[storm] iSCSI consolidated draft: Authentication consistency
"Black, David" <david.black@emc.com> Wed, 02 January 2013 01:49 UTC
Return-Path: <david.black@emc.com>
X-Original-To: storm@ietfa.amsl.com
Delivered-To: storm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 480B621E8041 for <storm@ietfa.amsl.com>; Tue, 1 Jan 2013 17:49:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.788
X-Spam-Level:
X-Spam-Status: No, score=-102.788 tagged_above=-999 required=5 tests=[AWL=-0.189, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fGdmDJnq6iCa for <storm@ietfa.amsl.com>; Tue, 1 Jan 2013 17:49:14 -0800 (PST)
Received: from mexforward.lss.emc.com (hop-nat-141.emc.com [168.159.213.141]) by ietfa.amsl.com (Postfix) with ESMTP id 923B921E8030 for <storm@ietf.org>; Tue, 1 Jan 2013 17:49:14 -0800 (PST)
Received: from hop04-l1d11-si01.isus.emc.com (HOP04-L1D11-SI01.isus.emc.com [10.254.111.54]) by mexforward.lss.emc.com (Switch-3.4.3/Switch-3.4.3) with ESMTP id r021nDGs015602 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <storm@ietf.org>; Tue, 1 Jan 2013 20:49:13 -0500
Received: from mailhub.lss.emc.com (mailhubhoprd02.lss.emc.com [10.254.221.253]) by hop04-l1d11-si01.isus.emc.com (RSA Interceptor) for <storm@ietf.org>; Tue, 1 Jan 2013 20:48:55 -0500
Received: from mxhub06.corp.emc.com (mxhub06.corp.emc.com [128.222.70.203]) by mailhub.lss.emc.com (Switch-3.4.3/Switch-3.4.3) with ESMTP id r021mtJB003741 for <storm@ietf.org>; Tue, 1 Jan 2013 20:48:55 -0500
Received: from mx15a.corp.emc.com ([169.254.1.210]) by mxhub06.corp.emc.com ([128.222.70.203]) with mapi; Tue, 1 Jan 2013 20:48:55 -0500
From: "Black, David" <david.black@emc.com>
To: "storm@ietf.org" <storm@ietf.org>
Importance: high
X-Priority: 1
Date: Tue, 01 Jan 2013 20:48:54 -0500
Thread-Topic: iSCSI consolidated draft: Authentication consistency
Thread-Index: Ac3oi1IpMQZhkYNmRzWn/pFNQF3Jtg==
Message-ID: <8D3D17ACE214DC429325B2B98F3AE71287DB21EE@MX15A.corp.emc.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-EMM-MHVC: 1
Subject: [storm] iSCSI consolidated draft: Authentication consistency
X-BeenThere: storm@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Storage Maintenance WG <storm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/storm>, <mailto:storm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/storm>
List-Post: <mailto:storm@ietf.org>
List-Help: <mailto:storm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/storm>, <mailto:storm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Jan 2013 01:49:15 -0000
<WG Chair hat OFF> This email is sent as the shepherd for the iSCSI consolidated draft. Security review has turned up a couple of issues in iSCSI in-band authentication. I want to summarize them for discussion before the effort is invested in writing detailed text. I believe that good implementers will get these right, but some security text appears to be needed. This is not supposed to affect existing implementations, so please speak up if something appears potentially problematic. (1) iSCSI name association with authenticated identity. The iSCSI name is for the initiator or target (e.g., iqn.*); the authenticated identity is the identity used in the inband authentication protocol (e.g., CHAP name). This concern is about how the identity used for authentication aligns with the iSCSI name for the initiator or target. Abstractly, the concern is that someone has to check that Bob is the authenticated identity for an iSCSI initiator that's accessing Bob's storage, otherwise Alice can claim to be Bob's initiator (iSCSI name) authenticate as herself (Alice as authentication identity) and then freely access Bob's storage, which would be bad. The draft doesn't say much about this, in large part because iSCSI names are not exactly friendly to existing authentication infrastructure, and the original design intent was to allow flexibility in identities used with authentication infrastructure. Proposal: The draft needs to say something - that something might be to say that implementations SHOULD be managing authentication so that impersonation is not possible across iSCSI Names. The preferred approach (SHOULD) would be to manage authentication material as triples: - iSCSI Name - Authentication identity for that name - Authentication credentials for that identity In this case, the name-identity relationship SHOULD be checked in addition to the authentication of the identity. This check is simple if the identity and name are the same, or the identity is algorithmically derived from the name. I can think of ways to bind credentials directly to an iSCSI Name, where the identity is a bystander, although this is a particularly bad idea for CHAP, as it will have rather unfortunate results when used with an external server (e.g., RADIUS) that gets the authentication identity, but not the iSCSI name, making this a "SHOULD NOT" requirement with a warning about external authentication servers that don't see the iSCSI Names. (2) Authentication consistency for multi-connection sessions. When an iSCSI session has multiple connections, either concurrently, or sequentially (e.g., TCP connection fails, new connection created to recover the session), it's important that the same initiator be involved in all the connections, *and* that the initiator authenticate as itself every time. There are several pieces to this: - Authentication SHOULD be consistently used across a session. It's not a good idea to mix authenticated and unauthenticated connections in the same session. Mixing authentication mechanisms is probably ok, if someone wants to do that, so it may not need to be mentioned. - The authentication of the iSCSI Name SHOULD be consistent across a session, preferably by using the same authentication identity. In the end, it's the iSCSI Name that matters, and the same authentication identity (see "triples" above) is the simplest way to get there. Thanks, --David ---------------------------------------------------- David L. Black, Distinguished Engineer EMC Corporation, 176 South St., Hopkinton, MA 01748 +1 (508) 293-7953 FAX: +1 (508) 293-7786 david.black@emc.com Mobile: +1 (978) 394-7754 ----------------------------------------------------
- [storm] iSCSI consolidated draft: Authentication … Black, David
- Re: [storm] iSCSI consolidated draft: Authenticat… Julian Satran
- Re: [storm] iSCSI consolidated draft: Authenticat… Black, David
- Re: [storm] iSCSI consolidated draft: Authenticat… Black, David
- Re: [storm] iSCSI consolidated draft: Authenticat… Mallikarjun Chadalapaka