Re: [storm] iSCSI Node Name for SCSI (composite) Device

<Paul_Koning@Dell.com> Fri, 09 September 2011 14:46 UTC

Return-Path: <Paul_Koning@Dell.com>
X-Original-To: storm@ietfa.amsl.com
Delivered-To: storm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4B0E721F8B21 for <storm@ietfa.amsl.com>; Fri, 9 Sep 2011 07:46:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.599
X-Spam-Level:
X-Spam-Status: No, score=-106.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7RGgGWw3mn+4 for <storm@ietfa.amsl.com>; Fri, 9 Sep 2011 07:46:49 -0700 (PDT)
Received: from ausc60pc101.us.dell.com (ausc60pc101.us.dell.com [143.166.85.206]) by ietfa.amsl.com (Postfix) with ESMTP id 6D5A721F8B1F for <storm@ietf.org>; Fri, 9 Sep 2011 07:46:49 -0700 (PDT)
X-Loopcount0: from 10.175.216.249
From: <Paul_Koning@Dell.com>
To: <david.black@emc.com>, <storm@ietf.org>
Date: Fri, 9 Sep 2011 09:48:39 -0500
Thread-Topic: [storm] iSCSI Node Name for SCSI (composite) Device
Thread-Index: Acxuj2l2QYR5jDLeQ/6sfbz+l/piAQATnEyQAAQmjtAABDmwEA==
Message-ID: <09787EF419216C41A903FD14EE5506DD0153553344@AUSX7MCPC103.AMER.DELL.COM>
References: <SNT131-ds428634E0048BE2FF6E211A0010@phx.gbl> <09787EF419216C41A903FD14EE5506DD0153553162@AUSX7MCPC103.AMER.DELL.COM> <7C4DFCE962635144B8FAE8CA11D0BF1E058B27F43A@MX14A.corp.emc.com>
In-Reply-To: <7C4DFCE962635144B8FAE8CA11D0BF1E058B27F43A@MX14A.corp.emc.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [storm] iSCSI Node Name for SCSI (composite) Device
X-BeenThere: storm@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Storage Maintenance WG <storm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/storm>, <mailto:storm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/storm>
List-Post: <mailto:storm@ietf.org>
List-Help: <mailto:storm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/storm>, <mailto:storm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Sep 2011 14:46:50 -0000

Ok, so that means that, in this case at least, it must be possible for the CHAP name to be different from the iSCSI name.  That's certainly always a possibility but it also seems likely that people would take the shortcut of making them match -- here you can't do that.  The text you quoted should be sufficient to alert implementers to that consideration.

	paul

-----Original Message-----
From: david.black@emc.com [mailto:david.black@emc.com] 
Sent: Friday, September 09, 2011 9:02 AM
To: Koning, Paul; storm@ietf.org
Subject: RE: [storm] iSCSI Node Name for SCSI (composite) Device

> I'm wondering if this creates an issue with CHAP based authentication.  
> Assuming the node name is the CHAP username, you'd have a CHAP secret 
> associated with that name.  Since there are two roles, it means the 
> same secret is used for both directions, which violates an explicit prohibition in the existing spec (because it enables reflection attacks).
> 
> Is that not an issue here, or is it one that can be avoided by 
> additional constraints?  If so it would be worth spelling out how.

That's definitely a valid concern, but one that has already been taken care of - the following sentence is from Section 8.2.1 of RFC 3720, and has been carried over to Section 9.2.1 of the consolidated draft:

   Also, if an iSCSI
   implementation can function as both initiator and target, different
   CHAP secrets and identities MUST be configured for these two roles.

Thanks,
--David

> -----Original Message-----
> From: storm-bounces@ietf.org [mailto:storm-bounces@ietf.org] On Behalf 
> Of Paul_Koning@Dell.com
> Sent: Friday, September 09, 2011 6:50 AM
> To: cbm@chadalapaka.com; storm@ietf.org
> Subject: Re: [storm] iSCSI Node Name for SCSI (composite) Device
> 
> I'm wondering if this creates an issue with CHAP based authentication.  
> Assuming the node name is the CHAP username, you'd have a CHAP secret 
> associated with that name.  Since there are two roles, it means the 
> same secret is used for both directions, which violates an explicit prohibition in the existing spec (because it enables reflection attacks).
> 
> Is that not an issue here, or is it one that can be avoided by 
> additional constraints?  If so it would be worth spelling out how.
> 
> 	paul
> 
> -----Original Message-----
> From: storm-bounces@ietf.org [mailto:storm-bounces@ietf.org] On Behalf 
> Of Mallikarjun Chadalapaka
> Sent: Thursday, September 08, 2011 9:41 PM
> To: storm@ietf.org
> Subject: [storm] iSCSI Node Name for SCSI (composite) Device
> 
> In reviewing some editorial feedback received offline, we have 
> identified a potential misalignment between SAM-5 and iSCSI.  And it 
> turns out we can address it with a simple requirement, which the drafts' authors wanted to surface to the list.
> 
> SAM-5 models SCSI Device Name as an attribute of a SCSI Device class, 
> even if the SCSI Device is a composite device containing a SCSI Initiator Device
> and a SCSI Target Device.   iSCSI in contrast models an iSCSI Initiator Name
> as an attribute of iSCSI Initiator Node, and models iSCSI Target Name as that for iSCSI Target Node.
> As the new consolidated draft now explicitly allows iSCSI Nodes to be 
> SCSI composite Devices, we just need to make sure that a SCSI 
> (composite) Device in iSCSI transport domain would only have one SCSI Device Name.
> 
> This can be accomplished by adding the following requirement to the 
> consolidated draft: whenever an iSCSI Node contains an iSCSI Initiator 
> Node and an iSCSI Target Node, the iSCSI Initiator Name MUST be the 
> same as the iSCSI Target Name for the contained Nodes such that there is only one iSCSI Node Name for the iSCSI Node overall.
> 
> Please let the list know if you have concerns, or questions about this 
> approach.  Assuming WG consensus on this, we plan to get this - and 
> any related text updates in both drafts - into the next revisions at the end of the Last Call.
> 
> Thanks.
> 
> Mallikarjun (for all the authors)
> 
> 
> 
> 
> 
> 
> _______________________________________________
> storm mailing list
> storm@ietf.org
> https://www.ietf.org/mailman/listinfo/storm
> _______________________________________________
> storm mailing list
> storm@ietf.org
> https://www.ietf.org/mailman/listinfo/storm