RE: FW: Redirection (was UNH Plugfest 5)

To: "Paul Koning" <pkoning@equallogic.com>
Subject: RE: FW: Redirection (was UNH Plugfest 5)
From: "Rod Harrison" <rod.harrison@windriver.com>
Date: Sat, 18 Jan 2003 09:47:47 -0600
Cc: <Julian_Satran@il.ibm.com>, <Black_David@emc.com>, <ips@ece.cmu.edu>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain;charset="us-ascii"
Importance: Normal
In-Reply-To: <15912.31941.797000.996861@gargle.gargle.HOWL>
Sender: owner-ips@ece.cmu.edu


I haven't seen this via the ips reflector, I guess it's having problems but
apologies if this reply is now out of date.

I still agree with Paul that we should choose a mechanism but I disagree the
options are equivalent, at least from the point of view of an admin trying to
figure what is going on.

Consider in the redirect before authentication case target A is impersonated by
A'. A' redirects to B' which redirects to A' etc. There is nothing in the spec
about how many redirects are valid, and of course implementations will impose
arbitrary upper limits but this sort of bouncing around is going to be hard to
debug. In the redirect after authentication case the admin sees a nice big red
box indicating authentication failed because A' doesn't have the appropriate
credentials. This seems more desirable to me.

Again, let me stress that I don't have a strong opinion about which way this
should go, only that it should be specified.

- Rod

-----Original Message-----
From: Paul Koning [mailto:pkoning@equallogic.com]
Sent: Friday, January 17, 2003 4:00 PM
To: rod.harrison@windriver.com
Cc: Julian_Satran@il.ibm.com; Black_David@emc.com; ips@ece.cmu.edu
Subject: RE: FW: Redirection (was UNH Plugfest 5)


>>>>> "Rod" == Rod Harrison <rod.harrison@windriver.com> writes:

 Rod> I agree with Paul that the spec should be specific on this. At
 Rod> this weeks plugfest none of the 16 companies present had the
 Rod> ability to configure this behaviour so the reality is the first
 Rod> set of products are going to go out hard coded in this manner
 Rod> and some are not going to interoperate. Right now many products
 Rod> are ready to go when the RFC is published and it's too late to
 Rod> rework GUIs, configuration databases and config app to device
 Rod> protocols. The result is going to be that authentication will be
 Rod> unusable with targets that redirect.

 Rod> I personally would like to see the spec say authentication MUST
 Rod> complete before redirection can occur, but like Paul I can
 Rod> accept either choice.

 Rod> A possible way out here is to go with the same approach chosen
 Rod> for the extension digests, that is mandate either redirection
 Rod> before or after authentication unless there has been explicit
 Rod> administrator intervention. That gives interoperability with
 Rod> implementations that can't configure this behaviour, and gives
 Rod> an out for those that want the choice the standard doesn't
 Rod> mandate if they are prepared to do the configuration work.

I hadn't considered that approach.  I'd prefer not to do this.  The
reason is that I see no reason for this behavior to be configured in
the first place.  There is no conceivable reason why an admin should
care about the way it is done; it simply must be done in a way that
works.  Either behavior is perfectly fine; either behavior has
equivalent security properties.

Putting a management knob on this feels like an admission that the
standards process is unable to make any decisions.

     paul

Prev by Date: RE: HeaderDigest, DataDigest, etc
Next by Date: iSCSI version 20 draft
Prev by thread: Re: RE: FW: Redirection (was UNH Plugfest 5)
Next by thread: iSCSI: End of Discussion
Index(es):
- Date
- Thread

Home

Last updated: Mon Jan 20 01:19:09 2003
12218 messages in chronological order