Re: [storm] iSCSI consolidated draft: Authentication consistency
"Black, David" <david.black@emc.com> Sun, 10 March 2013 02:47 UTC
Return-Path: <david.black@emc.com>
X-Original-To: storm@ietfa.amsl.com
Delivered-To: storm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0CC5521F86C5 for <storm@ietfa.amsl.com>; Sat, 9 Mar 2013 18:47:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.474
X-Spam-Level:
X-Spam-Status: No, score=-102.474 tagged_above=-999 required=5 tests=[AWL=0.125, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xsxeVF0hPP6B for <storm@ietfa.amsl.com>; Sat, 9 Mar 2013 18:47:49 -0800 (PST)
Received: from mexforward.lss.emc.com (hop-nat-141.emc.com [168.159.213.141]) by ietfa.amsl.com (Postfix) with ESMTP id 378C321F85B3 for <storm@ietf.org>; Sat, 9 Mar 2013 18:47:48 -0800 (PST)
Received: from hop04-l1d11-si01.isus.emc.com (HOP04-L1D11-SI01.isus.emc.com [10.254.111.54]) by mexforward.lss.emc.com (Switch-3.4.3/Switch-3.4.3) with ESMTP id r2A2liMR019980 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Sat, 9 Mar 2013 21:47:44 -0500
Received: from mailhub.lss.emc.com (mailhubhoprd01.lss.emc.com [10.254.221.251]) by hop04-l1d11-si01.isus.emc.com (RSA Interceptor); Sat, 9 Mar 2013 21:47:24 -0500
Received: from mxhub14.corp.emc.com (mxhub14.corp.emc.com [128.222.70.235]) by mailhub.lss.emc.com (Switch-3.4.3/Switch-3.4.3) with ESMTP id r2A2lNxG002209; Sat, 9 Mar 2013 21:47:23 -0500
Received: from mx15a.corp.emc.com ([169.254.1.118]) by mxhub14.corp.emc.com ([128.222.70.235]) with mapi; Sat, 9 Mar 2013 21:47:22 -0500
From: "Black, David" <david.black@emc.com>
To: Julian Satran <julian@satran.net>
Date: Sat, 09 Mar 2013 21:47:19 -0500
Thread-Topic: [storm] iSCSI consolidated draft: Authentication consistency
Thread-Index: Ac3os+HYVjBqBOCTS6qVf02vkTTaSg0hXI2Q
Message-ID: <8D3D17ACE214DC429325B2B98F3AE71290DCD889@MX15A.corp.emc.com>
References: <8D3D17ACE214DC429325B2B98F3AE71287DB21EE@MX15A.corp.emc.com> <536D99C2-EBD3-43B2-BE47-9F53E945FBBC@satran.net>
In-Reply-To: <536D99C2-EBD3-43B2-BE47-9F53E945FBBC@satran.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-EMM-MHVC: 1
Cc: "storm@ietf.org" <storm@ietf.org>
Subject: Re: [storm] iSCSI consolidated draft: Authentication consistency
X-BeenThere: storm@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Storage Maintenance WG <storm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/storm>, <mailto:storm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/storm>
List-Post: <mailto:storm@ietf.org>
List-Help: <mailto:storm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/storm>, <mailto:storm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 10 Mar 2013 02:47:50 -0000
Julo, As long as that's only a suggestion (MAY, nothing stronger), that's fine w/me, although the original design rationale for the shorter identities was to allow (re)use of identities already in authentication systems. Thanks, --David > -----Original Message----- > From: Julian Satran [mailto:julian@satran.net] > Sent: Wednesday, January 02, 2013 1:39 AM > To: Black, David > Cc: storm@ietf.org > Subject: Re: [storm] iSCSI consolidated draft: Authentication consistency > Importance: High > > WRT 1 - I always thought that the iSCSI name is/will-become the authenticated > identity and the "tiny bit-strings" used in some communities will become a > thing of the past - or at best will serve as temporary identifiers (something > like short addresses). However if we want to accommodate them we should > suggest a way of deriving the authenticated identity from the name - e.g., a > hash - that binds them for good. The target may/should verify that the > authenticated identity used in the protocol is correct. Obviously that > assumes that authentication identities are small string that can be > "allocated" arbitrarily - i.e. have no purposeful structure. > > Julo > On Jan 2, 2013, at 3:48 AM, "Black, David" <david.black@emc.com> wrote: > > > <WG Chair hat OFF> > > > > This email is sent as the shepherd for the iSCSI consolidated draft. > > > > Security review has turned up a couple of issues in iSCSI in-band > > authentication. I want to summarize them for discussion before the > > effort is invested in writing detailed text. > > > > I believe that good implementers will get these right, but some > > security text appears to be needed. This is not supposed to affect > > existing implementations, so please speak up if something appears > > potentially problematic. > > > > (1) iSCSI name association with authenticated identity. The iSCSI name > > is for the initiator or target (e.g., iqn.*); the authenticated identity > > is the identity used in the inband authentication protocol (e.g., CHAP > > name). > > > > This concern is about how the identity used for authentication aligns with > > the iSCSI name for the initiator or target. Abstractly, the concern is > > that someone has to check that Bob is the authenticated identity for an > iSCSI > > initiator that's accessing Bob's storage, otherwise Alice can claim to be > > Bob's initiator (iSCSI name) authenticate as herself (Alice as > authentication > > identity) and then freely access Bob's storage, which would be bad. > > > > The draft doesn't say much about this, in large part because iSCSI names > > are not exactly friendly to existing authentication infrastructure, and > > the original design intent was to allow flexibility in identities used with > > authentication infrastructure. > > > > Proposal: The draft needs to say something - that something might be to say > > that implementations SHOULD be managing authentication so that > > impersonation is not possible across iSCSI Names. The preferred approach > > (SHOULD) would be to manage authentication material as triples: > > - iSCSI Name > > - Authentication identity for that name > > - Authentication credentials for that identity > > In this case, the name-identity relationship SHOULD be checked in addition > > to the authentication of the identity. This check is simple if the identity > > and name are the same, or the identity is algorithmically derived from the > > name. > > > > I can think of ways to bind credentials directly to an iSCSI Name, where > > the identity is a bystander, although this is a particularly bad idea for > > CHAP, as it will have rather unfortunate results when used with an external > > server (e.g., RADIUS) that gets the authentication identity, but not the > > iSCSI name, making this a "SHOULD NOT" requirement with a warning about > > external authentication servers that don't see the iSCSI Names. > > > > (2) Authentication consistency for multi-connection sessions. > > > > When an iSCSI session has multiple connections, either concurrently, or > > sequentially (e.g., TCP connection fails, new connection created to recover > > the session), it's important that the same initiator be involved in all > > the connections, *and* that the initiator authenticate as itself every > > time. There are several pieces to this: > > - Authentication SHOULD be consistently used across a session. It's > > not a good idea to mix authenticated and unauthenticated connections > > in the same session. Mixing authentication mechanisms is probably > > ok, if someone wants to do that, so it may not need to be mentioned. > > - The authentication of the iSCSI Name SHOULD be consistent across a > session, > > preferably by using the same authentication identity. In the end, > > it's the iSCSI Name that matters, and the same authentication > > identity (see "triples" above) is the simplest way to get there. > > > > > > Thanks, > > --David > > ---------------------------------------------------- > > David L. Black, Distinguished Engineer > > EMC Corporation, 176 South St., Hopkinton, MA 01748 > > +1 (508) 293-7953 FAX: +1 (508) 293-7786 > > david.black@emc.com Mobile: +1 (978) 394-7754 > > ---------------------------------------------------- > > > > _______________________________________________ > > storm mailing list > > storm@ietf.org > > https://www.ietf.org/mailman/listinfo/storm >
- [storm] iSCSI consolidated draft: Authentication … Black, David
- Re: [storm] iSCSI consolidated draft: Authenticat… Julian Satran
- Re: [storm] iSCSI consolidated draft: Authenticat… Black, David
- Re: [storm] iSCSI consolidated draft: Authenticat… Black, David
- Re: [storm] iSCSI consolidated draft: Authenticat… Mallikarjun Chadalapaka