Re: FW: Redirection (was UNH Plugfest 5)

David,

The only way to do it cleanly the way you want it is to allow the redirect response (0101 and 0102) only in operational parameter stage. But that seems rather excessive.

If we want to mandate a single way of handling I would suggest stating that 0101 and 0102 SHOULD be accepted even during authentication (Paul's POV). Again I don't think it adds anything as local policy may prevent an initiator from considering those values.

Julo

Forwarding an off-list note on this topic - a SHOULD is useful here to express a preference for which redirection mechanism to use in the presence of authentication. I prefer the SHOULD for redirection after authentication because rogue target attacks are more dangerous to iSCSI than rogue initiator attacks because the initiator authenticates first when using CHAP. Redirection prior to authentication makes it easier to mount a rogue target attack.

Thanks,
--David

-----Original Message-----
From: Paul Koning [mailto:pkoning@equallogic.com]
Sent: Thursday, January 16, 2003 3:57 PM
To: Black_David@emc.com
Cc: Julian_Satran@il.ibm.com
Subject: RE: Redirection (was UNH Plugfest 5)

>>>>> "Black" == Black David <Black_David@emc.com> writes:

Black> The most I could see doing here would be:
Black> - In the absence of explicit administrative action,
Black> - If a target is contacted by an Initiator requesting SecurityNegotiation,
Black> - And the target would issue a redirect to that Initiator based on the target name the initiator is trying to contact,
Black> - Then the target SHOULD negotiate security before issuing the redirect.

My preference is to swing the SHOULD in the other direction, because there is no security issue in doing so. (In other words, if the initiator requests security negotiation and the target replies with a redirect, the initiator SHOULD accept that redirect as valid without a full security negotiation.) But your proposal still serves to strengthen the spec.

paul
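
The two initiator-side local policies debated in this thread, as an added example that is not part of the original messages or of any iSCSI implementation: it reads the stage and status from a Login Response header and decides whether a 0101/0102 redirect is followed. The header offsets (opcode 0x23, CSG in byte 1, Status-Class/Status-Detail at bytes 36-37) follow the iSCSI Login Response layout; the function names, the Policy enum and the sample headers are constructed for illustration, and it assumes the target reports SecurityNegotiation as the current stage when it redirects before authentication completes.

```python
import struct
from enum import Enum

LOGIN_RESPONSE_OPCODE = 0x23
SECURITY_NEGOTIATION = 0   # CSG value: authentication stage
REDIRECT_CODES = {0x0101: "target moved temporarily",
                  0x0102: "target moved permanently"}

class Policy(Enum):  # hypothetical names for the two positions in the thread
    ACCEPT_ANY_STAGE = "accept 0101/0102 even during authentication"
    AFTER_AUTH_ONLY = "follow a redirect only after authentication"

def make_login_response(csg: int, status: int) -> bytes:
    """Build a constructed 48-byte Login Response header (sample input)."""
    bhs = bytearray(48)
    bhs[0] = LOGIN_RESPONSE_OPCODE
    bhs[1] = (csg & 0x3) << 2                # T=0, C=0, CSG, NSG=0
    struct.pack_into(">H", bhs, 36, status)  # Status-Class, Status-Detail
    return bytes(bhs)

def parse_login_response(bhs: bytes) -> tuple[int, int]:
    """Return (current stage, 16-bit status) from a Login Response header."""
    if len(bhs) < 48:
        raise ValueError("truncated header")
    if bhs[0] & 0x3F != LOGIN_RESPONSE_OPCODE:
        raise ValueError("not a Login Response")
    csg = (bhs[1] >> 2) & 0x3
    (status,) = struct.unpack_from(">H", bhs, 36)
    return csg, status

def redirect_decision(bhs: bytes, policy: Policy, auth_required: bool) -> str:
    """Apply the initiator's local policy to a possible redirect."""
    csg, status = parse_login_response(bhs)
    if status not in REDIRECT_CODES:
        return "not-a-redirect"
    unauthenticated = csg == SECURITY_NEGOTIATION
    if unauthenticated and auth_required and policy is Policy.AFTER_AUTH_ONLY:
        return "reject"   # target has not proven its identity yet
    return "follow"

if __name__ == "__main__":
    early = make_login_response(SECURITY_NEGOTIATION, 0x0101)
    for p in Policy:
        print(p.name, redirect_decision(early, p, auth_required=True))
```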

Last updated: Fri Jan 17 15:19:01 2003