Re: RE: FW: Redirection (was UNH Plugfest 5)

To: Black_David@emc.com, Julian_Satran@il.ibm.com

Subject: Re: RE: FW: Redirection (was UNH Plugfest 5)

From: Julian Satran <satran@haifasphere.co.il>

Date: Fri, 17 Jan 2003 18:38:05 +0200

CC: ips@ece.cmu.edu

Content-Type: multipart/mixed; boundary="----=____1042821485481_NDFj9,IU0-"

Reply-To: Julian_Satran@il.ibm.com

Sender: owner-ips@ece.cmu.edu

OK - Julo > > From: Black_David@emc.com > Date: 2003/01/17 Fri PM 04:21:47 GMT+02:00 > To: Julian_Satran@il.ibm.com > CC: ips@ece.cmu.edu > Subject: RE: FW: Redirection (was UNH Plugfest 5) > > I certainly don't want to forbid redirection w/o authentication. > "SHOULD be accepted during authentication" is ok, although we > should point out that there may be valid security concerns that > lead an administrator to do otherwise. > > Thanks, > --David > > -----Original Message----- > From: Julian Satran [mailto:Julian_Satran@il.ibm.com] > Sent: Friday, January 17, 2003 5:55 AM > To: Black_David@emc.com > Cc: ips@ece.cmu.edu; owner-ips@ece.cmu.edu > Subject: Re: FW: Redirection (was UNH Plugfest 5) > > > > > David, > > The only way to do it cleany the way you want it is to allow the redirect > response (0101 and 0102) only in operational parameter stage. > But that seems rather excessive. If we want to mandate a single way of > handling I would suggest stating that 0101 and 0102 > SHOULD be accepted even during authentication (Paul's POV). Again I don't > thing it adds anything as local policy may prevent an initiator from > considering those values. > > Julo > > > > > > Black_David@emc.com > Sent by: owner-ips@ece.cmu.edu > > > 17/01/03 01:11 > > > To > ips@ece.cmu.edu > > cc > > Subject > FW: Redirection (was UNH Plugfest 5) > > > > > > > Forwarding an off-list note on this topic - a SHOULD is useful > here to express a preference for which redirection mechanism > to use in the presence of authentication. I prefer the SHOULD > for redirection after authentication because rogue target attacks > are more dangerous to iSCSI than rogue initiator attacks because > the initiator authenticates first when using CHAP. Redirection > prior to authentication makes it easier to mount a rogue target > attack. > > Thanks, > --David > > -----Original Message----- > From: Paul Koning [mailto:pkoning@equallogic.com] > Sent: Thursday, January 16, 2003 3:57 PM > To: Black_David@emc.com > Cc: Julian_Satran@il.ibm.com > Subject: RE: Redirection (was UNH Plugfest 5) > > > >>>>> "Black" == Black David <Black_David@emc.com> writes: > > Black> The most I could see doing here would be: - In the absence of > Black> explicit administrative action, - If a target is contacted by > Black> an Initiator requesting SecurityNegotiation, - And the target > Black> would issue a redirect to that Initiator based on the target > Black> name the initiator is trying to contact, - Then the target > Black> SHOULD negotiate security before issuing the redirect. > > My preference is to swing the SHOULD in the other direction, because > there is no security issue in doing so. (In other words, if the > initiator requests security negotiation and the target replies with a > redirect, the initiator SHOULD accept that redirect as valid without a > full security negotiation.) But your proposal still serves to > strengthen the spec. > > paul > > > > >

I certainly don't want to forbid redirection w/o authentication.

"SHOULD be accepted during authentication" is ok, although we

should point out that there may be valid security concerns that

lead an administrator to do otherwise.

Thanks,

--David

-----Original Message-----
From: Julian Satran [mailto:Julian_Satran@il.ibm.com]
Sent: Friday, January 17, 2003 5:55 AM
To: Black_David@emc.com
Cc: ips@ece.cmu.edu; owner-ips@ece.cmu.edu
Subject: Re: FW: Redirection (was UNH Plugfest 5)

David,

The only way to do it cleany the way you want it is to allow the redirect response (0101 and 0102) only in operational parameter stage.
But that seems rather excessive. If we want to mandate a single way of handling I would suggest stating that 0101 and 0102
SHOULD be accepted even during authentication (Paul's POV). Again I don't thing it adds anything as local policy may prevent an initiator from
considering those values.

Julo

Black_David@emc.com
Sent by: owner-ips@ece.cmu.edu

17/01/03 01:11

To	ips@ece.cmu.edu
cc
Subject	FW: Redirection (was UNH Plugfest 5)

Forwarding an off-list note on this topic - a SHOULD is useful here to express a preference for which redirection mechanism to use in the presence of authentication. I prefer the SHOULD for redirection after authentication because rogue target attacks are more dangerous to iSCSI than rogue initiator attacks because the initiator authenticates first when using CHAP. Redirection prior to authentication makes it easier to mount a rogue target attack. Thanks, --David -----Original Message----- From: Paul Koning [mailto:pkoning@equallogic.com] Sent: Thursday, January 16, 2003 3:57 PM To: Black_David@emc.com Cc: Julian_Satran@il.ibm.com Subject: RE: Redirection (was UNH Plugfest 5) >>>>> "Black" == Black David <Black_David@emc.com> writes: Black> The most I could see doing here would be: - In the absence of Black> explicit administrative action, - If a target is contacted by Black> an Initiator requesting SecurityNegotiation, - And the target Black> would issue a redirect to that Initiator based on the target Black> name the initiator is trying to contact, - Then the target Black> SHOULD negotiate security before issuing the redirect. My preference is to swing the SHOULD in the other direction, because there is no security issue in doing so. (In other words, if the initiator requests security negotiation and the target replies with a redirect, the initiator SHOULD accept that redirect as valid without a full security negotiation.) But your proposal still serves to strengthen the spec. paul