IETF Logo Mail Archive

Re: [storm] iSCSI consolidated draft: Authentication consistency

"Black, David" <david.black@emc.com> Sun, 10 March 2013 02:47 UTC

Return-Path: <david.black@emc.com>
X-Original-To: storm@ietfa.amsl.com
Delivered-To: storm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0CC5521F86C5 for <storm@ietfa.amsl.com>; Sat, 9 Mar 2013 18:47:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.474
X-Spam-Level:
X-Spam-Status: No, score=-102.474 tagged_above=-999 required=5 tests=[AWL=0.125, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xsxeVF0hPP6B for <storm@ietfa.amsl.com>; Sat, 9 Mar 2013 18:47:49 -0800 (PST)
Received: from mexforward.lss.emc.com (hop-nat-141.emc.com [168.159.213.141]) by ietfa.amsl.com (Postfix) with ESMTP id 378C321F85B3 for <storm@ietf.org>; Sat, 9 Mar 2013 18:47:48 -0800 (PST)
Received: from hop04-l1d11-si01.isus.emc.com (HOP04-L1D11-SI01.isus.emc.com [10.254.111.54]) by mexforward.lss.emc.com (Switch-3.4.3/Switch-3.4.3) with ESMTP id r2A2liMR019980 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Sat, 9 Mar 2013 21:47:44 -0500
Received: from mailhub.lss.emc.com (mailhubhoprd01.lss.emc.com [10.254.221.251]) by hop04-l1d11-si01.isus.emc.com (RSA Interceptor); Sat, 9 Mar 2013 21:47:24 -0500
Received: from mxhub14.corp.emc.com (mxhub14.corp.emc.com [128.222.70.235]) by mailhub.lss.emc.com (Switch-3.4.3/Switch-3.4.3) with ESMTP id r2A2lNxG002209; Sat, 9 Mar 2013 21:47:23 -0500
Received: from mx15a.corp.emc.com ([169.254.1.118]) by mxhub14.corp.emc.com ([128.222.70.235]) with mapi; Sat, 9 Mar 2013 21:47:22 -0500
From: "Black, David" <david.black@emc.com>
To: Julian Satran <julian@satran.net>
Date: Sat, 09 Mar 2013 21:47:19 -0500
Thread-Topic: [storm] iSCSI consolidated draft: Authentication consistency
Thread-Index: Ac3os+HYVjBqBOCTS6qVf02vkTTaSg0hXI2Q
Message-ID: <8D3D17ACE214DC429325B2B98F3AE71290DCD889@MX15A.corp.emc.com>
References: <8D3D17ACE214DC429325B2B98F3AE71287DB21EE@MX15A.corp.emc.com> <536D99C2-EBD3-43B2-BE47-9F53E945FBBC@satran.net>
In-Reply-To: <536D99C2-EBD3-43B2-BE47-9F53E945FBBC@satran.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-EMM-MHVC: 1
Cc: "storm@ietf.org" <storm@ietf.org>
Subject: Re: [storm] iSCSI consolidated draft: Authentication consistency
X-BeenThere: storm@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Storage Maintenance WG <storm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/storm>, <mailto:storm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/storm>
List-Post: <mailto:storm@ietf.org>
List-Help: <mailto:storm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/storm>, <mailto:storm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 10 Mar 2013 02:47:50 -0000

Julo,

As long as that's only a suggestion (MAY, nothing stronger), that's
fine w/me, although the original design rationale for the shorter
identities was to allow (re)use of identities already in authentication
systems.

Thanks,
--David


> -----Original Message-----
> From: Julian Satran [mailto:julian@satran.net]
> Sent: Wednesday, January 02, 2013 1:39 AM
> To: Black, David
> Cc: storm@ietf.org
> Subject: Re: [storm] iSCSI consolidated draft: Authentication consistency
> Importance: High
> 
> WRT 1 - I always thought that the iSCSI name is/will-become the authenticated
> identity and the "tiny bit-strings" used in some communities will become a
> thing of the past - or at best will serve as temporary identifiers (something
> like short addresses).  However if we want to accommodate them  we should
> suggest a way of deriving the authenticated identity from the name - e.g., a
> hash - that binds them for good. The target may/should verify that the
> authenticated identity used in the protocol is  correct.  Obviously that
> assumes that authentication identities are small string that can be
> "allocated" arbitrarily - i.e. have no purposeful structure.
> 
> Julo
> On Jan 2, 2013, at 3:48 AM, "Black, David" <david.black@emc.com> wrote:
> 
> > <WG Chair hat OFF>
> >
> > This email is sent as the shepherd for the iSCSI consolidated draft.
> >
> > Security review has turned up a couple of issues in iSCSI in-band
> > authentication.  I want to summarize them for discussion before the
> > effort is invested in writing detailed text.
> >
> > I believe that good implementers will get these right, but some
> > security text appears to be needed.  This is not supposed to affect
> > existing implementations, so please speak up if something appears
> > potentially problematic.
> >
> > (1) iSCSI name association with authenticated identity.  The iSCSI name
> > is for the initiator or target (e.g., iqn.*); the authenticated identity
> > is the identity used in the inband authentication protocol (e.g., CHAP
> > name).
> >
> > This concern is about how the identity used for authentication aligns with
> > the iSCSI name for the initiator or target.  Abstractly, the concern is
> > that someone has to check that Bob is the authenticated identity for an
> iSCSI
> > initiator that's accessing Bob's storage, otherwise Alice can claim to be
> > Bob's initiator (iSCSI name) authenticate as herself (Alice as
> authentication
> > identity) and then freely access Bob's storage, which would be bad.
> >
> > The draft doesn't say much about this, in large part because iSCSI names
> > are not exactly friendly to existing authentication infrastructure, and
> > the original design intent was to allow flexibility in identities used with
> > authentication infrastructure.
> >
> > Proposal: The draft needs to say something - that something might be to say
> > that implementations SHOULD be managing authentication so that
> > impersonation is not possible across iSCSI Names.  The preferred approach
> > (SHOULD) would be to manage authentication material as triples:
> > 	- iSCSI Name
> > 	- Authentication identity for that name
> > 	- Authentication credentials for that identity
> > In this case, the name-identity relationship SHOULD be checked in addition
> > to the authentication of the identity.  This check is simple if the identity
> > and name are the same, or the identity is algorithmically derived from the
> > name.
> >
> > I can think of ways to bind credentials directly to an iSCSI Name, where
> > the identity is a bystander, although this is a particularly bad idea for
> > CHAP, as it will have rather unfortunate results when used with an external
> > server (e.g., RADIUS) that gets the authentication identity, but not the
> > iSCSI name, making this a "SHOULD NOT" requirement with a warning about
> > external authentication servers that don't see the iSCSI Names.
> >
> > (2) Authentication consistency for multi-connection sessions.
> >
> > When an iSCSI session has multiple connections, either concurrently, or
> > sequentially (e.g., TCP connection fails, new connection created to recover
> > the session), it's important that the same initiator be involved in all
> > the connections, *and* that the initiator authenticate as itself every
> > time.  There are several pieces to this:
> > - Authentication SHOULD be consistently used across a session. It's
> > 	not a good idea to mix authenticated and unauthenticated connections
> > 	in the same session.  Mixing authentication mechanisms is probably
> > 	ok, if someone wants to do that, so it may not need to be mentioned.
> > - The authentication of the iSCSI Name SHOULD be consistent across a
> session,
> > 	preferably by using the same authentication identity.  In the end,
> > 	it's the iSCSI Name that matters, and the same authentication
> > 	identity (see "triples" above) is the simplest way to get there.
> >
> >
> > Thanks,
> > --David
> > ----------------------------------------------------
> > David L. Black, Distinguished Engineer
> > EMC Corporation, 176 South St., Hopkinton, MA  01748
> > +1 (508) 293-7953             FAX: +1 (508) 293-7786
> > david.black@emc.com        Mobile: +1 (978) 394-7754
> > ----------------------------------------------------
> >
> > _______________________________________________
> > storm mailing list
> > storm@ietf.org
> > https://www.ietf.org/mailman/listinfo/storm
>

v2.23.0 | Report a Bug | By Email