SORT BY:

LIST ORDER
THREAD
AUTHOR
SUBJECT


SEARCH

IPS HOME

    [Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

    Re: iSCSI: keys/parameter dependence

    Bob Russell,

I think allowing keys to be distributed over several PDUs
breaks the curent CHAP authentication sequence.  Consider:

    I->T: CHAP_A=<A1,A2...>

    T->I: CHAP_A=<A> CHAP_I=<I> CHAP_C=<C>

    I->T: CHAP_N=<N> CHAP_R=<R>
    OR
    I->T: CHAP_N=<N> CHAP_R=<R> CHAP_I=<I> CHAP_C=<C>

The target does not know how many keys to expect,
so it would not know when the step is complete.

I don't really see the point of allowing this anyway,
as the user can already spread keys out over several PDUs
with the C (Continue) bit.

I would however like to the see the key ordering issue
clarified in the final edit, if possible.

Regards,
Steve Senum

"Robert D. Russell" wrote:
> 
> Julian:
> 
> > I agree that the wording for 1 that you suggest is better than the current
> > text and If I will have a chance I will do it (during the last correction
> > pass of the RFC editor - called 48 Hours). For your second point  things
> > are more complex and we will probably have to live with the current text.
> 
> No problem -- sorry we didn't discover it sooner.
> 
> Although this will probably not get into the draft,
> could you confirm (or not) my interpretation of what
> a "step" is in the context of an authentication exchange,
> and also could you confirm (or not) my interpretation of
> how these keys can be distributed over several pdus
> (as in the examples I cited)?  Your confirmation would
> be extremely useful to us in constructing
> conformance and interoperability tests.
> 
> Thanks again,
> Bob Russell
> 
> >
> >
> >
> > "Robert D. Russell" <rdr@io.iol.unh.edu>
> > 27/01/03 21:43
> >
> > To
> > Julian Satran/Haifa/IBM@IBMIL, "" <ips@ece.cmu.edu>
> > cc
> >
> > Subject
> > RE: iSCSI: keys/parameter dependence
> >
> >
> >
> >
> >
> >
> > Julian:
> >
> > A request for clarification on some wording in the current standard
> > (draft 20).
> >
> > 1.  In section 5 on page 50, in the 4th paragraph (the one starting:
> >         "For the keys that require negotiation ...")
> >     the second sentence says:
> >         "The other party (the accepting party) makes a selection
> >         based on the value or list of values proposed and includes
> >         the selected value in a key=value in the data part of the
> >         following Login or Text Response or Request."
> >
> >     The problem is with the word "following".  A very long discussion
> >     on the mailing list last June, under the thread
> >         "iSCSI: keys/parameter dependence"
> >     made it clear that the reply key=value to an offer does not have
> >     to be given in the immediately following response pdu, but can be
> >     delayed until some later time before the end of the negotiation
> >     stage.  In other words, responses can be saved up and "batched"
> >     in a later response pdu.
> >
> >     Therefore, I believe this intent would be better conveyed if the
> >     words:
> >         "in the data part of the following Login or Text Response or
> >         Request"
> >     in the current text on page 50 quoted above were changed to:
> >         "in the data part of one of the following Login or Text
> >                              ^^^^^^
> >         Responses or Requests"
> >                 ^           ^
> >
> >
> > 2.  There is a similar problem with some wording in section 8.2, in
> >     the fourth paragraph (the one starting with "Section 11 ...").
> >     The discussion in this paragraph talks about "steps", and
> >     "exact steps", without defining what a "step" is, and I believe
> >     this may need some clarification.
> >
> >     Looking at section 11.1.4, the first step is taken by the initiator
> >     when it sends:
> >         CHAP_A=<A1,A2...>
> >     to the target.
> >     The second step is taken by the target when it answers with a
> >     Login reject or with:
> >         CHAP_A=<A> CHAP_I=<I> CHAP_C=<C>
> >
> >
> >     It is my understanding that in the second step, these 3 keys could
> >     be sent by the target in any order, for example:
> >         CHAP_C=<C> CHAP_I=<I> CHAP_A=<A>
> >     and further, that they could be sent in separate pdus -- that
> >     is, the target could send
> >         CHAP_C=<C>
> >     in one Login Response pdu,
> >         CHAP_A=<A>
> >     in the next Login Response pdu, and finally
> >         CHAP_I=<I>
> >     in the final Login Response pdu.  All these pdus would belong
> >     to the same step, and the step would not be completed until
> >     all the keys had been received, regardless of the number of
> >     pdus that had to be exchanged to achieve this.
> >
> >     Is this the correct interpretation of a "step"?
> >
> >     And are the example exchanges shown above correct
> >     implementations of the first and second "steps"?
> >
> >     Perhaps it would be clearer if the word "step" were actually
> >     used in section 11.1.4.  For example, it could say:
> >
> >         "For CHAP {RFC1994], in the first step, the initiator
> >         sends:
> >             CHAP_A=<A1,A2...>"
> >
> >         "In the second step, the target MUST answer with .. "
> >
> >         "In the third step, the initiator MUST continue with ..."
> >
> >     I believe it is already clear from the wording in section 8.2
> >     that a new step cannot be started until the previous step is
> >     completed.
> >
> >
> > Thank you for your consideration.
> >
> > Bob Russell
> > InterOperability Lab
> > University of New Hampshire
> > rdr@iol.unh.edu
> > 603-862-3774
> >
> >

Home

Last updated: Tue Jan 28 22:19:02 2003
12270 messages in chronological order