Re: iSCSI: Option Preference (was Login Proposal)
Sandeep Joshi <sandeepj@research.bell-labs.com> Wed, 22 August 2001 22:20 UTC
Received: from ece.cmu.edu (ECE.CMU.EDU [128.2.136.200]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id SAA25265 for <ips-archive@odin.ietf.org>; Wed, 22 Aug 2001 18:20:42 -0400 (EDT)
Received: (from majordom@localhost) by ece.cmu.edu (8.11.0/8.10.2) id f7MLnWe24685 for ips-outgoing; Wed, 22 Aug 2001 17:49:32 -0400 (EDT)
X-Authentication-Warning: ece.cmu.edu: majordom set sender to owner-ips@ece.cmu.edu using -f
Received: from crufty.research.bell-labs.com (crufty.research.bell-labs.com [204.178.16.49]) by ece.cmu.edu (8.11.0/8.10.2) with SMTP id f7MLnUe24679 for <ips@ece.cmu.edu>; Wed, 22 Aug 2001 17:49:30 -0400 (EDT)
Received: from grubby.research.bell-labs.com ([135.104.2.9]) by crufty; Wed Aug 22 17:44:49 EDT 2001
Received: from aura.research.bell-labs.com ([135.104.46.10]) by grubby; Wed Aug 22 17:48:49 EDT 2001
Received: from research.bell-labs.com (IDENT:sandeepj@sandeepj-pcmh.research.bell-labs.com [135.104.47.90]) by aura.research.bell-labs.com (8.9.1/8.9.1) with ESMTP id RAA06388; Wed, 22 Aug 2001 17:48:17 -0400 (EDT)
Message-ID: <3B8428A1.B7F0AB5A@research.bell-labs.com>
Date: Wed, 22 Aug 2001 17:48:17 -0400
From: Sandeep Joshi <sandeepj@research.bell-labs.com>
X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.2.16-3 i686)
X-Accept-Language: en
MIME-Version: 1.0
To: Steve Senum <ssenum@cisco.com>
CC: ietf-ips <ips@ece.cmu.edu>
Subject: Re: iSCSI: Option Preference (was Login Proposal)
References: <6BD67FFB937FD411A04F00D0B74FE87802A0925E@xrose06.rose.hp.com> <3B842289.D34268CD@cisco.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: owner-ips@ece.cmu.edu
Precedence: bulk
Content-Transfer-Encoding: 7bit
Steve, That would be the initiator's preference...accept a "none" or drop the connection. Marjorie's point is that conceptually user/IIN authentication would be controlled by the target (i.e. the server). Once the endpoints are authenticated (e.g. by IPSec), then ITN/IIN authentication will be driven by the server (target) This is analogous to a RAS scenario in ipsra, http://www.ietf.org/internet-drafts/draft-ietf-ipsra-reqmts-03.txt) ( umm..please dont extend this analogy too far :-) ) regards, -Sandeep Steve Senum wrote: > > I disagree, at least somewhat. > > If the Initiator sends AuthMethod=SRP,CHAP,none and > the Target returns AuthMethod=none, the Initiator > could still choose to abort the connection if > it was configured to require authentication. > I believe either or both sides can dictate the > security environment. > > Steve Senum > > "KRUEGER,MARJORIE (HP-Roseville,ex1)" wrote: > > > > I meant only to point out that it's the target that must dictate the > > security environment, not the initiator. The initiator is only > > communicating a preference. So yes, I agree with you, but Ron's comment was > > > > > > I expect this to be under the control of the sys admin > > > > through some kind of config at the initiator side. I think a > > > > good guide to keep in mind with all this is that it is the > > > > initiator's data, and so it seems reasonable to let the > > > > initiator control connection security and integrity. > > > > and I'm thinking it's the other way around. The initiator has a role, but > > it is the requestor of a service, not the "server" hence the target really > > controls security. Of course, ultimately, the system admin controls > > everything, but we don't get to write his/her "protocol" :-) > > > > Marjorie Krueger > > Networked Storage Architecture > > Networked Storage Solutions Org. > > Hewlett-Packard > > tel: +1 916 785 2656 > > fax: +1 916 785 0391 > > email: marjorie_krueger@hp.com > > > > > -----Original Message----- > > > From: Wheat, Stephen R [mailto:stephen.r.wheat@intel.com] > > > Sent: Wednesday, August 22, 2001 11:02 AM > > > To: ietf-ips > > > Subject: RE: iSCSI: Login Proposal > > > > > > > > > Marjorie, > > > > > > I agree with your premise that the target must be allowed to > > > not just let > > > anyone in. > > > > > > But why isn't this already covered by the ability of the sys admin to > > > configure the target to only agree to certain offerings? Quoting from > > > 1.2.4, with my > > > emphasis, > > > "The responding party answers with the first value from the list it > > > supports and > > > is **allowed** to use for the specific initiator." > > > > > > > > > For some network interfaces, > > > the sys admin could rely upon physical security and other > > > means inherent to > > > the > > > environment. In such cases, the admin could configure the > > > target to follow > > > the > > > initiator's preferences, including "none". > > > > > > For other network interfaces where the environment is not inherently > > > trusted, > > > the sysadmin would be motivated to not allow the target to > > > connect without any authentication; so they'd set it up to not accept > > > "none", even > > > though the initiator may prefer "none". > > > > > > Yes? > > > > > > Stephen > > > > > > -----Original Message----- > > > From: KRUEGER,MARJORIE (HP-Roseville,ex1) > > > [mailto:marjorie_krueger@hp.com] > > > Sent: Wednesday, August 22, 2001 10:47 AM > > > To: 'Rod Harrison'; ietf-ips > > > Subject: RE: iSCSI: Login Proposal > > > > > > > > > I'm thinking a little differently regarding which party has > > > priority in > > > chosing security parameters - while it *may* be the > > > initiators data, this > > > can't be established until the initiator is authenticated. > > > Since the target > > > is the "server" side, I think the burden is on the target to > > > ensure that > > > this is the intended initiator. Therefore, the target must > > > dictate the > > > authentication method used, since it has the security > > > responsibility and the > > > "contact point" for potentially malicious entities. Consider > > > the example > > > where an initiator was previously authenticated using > > > Kerberos, the session > > > was ended, and a new session is requested by what appears to > > > be the same > > > initiator, but the authmethod requested is now "none". Looks pretty > > > suspicious to me. It seems to me like the target has the > > > responsibility of > > > maintaining a consistent authmethod with all initiators that > > > access it, > > > therefore the target MUST force the minimum level > > > authorization it requires > > > or reject the login request. > > > > > > Marjorie Krueger > > > Networked Storage Architecture > > > Networked Storage Solutions Org. > > > Hewlett-Packard > > > tel: +1 916 785 2656 > > > fax: +1 916 785 0391 > > > email: marjorie_krueger@hp.com > > > > > > > -----Original Message----- > > > > From: Rod Harrison [mailto:rod.harrison@windriver.com] > > > > Sent: Wednesday, August 22, 2001 4:58 AM > > > > To: Wheat, Stephen R; 'Steve Senum'; ietf-ips > > > > Subject: RE: iSCSI: Login Proposal > > > > > > > > > > > > > > > > I think we should view this as the order indicates the > > > > initiators preference and the target SHOULD pick the first > > > > item from the list it supports. Note that SHOULD allows the > > > > target to do something other than pick the first item it > > > > supports if it has a good reason to do so, e.g. If it would > > > > otherwise terminate the session. The initiator can always > > > > terminate the session if it doesn't like what the target > > > > chooses. > > > > > > > > So, to extend your example, as an initiator if I didn't > > > > want to do CHAP at all I would send ... > > > > > > > > AuthMethod=none > > > > > > > > if I preferred not to do CHAP but I could tolerate it I > > > > would send ... > > > > > > > > AuthMethod=none,CHAP > > > > > > > > and if I would prefer CHAP I would send ... > > > > > > > > AuthMethod=CHAP,none > > > > > > > > I expect this to be under the control of the sys admin > > > > through some kind of config at the initiator side. I think a > > > > good guide to keep in mind with all this is that it is the > > > > initiator's data, and so it seems reasonable to let the > > > > initiator control connection security and integrity. > > > > > > > > - Rod > > > > > > > > > >
- RE: iSCSI: Login Proposal BURBRIDGE,MATTHEW (HP-UnitedKingdom,ex2)
- RE: iSCSI: Login Proposal Barry Reinhold
- RE: iSCSI: Login Proposal KRUEGER,MARJORIE (HP-Roseville,ex1)
- RE: iSCSI: Login Proposal KRUEGER,MARJORIE (HP-Roseville,ex1)
- RE: iSCSI: Login Proposal Wheat, Stephen R
- Re: iSCSI: Option Preference (was Login Proposal) Steve Senum
- Re: iSCSI: Login Proposal Julian Satran
- Re: iSCSI: Login Proposal Steve Senum
- Re: iSCSI: Login Proposal Steve Senum
- RE: iSCSI: Login Proposal Wheat, Stephen R
- Re: iSCSI: Option Preference (was Login Proposal) Sandeep Joshi
- RE: iSCSI: Login Proposal BURBRIDGE,MATTHEW (HP-UnitedKingdom,ex2)
- Re: iSCSI: Login Proposal Steve Senum
- Re: iSCSI: Option Preference (was Login Proposal) Steve Senum
- RE: iSCSI: Login Proposal Wheat, Stephen R
- RE: iSCSI: Login Proposal Rod Harrison
- RE: iSCSI: Login Proposal Julian Satran
- RE: iSCSI: Login Proposal BURBRIDGE,MATTHEW (HP-UnitedKingdom,ex2)
- RE: iSCSI: Login Proposal Wheat, Stephen R
- RE: iSCSI: Login Proposal Black_David
- RE: iSCSI: Login Proposal Wheat, Stephen R