|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] iFCP: Responses to David Black iFCP Technical review commentsComment 4. [T] Section 2.1, Definition of FC-4 Layer "FC-4 - The fibre channel application layer. This layer is functionally equivalent to the TCP/IP application layer." I don't understand this. Are you equating FC-4 with OSI layer 7? If so, I'm not sure that is correct, and it might be better to leave out this attempted analogy. Accepted The definition will be changed to: "FC-4 - The fibre channel mapping of an upper level protocol, such as [FCP-2], the fibre channel SCSI mapping." Comment 5. [T] Section 3.2, page 10 a) "Arbitrated Loop -- A series of N_PORTs connected together in daisy-chain fashion. Data transmission between N_PORTs requires arbitration for control of the loop in a manner similar to a token ring network." That's not a fabric topology, unless the loop is fabric attached, in which case you're in case c), Mixed Fabric. iFCP can't support an FC-AL loop that isn't fabric-attached. Accepted in part The terminology will be changed to "fibre channel network topologies". However, like existing FC switch products, an iFCP gateway can emulate an FC-AL loop environment. The gateway does this by representing remotely attached devices as if they were resident on a local loop. The specification will be modified to describe such configurations. In addition, the following definition will be added: "Fabric -- From [FC-FS]: "The entity which interconnects N_PORTs attached to it and is capable of routing frames by using only the address information in the fibre channel frame." Comment 6. [T] Section 3.2, page 11, para 5 "Depending on the topology, the N_PORT and fabric port variants through which a fibre channel device is attached to the network may be one of the following: "Fabric Topology Fabric Port Type N_PORT Variant --------------- ---------------- -------------- Loop L_PORT NL_PORT Switched F_PORT N_PORT Mixed FL_PORT NL_PORT F_PORT N_PORT" I believe the Loop line in this table does not match the other lines and if so, this is one more reason to leave non-fabric- attached FC-AL out of this description. Accepted in part Since the loop topology can be supported, it should remain in the table. However, the terminology should be changed per Comment 5 and the table modified as shown below: "FC Network Topology N_PORT Variant FC Network Interface -------------------- -------------- -------------------- Loop NL_PORT L_PORT Switched N_PORT F_PORT Mixed NL_PORT FL_PORT via L_PORT" In the case of a mixed fabric, additional supporting text will be provided. Comment 9. [T] Section 4.4 - iFCP Fabric Properties At some point the need to reuse 24-bit addresses for outbound traffic from a single FC link behind an iFCP gateway will be a problem. This comment also applies to the second paragraph in Section 4.4.2. Accepted A discussion of address re-use issues will be added to the spec. Comment 11. [T] Section 4.5, pp 24, para 14 "The mode of gateway operation is settable in an implementation-specific manner. The implementation MUST NOT allow the mode to be changed after the gateway begins processing fibre channel frame traffic." Might want to add a MUST that a gateway cannot operate in more than one mode at the same time, and a repeat of the (implied) requirement that all gateways in an iFCP fabric MUST operate in the same mode. Accepted Comment 12. [T] Section 4.6. pp 24, para 2 b) "When interoperating with locally attached fibre channel switch elements, each iFCP gateway MUST assume control of DOMAIN_ID assignments in accordance with the appropriate Monia, et-al Category - Expiration [Page 6] Responses to iFCP Revision 10 Last Call Comments April 2002 fibre channel standard or vendor-specific protocol specification." This is ok, but turns up another requirement that needs to be explicitly stated earlier. Any given FC N_PORT MUST NOT be behind more than one iFCP gateway. Address Transparent mode satisfies this because only one gateway can become the principal switch, so the others presumably shut down, but Address Translation mode appears to have the potential for seriously nasty misbehavior unless the "iFCP gateway MUST become the principal switch" requirement is imposed on it also. Need to add a sentence or two on how an iFCP gateway can be assured of becoming the principal switch. Beyond this, the fact that any Fabric Attached FC-AL loop can have only one FL port completes the picture, ensuring that a loop can't stitch two gateway domains together. Requiring the iFCP gateway to be the principal switch also avoids problems with the gateway being unable to obtain sufficient Domain IDs from the principal switch. Accepted in Part For either iFCP fabric type, an N_PORT may be behind more than one gateway provided: a) One gateway becomes the 'principal switch' and b) All gateways attached to a given gateway region coordinate the assignment of N_PORT IDs and N_PORT aliases such that each N_PORT has one and only one assigned address. The above will be added to the specification. Comment 13. [T] Section 5.2.2.2, pp 32, para 4 "The gateway SHALL initiate the creation of an iFCP session in response to a PLOGI ELS directed to a remote N_PORT from a locally attached N_PORT as described in the following steps. a) "Using the D_ID field in the PLOGI frame header, locate the remote N_PORT descriptor. If no descriptor exists, the iFCP gateway SHALL return a response of LS_RJT, with a Reason Code of 'Unable to Perform Command Request' (0x09) and a Reason Code Explanation of 'Invalid N_PORT_ID' (0x1F). An iFCP session SHALL NOT be created." Need to explain why this is ok. The answer is that a properly operating FC N_PORT will have previously issued an FC nameserver query that the gateway translated to an iSNS query, and hence when it issues PLOGI to the result of the nameserver query, the iSNS query response created the required descriptor in the gateway before being translated to the FC nameserver result. There's an implication here that remote N_PORT descriptors that result from iSNS queries translated from FC nameserver queries MUST NOT be discarded as long as any N_PORT that has issued a query for that remote N_PORT is logged into the fabric. Accepted in part Although a name server query is almost always done in practice prior to a PLOGI, an N_PORT compliant with [FC-FS] is not required to do so. For that reason, the specification should cover the case where a fibre channel device attempts to send frames to an address without having executed a previous name server query. Also, while the policies for remote N_PORT descriptor retention are implementation-specific, the specification should at least contain recommendations. In that regard, the following added text is proposed: "Remote N_PORT Descriptors should be reclaimed based on a last in, first out policy. "An iFCP implementation should have sufficient resources to insure that a newly created descriptor is not reclaimed before the referencing iFCP session is created." Comment 17. [T] Section 5.2.2.2 - Creating an iFCP Session There's no discussion of what to do if a TCP connection closes unexpectedly during this process (e.g., if closing of unbound connections is allowed at arbitrary times for reasons such as reducing the resources consumed by unbound connections). This needs to be added even if the reason in parentheses is not allowed. Accepted Comment 18. [T] Section 5.2.2.2, pp 35, para 4 "Upon receiving such a request, the gateway providing the connectivity probe SHALL transmit LTEST messages at the specified interval." This requires liveness test (LTEST) messages even when the connection is in active use. Was that intended? Response The intent is to require LTEST messages at the specified interval regardless of whether or not there is other traffic. Comment 20. [T] Section 5.2.3.1, pp 38, para 1 "In response to the Unbind message, either gateway may choose to close the TCP connection or return it to a pool of unbound connections." This assumes that Unbind is always successful. It can fail, as documented in Section 6.2. Need to specify how to deal with this (e.g., close the TCP connection). Accepted The sentence will be modified as follows: "Upon successful completion of an Unbind operation, either gateway may choose to close the TCP connection or return it to a pool of unbound connections." The processing for the failure cases will also be specified. Comment 21. [T] Section 5.2.3.1 - iFCP Session Completion Can an iFCP gateway reduce the pool of unbound connections (e.g., due to demands for resources for other connections), possibly by closing them? If yes, need to say so. Accepted A gateway may close an unbound connection due to resource demands. The spec will be modified appropriately. Comment 23. [T] Section 5.4.1, pp 40, para 1 "Protocol# IANA-assigned protocol number identifying the protocol using the encapsulation. For iFCP the value is (/TBD/)." It's 2 - cite the FC Encapsulation draft's IANA Considerations section as the authority for this. Accepted Comment 25. [T] Section 5.4.2 - SOF and EOF Delimiter Fields "SOF (bits 31-24 and bits 23-16 in word 0): iFCP uses the following subset of the SOF fields described in [ENCAP]. This is a problem because these codes are being specified in more than one place. I think the FC Frame Encapsulation document is the right place for the normative specification of these codes (and see my comments against it on the need to get IANA involved). This would be ok as a list of codes that are currently valid, but the specification authority needs to be in one place. Same comment applies to EOF. Accepted in Part The specification will be revised in accordance with Comment 24. Comment 27. [T/E] Section 6 - TCP Session Control Messages Monia, et-al Category - Expiration [Page 11] Responses to iFCP Revision 10 Last Call Comments April 2002 Request LS_COMMAND Short Name iFCP Support ------- ---------- ---------- ----------- Connection Bind 0xE0 CBIND REQUIRED Unbind Connection 0xE4 UNBIND REQUIRED Test Connection Liveness 0xE5 LTEST REQUIRED [T/E] How do we know that those three values (E0, E4, and E5) will not conflict with some future usage by Fibre Channel? I think the answer is that SES=1 in the iFCP flags in the header, and would be 0 in any future use of these values in an ELS, but the use of those three values looks like an attempt to avoid conflict and should be explained. Accepted That is correct. These values were chosen as patterns readily distinguishable by a protocol analyzer. Comment 28. [T] 6.2 - Unbind Connection (UNBIND) "Unbind Status Description ------------- ----------- 0 Successful û No other status 1 - 15 Reserved 16 Failed - Unspecified Reason 18 Failed - Connection ID Invalid Others Reserved "Unbind can fail, but earlier specification of the use of Unbind (e.g., in Section 5.2.3.1) assumes that it cannot fail." Description of how to deal with Failed status needs to be added there (e.g., close the TCP connection). Accepted Comment 31. [T] 7.3 - Fibre Channel Link Services Processed by iFCP "The following Extended and FC-4 Link Service Messages must receive special processing." Process question - how does this list get coordinated with T11 so that it gets updated when T11 defines a new ELS or FC-4 LS that requires iFCP intervention? Response The specification must be revised to track the evolving fibre channel specifications, including, among other things, the addition of new link services that require special processing. Comment 32. [T] 7.3.1.1 - Abort Exchange (ABTX) "Fields Requiring Translation Supplemental Data Address Translation Type (see (type 3 only) ------------------- section 7.2) ------------ ----------- Exchange Originator 1, 2 N/A S_ID" Need to specify how to choose the translation type. This comment also applies to RES, RES ACC, RLS, RSS, RRQ, RSI, REC and REC ACC. It may be best resolved by adding additional text in Section 7.2. Accepted Comment 35. Section 8.2.1 - Enforcing R_A_TOV Limits The rules in this section appear to allow forwarding of all frames received while in Unsynchronized mode or with a timestamp of 0,0. This looks like formula for violating R_A_TOV - was this intended? Response The intention was to abort all iFCP sessions and not allow the creation of new ones. The specification will be revised accordingly. Comment 36. [T] Section 9.4.1 - Establishing the Broadcast Configuration "The broadcast configuration is managed using facilities provided by the iSNS server. Specifically: a) "An iSNS discovery domain is created and seeded with the network address of the global broadcast server N_PORT. The global server is identified as such by setting the appropriate N_PORT entity attribute." There are no means for recovery from failure, so loss of the gateway performing the broadcast service results in loss of the broadcast service. This needs to be explained at a minimum, and probably corrected. Accepted An implementation may designate a local server as a standby global broadcast server. The local server uses the LTEST message to determine if the global server is functioning and may assume control if not. The specification will be revised accordingly. Comment 37. [T] Section 10.2.2, page 82, para 1 "Conformant implementations of the iFCP protocol MAY use such security definitions." I don't understand this sentence. What was intended? Accepted The paragraph will be changed to: "It is imperative to thwart these attacks, given that an iFCP gateway is the last line of defense for a whole fibre channel island, which may include several hosts and fibre channel switches. To do so, the iFCP gateway must implement and may use confidentiality, data origin authentication, integrity, and replay protection on a per-datagram basis. The iFCP gateway must implement and may use bi-directional authentication of the communication endpoints. Finally, it must implement and may use a scalable approach to key management." Comment 38. [T] Section 10.2.3, pp 82, para 1 "Enterprise data center networks are considered mission- critical facilities that must be isolated and protected from all possible security threats. Such networks are usually protected by security gateways, which at a minimum provide a shield against denial of service attacks. The iFCP security architecture is capable of leveraging the protective services of the existing security infrastructure, including firewall protection, NAT and NAPT services, and IPSec VPN services available on existing security gateways." While this is true of iFCP, iSNS has some serious issues with NAT and NAPT and iFCP cannot be operated without iSNS. Rejected iSNS issues with NA(P)Ts are thought to be resolved (see Section 3.6 in the iSNS specification). iSNS has at least two non-exclusive options to cope with NA(P)Ts, a) the use of FQDNs instead of IP addresses, and b) the option to establish a confederation of iSNS servers and have them doctor IP numbers in transit as part of their mutual confederation contract. Comment 39. [T] Section 10.2.4, pp 82, para 1 "iFCP gateways MUST use Discovery Domain information obtained from the iSNS server [ISNS] to determine whether the initiating fibre channel N_PORT should be allowed access to the target N_PORT. N_PORT identities used in the Port Login (PLOGI) process shall be considered authenticated provided the PLOGI request is received from the remote gateway over a secure, IPSec-protected connection." Need to say something about the IKE identities (ID payloads) used for the authentication, and how they correspond to information obtained from iSNS - NATs/NAPTs will cause issues here. Just requiring an IPsec-protected connection isn't good enough as it may allow a node not registered with iSNS to get in. Accepted in part It would be premature to enumerate ID payloads in section 10.2.4, which describes the scope of the overall security design prior to any IKE/IPsec requirement (to follow in sections 10.3). The requested information will be supplied after the last paragraph in section 10.3.1. Regarding intervening NA(P)Ts between iSNS clients and servers, it is possible to put a proxy iSNS server at the boundary between addressing domains. Such proxy will terminate the IKE/IPSec so that the ID_IPV4_ADDR identity can be used natively by IKE. It is also possible to use the second method described in the response to comment 38 -- a confederation of iSNS servers where the NAT(P)T mediation now occurs between iSNS servers. Admission control is performed by the iSNS server, based upon the Discovery Domain (DD) configuration information stored in that iSNS server. Once the authenticity of a gateway is verified (e.g., via a pre-shared key) and IPsec SAs are established, then the gateway is trusted to behave according to the specification, which mandates a handshake with iSNS for admission. Comment 41. [T] Section 10.2.7 Authorization "Authorization is outside of the scope of this specification, and is seen as fully orthogonal to the iFCP security design. Such design, however, includes key authorization-enabling features in the form of Identity Payload (e.g., ID_FQDN), certificate-based authentication (e.g., with X509v3 certificates), and discovery domains [ISNS]." What?? If iSNS doesn't know about an iFCP gateway, that gateway shouldn't be able to talk to any other iFCP gateway. That's access control, which counts as authorization in my book. Accept The paragraph will be re-written as follows. "Basic access control properties stem from the requirement that the communicating iFCP gateways be known to one or more iSNS servers before they can engage in iFCP exchanges. The optional use of Identity Payloads (e.g., ID_FQDNs), certificate-based authentication (e.g., with X509v3 certificates), and discovery domains [ISNS] enables authorization schemas of increasing complexity. The definition of such schemas (e.g., role-based access control) is outside of the scope of this specification." Comment 43. [T] Section 10.3.2, pp 86, para 9 "Upon receiving an IKE Phase-2 delete message, there is no requirement to terminate the protected TCP connections or delete the associated IKE Phase-1 SA. Since an IKE Phase-2 SA may be associated with multiple TCP connections, terminating such connections might in fact be inappropriate and untimely. An iFCP Portal must instead attempt to create a new Phase-2 SA while there are outstanding iFCP sessions." That's a problem. If the other side is behaving in accordance with the next paragraph ...: "To minimize the number of active Phase-2 SAs, IKE Phase-2 delete messages may be sent for Phase-2 SAs whose TCP connections have not handled data traffic for a while. To minimize the use of SA resources while the associated TCP connections are idle, creation of a new SA may be deferred until new data is to be sent over the connections." ... and is deleting the Phase-2 SAs because it lacks the resources to support them, immediately creating a new Phase-2 SA in response to delete messages risks livelock (massive churn in Phase-2 SA creation/destruction). Creating a new Phase-2 SA in response to a Phase-2 delete message SHOULD be deferred until there is traffic to send over that SA. Accepted We shall be removing the misleading sentence "An iFCP Portal must instead attempt to create a new Phase-2 SA while there are outstanding iFCP sessions." and promote from may to SHOULD prior to the word 'deferred'. The resulting modified text is shown below: "Upon receiving an IKE Phase-2 delete message, there is no requirement to terminate the protected TCP connections or delete the associated IKE Phase-1 SA. Since an IKE Phase-2 SA may be associated with multiple TCP connections, terminating such connections might in fact be inappropriate and untimely. "To minimize the number of active Phase-2 SAs, IKE Phase-2 delete messages may be sent for Phase-2 SAs whose TCP connections have not handled data traffic for a while. To minimize the use of SA resources while the associated TCP connections are idle, creation of a new SA SHOULD be deferred until new data is to be sent over the connections." Comment 45. [T] Section A.2 - Link Services Processed Transparently "ACC Accept" Is that right? I thought this was intercepted in some cases, as indicated in Table 6. Response The ACC description will be modified to discriminate between the transparent and non-transparent cases. Comment 46. [T] Section A.2 - Link Services Processed Transparently FDISC Discover F_Port Service Parameters FLOGI F_Port Login RTV Read Timeout Value Definitely wrong - the iFCP gateway has to implement these itself as specified in Section 9.1. Accepted in Part Special link service messages are those which require intervention by an iFCP protocol implementation before they are passed to the destination N_PORT. Transparent link service messages are passed to the destination N_PORT without such intervention. In that regard, the above link services are processed transparently. The specification will be modified to make the above distinction clearer and the section will be re-titled as: "Link Services Processed Transparently by the iFCP layer". Comment 47. [T] Section A.2 - Link Services Processed Transparently LINIT Loop Initialize LPC Loop Port Control LSTS Loop Status SCL Scan Remote Loop I don't have time to check these, but I'm suspicious about whether anything that has "Loop" as part of its name can/should be forwarded transparently into an FC fabric, although SCL seems plausible. Please verify whether these are transparent. Response SCL must be processed as a special link service message. iFCP will be modified accordingly. The remaining link services listed above are transparent. Comment 48. [T] Section A.2 - Link Services Processed Transparently RSCN Registered State Change Notification SCN State Change Notification SCR State Change Registration Those can't be transparent, as Section 9.2 requires the iFCP gateway to implement them. Response See response to Comment 46.
Home Last updated: Tue May 07 15:18:27 2002 10002 messages in chronological order |