Phase, states -
    >
    >  "The login phase sequence of commands and responses proceeds
    > as follows:
    >
    >    - login initial request
    >    - login partial response (optional)
    >    - more login requests and responses (optional)
    >    - login final-response (mandatory)
    >
    >   The initial login request MUST include the InitiatorName and
    >   SessionType key=value pairs."
    >
    > Taken in the context, this wording implies that for any login, the
    > first login PDU must contain the InitiatorName key.
    >
    > Appendix D.13, InitiatorName, states that InitiatorName is Leading
    > Only and that "this key MUST be provided by the initiator of the TCP
    > connection to the remote endpoint before the end of the login phase".
    >
    > This wording implies that InitiatorName is supplied in the leading
    > login only, and need not necessarily appear in the first login PDU
    > of the leading login.
    >
    > So which is correct?
    >
    > It seems to me that requiring that InitiatorName be present in the
    > first PDU of the leading login is a must, to allow targets to verify
    > up front whether or not they wish to proceed further with this
    > initiator. I don't think there's much incremental benefit to having
    > InitiatorName appear in the first login PDU of every login.
    >
    > Andy
    > --
    > Andy Currid                                       andy@windriver.com
    > Server Products Group                       http://www.windriver.com
    > Wind River Networks                         Phone : (1) 510 749 2191
    > 500 Wind River Way, Alameda, CA 94501       Fax   : (1) 510 749 2560
    >
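
The check argued for in this thread, as an added example that is not part of the original messages or of the iSCSI draft: a target requires InitiatorName in the first login PDU of every connection, validates it against the authenticated UserID's ACL, and, for a secondary connection, against the name bound to the session. The function names, ACL contents, session table and initiator names are constructed assumptions; the text keys are taken to be NUL-terminated key=value pairs.

```python
# Added example: names, ACL contents and session table are constructed.
ACL = {  # authenticated UserID -> iSCSI Initiator Names it may use
    "alice": {"iqn.2001-10.com.example:host1", "iqn.2001-10.com.example:host2"},
    "bob": {"iqn.2001-10.com.example:host3"},
}
SESSIONS = {1: "iqn.2001-10.com.example:host1"}  # session -> name bound at leading login


def parse_text_keys(data: bytes) -> dict:
    """Parse NUL-terminated key=value pairs from a login PDU data segment."""
    keys = {}
    for item in data.split(b"\x00"):
        if not item:
            continue
        key, sep, value = item.partition(b"=")
        if not sep or not key:
            raise ValueError("malformed text key: %r" % item)
        keys[key.decode("ascii")] = value.decode("utf-8")
    return keys


def check_login(first_pdu: bytes, user_id: str, session_id=None):
    """Decide whether a connection may proceed; returns (accepted, reason).

    user_id is the identity the security phase authenticated; session_id is
    None for a leading login and the existing session for a secondary one.
    """
    name = parse_text_keys(first_pdu).get("InitiatorName")
    if not name:
        return False, "InitiatorName missing from first login PDU"
    if name not in ACL.get(user_id, set()):
        return False, "UserID may not use this InitiatorName"
    if session_id is not None:
        bound = SESSIONS.get(session_id)
        if bound is None:
            return False, "no such session"
        if bound != name:
            return False, "InitiatorName differs from the session's"
    return True, "ok"
```

Because the name arrives on every connection, the secondary-connection case runs through the same ACL comparison as the leading login instead of a separate session-lookup path.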
    
    
    
    
    
    
    
    



Last updated: Mon Oct 08 19:17:26 2001