RE: iscsi - InitiatorName key during login
An example to support why InitiatorName is required on the leading login PDU of any connection -

Suppose there are two Initiator Nodes on a system (not preferred, but not prohibited - perhaps these are two test implementations ;-)

These two INs use the same IP address.

Both have separate sessions w/ ISID/TSID = 1/1 (possible in the current model since they are two separate initiators).

The only way for the target to differentiate "which session" an incoming connection wants to join is "InitiatorName" as everything else is legitimately the same.
Marjorie
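As an added illustration of the two-initiators-one-address case above (example code written for this page, not code from the iSCSI drafts or from anyone on the list): a toy target-side session table in which a joining connection cannot be placed by ISID/TSID alone, but is placed unambiguously once the first login PDU also carries InitiatorName. The initiator names, the IP address and the table layout are constructed; this is not the iSCSI login state machine.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class LoginRequest:
    """The login-PDU fields this check looks at; initiator_name None = key absent."""
    source_ip: str
    isid: int
    tsid: int
    initiator_name: Optional[str]


class TargetSessionTable:
    """Toy target-side session table (constructed; not the iSCSI login machine)."""

    def __init__(self):
        # A session's full identity is (InitiatorName, ISID, TSID).
        self.sessions = set()

    def leading_login(self, req):
        """Leading login: InitiatorName is mandatory and creates the session."""
        if req.initiator_name is None:
            raise ValueError("InitiatorName is required on the leading login")
        self.sessions.add((req.initiator_name, req.isid, req.tsid))

    def owners_by_isid_tsid(self, req):
        """All the target can tell from ISID/TSID alone: owners of every matching
        session (the IP is legitimately the same too). Two or more = ambiguous."""
        return sorted(n for n, i, t in self.sessions if (i, t) == (req.isid, req.tsid))

    def accept_join(self, req):
        """Join with InitiatorName on the first login PDU: exact identity required."""
        if req.initiator_name is None:
            return False
        return (req.initiator_name, req.isid, req.tsid) in self.sessions


def demo():
    """Two initiator nodes on one host share IP 10.0.0.5 and ISID/TSID 1/1."""
    target = TargetSessionTable()
    target.leading_login(LoginRequest("10.0.0.5", 1, 1, "initiator-node-a"))
    target.leading_login(LoginRequest("10.0.0.5", 1, 1, "initiator-node-b"))
    no_name = LoginRequest("10.0.0.5", 1, 1, None)
    return {
        "owners_seen_without_name": target.owners_by_isid_tsid(no_name),
        "join_without_name": target.accept_join(no_name),
        "join_as_b": target.accept_join(LoginRequest("10.0.0.5", 1, 1, "initiator-node-b")),
        "join_as_unknown": target.accept_join(LoginRequest("10.0.0.5", 1, 1, "initiator-node-c")),
    }
```

Without the name the target sees two equally valid owners for ISID/TSID 1/1 and cannot tell which session the connection belongs to; with it, a connection is attached only to the session whose InitiatorName it presents.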
-----Original Message-----
From: Julian Satran [mailto:Julian_Satran@il.ibm.com]
Sent: Monday, October 08, 2001 9:01 PM
To: KRUEGER,MARJORIE (HP-Roseville,ex1)
Cc: ips@ece.cmu.edu; owner-ips@ece.cmu.edu
Subject: RE: iscsi - InitiatorName key during login
Marjorie,

I am not an expert in names :-) It is up to your team to tell me what to do. I can object (as any list member) but I do not have any strong belief on this. IMHO it is an overkill to have it on any connection since this requires the target to check it against SSID but that is only an opinion (and I have been known not to agree with my own opinions sometimes).

Julo
"KRUEGER,MARJORIE (HP-Roseville,ex1)" <marjorie_krueger@hp.com>
Sent by: owner-ips@ece.cmu.edu
09-10-01 00:14
Please respond to "KRUEGER,MARJORIE (HP-Roseville,ex1)"

To: Julian Satran/Haifa/IBM@IBMIL, ips@ece.cmu.edu
cc:
Subject: RE: iscsi - InitiatorName key during login
In any implementation, there may be a separation between authentication and authorization.

I admit insufficient data WRT iSCSI security draft, but I am assuming that regardless of what authentication scheme is in use, an implementation may or may not have some association between authentication "userId" and an initiator access control list consisting of InitiatorNames. So even if an initiator is "authenticated", this InitiatorName may not be allowed access to this target? The earlier list discussion seemed to indicate "userId" is separate from "InitiatorName".

For instance, IPSec authenticates based on IP address. But there is no requirement that there be a one-one association between an IP address and an InitiatorName, so while the IP address may authenticate, the InitiatorName may not be allowed access to the target.

Perhaps on a connection joining a session, it is enough that the connection knows the correct ISID, TSID? But I am thinking that requiring the correct InitiatorName is a small price to pay for an added check. ISID=1, TSID=1 is easy to "guess", but correct InitiatorName is not.

Please correct me if you see a flaw in my thinking...
Marjorie

-----Original Message-----
From: Julian Satran [mailto:Julian_Satran@il.ibm.com]
Sent: Monday, October 08, 2001 2:10 PM
To: ips@ece.cmu.edu
Subject: RE: iscsi - InitiatorName key during login
You are the naming team so you must be right!

The current authentication schemes do not make specific use of the InitiatorName but some authentication has to be used. What makes InitiatorName needed that you did consider earlier?

Julo
John Hufferd@IBMUS 08-10-01 22:36
To: Julian Satran/Haifa/IBM@IBMIL@IBMDE, "KRUEGER,MARJORIE (HP-Roseville,ex1)" <marjorie_krueger@hp.com>, andy@windriver.com
cc: ips@ece.cmu.edu
From: John Hufferd/San Jose/IBM@IBMUS
Subject: RE: iscsi - InitiatorName key during login
Marjorie is correct.

Without the Initiator Name on all Logins a Secondary Connection can spoof its way in. The appendix needs to be corrected.

. . . John L. Hufferd
Senior Technical Staff Member (STSM)
IBM/SSG San Jose Ca
Main Office (408) 256-0403, Tie: 276-0403, eFax: (408) 904-4688
Home Office (408) 997-6136
Internet address: hufferd@us.ibm.com
Sent by: owner-ips@ece.cmu.edu
To: ips@ece.cmu.edu
cc:
Subject: RE: iscsi - InitiatorName key during login
I would think InitiatorName is required on the first login PDU of every connection - InitiatorName is required for target authentication of the initiator, and that happens each time a connection joins the session. To behave otherwise seems an opportunity for identity spoofing?

In any case, this needs to be clarified in the next revision...

Marjorie Krueger
Networked Storage Architecture
Networked Storage Solutions Org.
Hewlett-Packard
tel: +1 916 785 2656
fax: +1 916 785 0391
email: marjorie_krueger@hp.com
> -----Original Message-----
> From: andy currid [mailto:andy@windriver.com]
> Sent: Monday, October 08, 2001 9:34 AM
> To: ips@ece.cmu.edu
> Subject: iscsi - InitiatorName key during login
>
> iSCSI version 8 is unclear as to whether InitiatorName is required
> in the first login PDU of every login in a session, or just the
> leading login.
>
> Chapter 5, Login Phase, states -
>
> "The login phase sequence of commands and responses proceeds
> as follows:
>
> - login initial request
> - login partial response (optional)
> - more login requests and responses (optional)
> - login final-response (mandatory)
>
> The initial login request MUST include the InitiatorName and
> SessionType key=value pairs."
>
> Taken in the context, this wording implies that for any login, the
> first login PDU must contain the InitiatorName key.
>
> Appendix D.13, InitiatorName, states that InitiatorName is Leading
> Only and that "this key MUST be provided by the initiator of the TCP
> connection to the remote endpoint before the end of the login phase".
>
> This wording implies that InitiatorName is supplied in the leading
> login only, and need not necessarily appear in the first login PDU
> of the leading login.
>
> So which is correct?
>
> It seems to me that requiring that InitiatorName be present in the
> first PDU of the leading login is a must, to allow targets to verify
> up front whether or not they wish to proceed further with this
> initiator. I don't think there's much incremental benefit to having
> InitiatorName appear in the first login PDU of every login.
>
> Andy
>
> --
> Andy Currid                 andy@windriver.com
> Server Products Group       http://www.windriver.com
> Wind River Networks         Phone : (1) 510 749 2191
> 500 Wind River Way, Alameda, CA 94501   Fax : (1) 510 749 2560
Last updated: Tue Oct 09 12:17:27 2001