Re: [secdir] Secdir Review of draft-ietf-storm-iscsi-sam-06
<david.black@emc.com> Sun, 29 July 2012 06:00 UTC
Return-Path: <david.black@emc.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7917A21F861A; Sat, 28 Jul 2012 23:00:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.46
X-Spam-Level:
X-Spam-Status: No, score=-102.46 tagged_above=-999 required=5 tests=[AWL=0.139, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qSJhFtDjQrxB; Sat, 28 Jul 2012 23:00:37 -0700 (PDT)
Received: from mexforward.lss.emc.com (hop-nat-141.emc.com [168.159.213.141]) by ietfa.amsl.com (Postfix) with ESMTP id 8542E21F8609; Sat, 28 Jul 2012 23:00:36 -0700 (PDT)
Received: from hop04-l1d11-si01.isus.emc.com (HOP04-L1D11-SI01.isus.emc.com [10.254.111.54]) by mexforward.lss.emc.com (Switch-3.4.3/Switch-3.4.3) with ESMTP id q6T60Zjv005024 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Sun, 29 Jul 2012 02:00:35 -0400
Received: from mailhub.lss.emc.com (mailhubhoprd01.lss.emc.com [10.254.221.251]) by hop04-l1d11-si01.isus.emc.com (RSA Interceptor); Sun, 29 Jul 2012 02:00:26 -0400
Received: from mxhub05.corp.emc.com (mxhub05.corp.emc.com [128.222.70.202]) by mailhub.lss.emc.com (Switch-3.4.3/Switch-3.4.3) with ESMTP id q6T60MmG028331; Sun, 29 Jul 2012 02:00:22 -0400
Received: from mx15a.corp.emc.com ([169.254.1.189]) by mxhub05.corp.emc.com ([128.222.70.202]) with mapi; Sun, 29 Jul 2012 02:00:22 -0400
From: david.black@emc.com
To: alexey.melnikov@isode.com, secdir@ietf.org, iesg@ietf.org, draft-ietf-storm-iscsi-sam.all@tools.ietf.org
Date: Sun, 29 Jul 2012 02:00:20 -0400
Thread-Topic: Secdir Review of draft-ietf-storm-iscsi-sam-06
Thread-Index: Ac1qcQRshnoruYSaSS+tyb6GdrxeBQCsZBfQ
Message-ID: <8D3D17ACE214DC429325B2B98F3AE71208E7F85A@MX15A.corp.emc.com>
References: <50100124.4040403@isode.com>
In-Reply-To: <50100124.4040403@isode.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-EMM-MHVC: 1
X-Mailman-Approved-At: Sun, 29 Jul 2012 09:01:29 -0700
Cc: david.black@emc.com
Subject: Re: [secdir] Secdir Review of draft-ietf-storm-iscsi-sam-06
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 29 Jul 2012 06:00:38 -0000
Hi Alexey, Thank you for this review. > One thing that > might be missing is some text about abuse of the priority field to > perform Denial-of-service or to gain better service. That would be a good security consideration to add. > The document can't decide which RFC for iSCSI it is referencing... Which > one should be used in the new IANA registries created? Part of what's going on here is that it's not possible to move the replaced RFCs to historic anytime soon, so RFC 3720 will be a reference for some iSCSI implementations for many years to come, and it is appropriate to reference it as the original specification of iSCSI. That said, I think you've found a couple of things that need attention: - I think a check of all the references is needed. One subtlety is that the -sam- draft is intended to also be usable with RFC 3720 and RFC 5048, but there should be more citations of the consolidated draft in the body of the -sam- draft. - A bunch of IANA text was added to the consolidated draft recently, and that includes instructions to IANA about what to reference in the registries. It looks like that set of changes wasn't carried over to the new "iSCSI Task Management Response Codes" registry. We'll get these sorted out - thank you for noticing this concern. > Repeating the list of Task Management Functions defined in another > document is not a good idea. What if another extension adds additional > functions? The primary IETF reference for that is actually an IANA registry, and that list is actually defined in SAM-2, a SCSI standard. Nonetheless, I believe that you're correct, that the list of existing Task Management Functions in Section 6.1 isn't needed. Thanks, --David > -----Original Message----- > From: Alexey Melnikov [mailto:alexey.melnikov@isode.com] > Sent: Wednesday, July 25, 2012 10:22 AM > To: secdir@ietf.org; iesg@ietf.org; draft-ietf-storm-iscsi- > sam.all@tools.ietf.org > Subject: Secdir Review of draft-ietf-storm-iscsi-sam-06 > > I have reviewed this document as part of the security directorate's > ongoing effort to review all IETF documents being processed by the IESG. > These comments were written primarily for the benefit of the security > area directors. Document editors and WG chairs should treat these > comments just like any other last call comments. > > The iSCSI protocol as specified in [draft-ietf-storm-iscsi-cons-xx] (and > as previously specified by the combination of RFC 3720 and RFC 5048) is > based on the SAM-2 (SCSI Architecture Model - 2) version of the SCSI > family of protocols. This document defines enhancements to the iSCSI > protocol to support certain additional features of the SCSI protocol > that were defined in SAM-3, SAM-4, and SAM-5. In particular the document > adds: > > 1) Command Priority field > 2) Several new commands: > > 9 - QUERY TASK - determines if the command identified by the > Referenced Task Tag field is present in the task set. > > 10 - QUERY TASK SET - determine if any command is present in > the task set for the I_T_L Nexus on which the task management > function was received. > > 11 - I_T NEXUS RESET - perform an I_T nexus loss function (see > [SAM5]) for the I_T nexus on which the task management > function was received. > > 12 - QUERY ASYNCHRONOUS EVENT - determine if there is a unit > attention condition or a deferred error pending for the I_T_L > nexus on which the task management function was received. > > And a new response code that they use. > > The document sends readers to review Security Considerations from RFC > 3720. This is probably appropriate, as extensions added by this document > are minor and don't seem to change iSCSI model much. One thing that > might be missing is some text about abuse of the priority field to > perform Denial-of-service or to gain better service. > > Other comments on the document (consider them minor, but I think editors > should think about these): > > The document can't decide which RFC for iSCSI it is referencing... Which > one should be used in the new IANA registries created? > > Repeating the list of Task Management Functions defined in another > document is not a good idea. What if another extension adds additional > functions?
- [secdir] Secdir Review of draft-ietf-storm-iscsi-… Alexey Melnikov
- Re: [secdir] Secdir Review of draft-ietf-storm-is… david.black