
    RE: iscsi - InitiatorName key during login



    An example to support why InitiatorName is required on the leading login PDU of any connection -
     
    Suppose there are two Initiator Nodes on a system (not preferred, but not prohibited - perhaps these are two test implementations ;-)
    These two INs use the same IP address
    Both have separate sessions w/ ISID/TSID = 1/1 (possible in the current model since they are two separate initiators).
     
    The only way for the target to differentiate "which session" an incoming connection wants to join is "InitiatorName" as everything else is legitimately the same.

    Marjorie
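The two-initiator case above, together with the ISID/TSID "guessing" concern raised further down the thread, modeled as a small target-side check on the first login PDU of each connection. This is an added illustration, not code from any iSCSI implementation or from anyone on the list; the iqn-style names, the dict-of-keys PDU form and treating TSID=0 as a leading login are assumptions of the example.

```python
from dataclasses import dataclass, field

@dataclass
class Session:
    initiator_name: str
    isid: int
    tsid: int
    connections: list = field(default_factory=list)

class Target:
    """Target-side bookkeeping: a session is identified by (InitiatorName, ISID, TSID)."""
    def __init__(self, name_required_on_every_connection):
        self.name_required = name_required_on_every_connection
        self.sessions = []

    def login(self, pdu, cid):
        """Handle the first login PDU of a TCP connection. pdu is a dict of the PDU's
        key=value pairs plus ISID/TSID; TSID=0 models a leading login (assumption)."""
        name, isid, tsid = pdu.get("InitiatorName"), pdu["ISID"], pdu["TSID"]
        if tsid == 0:
            if name is None:  # every reading of the draft requires the name here
                return ("reject", "leading login without InitiatorName")
            # TSID only has to be unique per initiator, so two nodes may both get TSID=1
            tsid = 1 + sum(s.initiator_name == name for s in self.sessions)
            self.sessions.append(Session(name, isid, tsid, [cid]))
            return ("accept", f"new session {name} ISID={isid} TSID={tsid}")
        if name is None and self.name_required:
            return ("reject", "InitiatorName missing on first login PDU of connection")
        found = [s for s in self.sessions if (s.isid, s.tsid) == (isid, tsid)
                 and (name is None or s.initiator_name == name)]
        if len(found) != 1:  # no such session, or ambiguous when the name is not checked
            return ("reject", f"{len(found)} sessions match ISID={isid} TSID={tsid}")
        found[0].connections.append(cid)
        return ("accept", f"joined session of {found[0].initiator_name}")

NODE_A = "iqn.2001-10.com.example:node-a"   # constructed sample names
NODE_B = "iqn.2001-10.com.example:node-b"

def run_scenario(name_required):
    """Two initiator nodes on one host, both ending up with ISID/TSID = 1/1, then a
    second connection from node-b and a connection that only guessed ISID/TSID."""
    t = Target(name_required)
    t.login({"InitiatorName": NODE_A, "ISID": 1, "TSID": 0}, cid=0)
    t.login({"InitiatorName": NODE_B, "ISID": 1, "TSID": 0}, cid=0)
    join = t.login({"InitiatorName": NODE_B, "ISID": 1, "TSID": 1}, cid=1)
    guess = t.login({"ISID": 1, "TSID": 1}, cid=1)
    # with a single session on the target, a guessed ISID/TSID has nothing to collide with
    single = Target(name_required)
    single.login({"InitiatorName": NODE_A, "ISID": 1, "TSID": 0}, cid=0)
    guess_single = single.login({"ISID": 1, "TSID": 1}, cid=1)
    return {"join": join[0], "guess": guess[0], "guess_single": guess_single[0]}
```

With the name required, the guessed ISID/TSID is rejected in both layouts; without it, the single-session target accepts the guessed connection, which is the spoofing case the thread worries about.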

    -----Original Message-----
    From: Julian Satran [mailto:Julian_Satran@il.ibm.com]
    Sent: Monday, October 08, 2001 9:01 PM
    To: KRUEGER,MARJORIE (HP-Roseville,ex1)
    Cc: ips@ece.cmu.edu; owner-ips@ece.cmu.edu
    Subject: RE: iscsi - InitiatorName key during login


    Marjorie,

    I am not an expert in names :-)
    It is up to your team to tell me what to do.  I can object (as any list member) but I do not have any strong belief on this.
    IMHO it is overkill to have it on any connection since this requires the target to check it against SSID but that
    is only an opinion (and I have been known not to agree with my own opinions sometimes).

    Julo


    "KRUEGER,MARJORIE (HP-Roseville,ex1)" <marjorie_krueger@hp.com>
    Sent by: owner-ips@ece.cmu.edu

    09-10-01 00:14
    Please respond to "KRUEGER,MARJORIE (HP-Roseville,ex1)"

            To:        Julian Satran/Haifa/IBM@IBMIL, ips@ece.cmu.edu
            cc:
            Subject:        RE: iscsi - InitiatorName key during login



    In any implementation, there may be a separation between authentication and
    authorization.

    I admit insufficient data WRT iSCSI security draft, but I am assuming that
    regardless what authentication scheme is in use, an implementation may or
    may not have some association between authentication "userId" and an
    initiator access control list consisting of InitiatorNames.  So even if an
    initiator is "authenticated", this InitiatorName may not be allowed access
    to this target?  The earlier list discussion seemed to indicate "userId" is
    separate from "InitiatorName"

    For instance, IPSec authenticates based on IP address.  But there is no
    requirement that there be a one-one association between an IP address and an
    InitiatorName, so while the IP address may authenticate, the InitiatorName
    may not be allowed access to the target.  

    Perhaps on a connection joining a session, it is enough that the connection
    knows the correct ISID, TSID?  But I am thinking that requiring the correct
    InitiatorName is a small price to pay for an added check.  ISID=1, TSID=1 is
    easy to "guess", but correct InitiatorName is not.

    Please correct me if you see a flaw in my thinking...

    Marjorie  
    -----Original Message-----
    From: Julian Satran [mailto:Julian_Satran@il.ibm.com]
    Sent: Monday, October 08, 2001 2:10 PM
    To: ips@ece.cmu.edu
    Subject: RE: iscsi - InitiatorName key during login



    You are the naming team so you must be right!  The current authentication
    schemes do not make specific use of the InitiatorName but some
    authentication has to be used. What makes InitiatorName needed that you did
    consider earlier?

    Julo


    John Hufferd@IBMUS
    08-10-01 22:36

           To:        Julian Satran/Haifa/IBM@IBMIL@IBMDE, "KRUEGER,MARJORIE
    (HP-Roseville,ex1)" <marjorie_krueger@hp.com>, andy@windriver.com
           cc:        ips@ece.cmu.edu
           From:        John Hufferd/San Jose/IBM@IBMUS
           Subject:        RE: iscsi - InitiatorName key during login

    Marjorie is correct.  Without the Initiator Name on all Logins a Secondary
    Connection can spoof its way in.  The appendix needs to be corrected.

    .
    .
    .
    John L. Hufferd
    Senior Technical Staff Member (STSM)
    IBM/SSG San Jose Ca
    Main Office (408) 256-0403, Tie: 276-0403,  eFax: (408) 904-4688
    Home Office (408) 997-6136
    Internet address: hufferd@us.ibm.com

    Sent by:        owner-ips@ece.cmu.edu
    To:        ips@ece.cmu.edu
    cc:        
    Subject:        RE: iscsi - InitiatorName key during login



    I would think InitiatorName is required on the first login PDU of every
    connection - InitiatorName is required for target authentication of the
    initiator, and that happens each time a connection joins the session.  To
    behave otherwise seems an opportunity for identity spoofing?

    In any case, this needs to be clarified in the next revision...

    Marjorie Krueger
    Networked Storage Architecture
    Networked Storage Solutions Org.
    Hewlett-Packard
    tel: +1 916 785 2656
    fax: +1 916 785 0391
    email: marjorie_krueger@hp.com

    > -----Original Message-----
    > From: andy currid [mailto:andy@windriver.com]
    > Sent: Monday, October 08, 2001 9:34 AM
    > To: ips@ece.cmu.edu
    > Subject: iscsi - InitiatorName key during login
    >
    >
    >
    > iSCSI version 8 is unclear as to whether InitiatorName is required
    > in the first login PDU of every login in a session, or just the
    > leading login.
    >
    > Chapter 5, Login Phase, states -
    >
    >  "The login phase sequence of commands and responses proceeds
    > as follows:
    >
    >    - login initial request
    >    - login partial response (optional)
    >    - more login requests and responses (optional)
    >    - login final-response (mandatory)
    >
    >   The initial login request MUST include the InitiatorName and
    >   SessionType key=value pairs."
    >
    > Taken in the context, this wording implies that for any login, the
    > first login PDU must contain the InitiatorName key.
    >
    > Appendix D.13, InitiatorName, states that InitiatorName is Leading
    > Only and that "this key MUST be provided by the initiator of the TCP
    > connection to the remote endpoint before the end of the login phase".
    >
    > This wording implies that InitiatorName is supplied in the leading
    > login only, and need not necessarily appear in the first login PDU
    > of the leading login.
    >
    > So which is correct?
    >
    > It seems to me that requiring that InitiatorName be present in the
    > first PDU of the leading login is a must, to allow targets to verify
    > up front whether or not they wish to proceed further with this
    > initiator. I don't think there's much incremental benefit to having
    > InitiatorName appear in the first login PDU of every login.
    >
    > Andy
    > --
    > Andy Currid                                       andy@windriver.com
    > Server Products Group                       http://www.windriver.com
    > Wind River Networks                         Phone : (1) 510 749 2191
    > 500 Wind River Way, Alameda, CA 94501       Fax   : (1) 510 749 2560
    >




Last updated: Tue Oct 09 12:17:27 2001