IETF Logo Mail Archive

Re: [storm] iSCSI consolidated draft: Authentication consistency

Julian Satran <julian@satran.net> Wed, 02 January 2013 06:46 UTC

Return-Path: <julian@satran.net>
X-Original-To: storm@ietfa.amsl.com
Delivered-To: storm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6EF7321F910D for <storm@ietfa.amsl.com>; Tue, 1 Jan 2013 22:46:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.836
X-Spam-Level:
X-Spam-Status: No, score=-5.836 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, SARE_RECV_BEZEQINT_B=0.763]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uJ+dXFla2b14 for <storm@ietfa.amsl.com>; Tue, 1 Jan 2013 22:46:16 -0800 (PST)
Received: from eu1sys200aog104.obsmtp.com (eu1sys200aog104.obsmtp.com [207.126.144.117]) by ietfa.amsl.com (Postfix) with SMTP id F3E3C21F910B for <storm@ietf.org>; Tue, 1 Jan 2013 22:46:15 -0800 (PST)
Received: from mail-wg0-f71.google.com ([74.125.82.71]) (using TLSv1) by eu1sys200aob104.postini.com ([207.126.147.11]) with SMTP ID DSNKUOPXtO2Ri7//vz1Gi7asaaJG4OzjDMiD@postini.com; Wed, 02 Jan 2013 06:46:16 UTC
Received: by mail-wg0-f71.google.com with SMTP id dr13so11953428wgb.6 for <storm@ietf.org>; Tue, 01 Jan 2013 22:46:12 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-received:x-received:subject:mime-version:content-type:from :x-priority:in-reply-to:date:cc:content-transfer-encoding:message-id :references:to:x-mailer:x-gm-message-state; bh=FnR1v7VGtfrtHnXWKy+KlEq0KlS8lqQFbGhui4jv3co=; b=a1PqzsklaP2nrGjuKcRwqaUggZbOXhkaCAIj+s9eLpHKhnU4RojgWRnLbQQ+giDX5d zxRbYkbAPBnLr4lu4wQpEyxsq3yZrUV3sR+SPhDm13G8JBlCxEXkPd9zC+CxDvB3uj+2 LOnq9CP6Vg+b1st2DjljxZjT+ShrEUIIqyfpClLpc54CjmMCZaky2MxLxb04TFmM81Ye fpDtU0I4xNlhxPZmDmCYci64Ra1HfELxb0SYPvXuWPDw/dDV+nJAwzwZrrM+LevL+1L+ /tSmIJHLVezUp/VXwJ+ozYHndKSLIH7VcoQqZnubFscSi8ianF1Kq2V3Eii6feMoogeB z5jA==
X-Received: by 10.14.221.9 with SMTP id q9mr123507062eep.3.1357108733953; Tue, 01 Jan 2013 22:38:53 -0800 (PST)
X-Received: by 10.14.221.9 with SMTP id q9mr123507047eep.3.1357108733784; Tue, 01 Jan 2013 22:38:53 -0800 (PST)
Received: from julo-mbpr.infinidat.com (bzq-218-29-26.cablep.bezeqint.net. [81.218.29.26]) by mx.google.com with ESMTPS id d3sm95560278eeo.13.2013.01.01.22.38.51 (version=SSLv3 cipher=OTHER); Tue, 01 Jan 2013 22:38:52 -0800 (PST)
Mime-Version: 1.0 (Mac OS X Mail 6.2 \(1499\))
Content-Type: text/plain; charset="iso-8859-1"
From: Julian Satran <julian@satran.net>
X-Priority: 1
In-Reply-To: <8D3D17ACE214DC429325B2B98F3AE71287DB21EE@MX15A.corp.emc.com>
Date: Wed, 02 Jan 2013 08:38:49 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <536D99C2-EBD3-43B2-BE47-9F53E945FBBC@satran.net>
References: <8D3D17ACE214DC429325B2B98F3AE71287DB21EE@MX15A.corp.emc.com>
To: "Black, David" <david.black@emc.com>
X-Mailer: Apple Mail (2.1499)
X-Gm-Message-State: ALoCoQm1i6R9kGciaN6tynEvUMr38dhEJQbUWy0qcxNLRemY6jQB73AepFsv0gwaMBIINrD6PUL106Q4rTKSsNXDWVzPupjIs6mF4r8cJ3FlGO47iQNI/Zhn3iHPikUyLNgGEYjyq5U2x4p+pPV3aMDWg80lbDChxw==
Cc: "storm@ietf.org" <storm@ietf.org>
Subject: Re: [storm] iSCSI consolidated draft: Authentication consistency
X-BeenThere: storm@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Storage Maintenance WG <storm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/storm>, <mailto:storm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/storm>
List-Post: <mailto:storm@ietf.org>
List-Help: <mailto:storm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/storm>, <mailto:storm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Jan 2013 06:46:17 -0000

WRT 1 - I always thought that the iSCSI name is/will-become the authenticated identity and the "tiny bit-strings" used in some communities will become a thing of the past - or at best will serve as temporary identifiers (something like short addresses).  However if we want to accommodate them  we should suggest a way of deriving the authenticated identity from the name - e.g., a hash - that binds them for good. The target may/should verify that the authenticated identity used in the protocol is  correct.  Obviously that assumes that authentication identities are small string that can be "allocated" arbitrarily - i.e. have no purposeful structure.

Julo
On Jan 2, 2013, at 3:48 AM, "Black, David" <david.black@emc.com> wrote:

> <WG Chair hat OFF>
> 
> This email is sent as the shepherd for the iSCSI consolidated draft.
> 
> Security review has turned up a couple of issues in iSCSI in-band
> authentication.  I want to summarize them for discussion before the
> effort is invested in writing detailed text.
> 
> I believe that good implementers will get these right, but some
> security text appears to be needed.  This is not supposed to affect
> existing implementations, so please speak up if something appears
> potentially problematic.
> 
> (1) iSCSI name association with authenticated identity.  The iSCSI name
> is for the initiator or target (e.g., iqn.*); the authenticated identity
> is the identity used in the inband authentication protocol (e.g., CHAP
> name).
> 
> This concern is about how the identity used for authentication aligns with
> the iSCSI name for the initiator or target.  Abstractly, the concern is
> that someone has to check that Bob is the authenticated identity for an iSCSI
> initiator that's accessing Bob's storage, otherwise Alice can claim to be
> Bob's initiator (iSCSI name) authenticate as herself (Alice as authentication
> identity) and then freely access Bob's storage, which would be bad.
> 
> The draft doesn't say much about this, in large part because iSCSI names
> are not exactly friendly to existing authentication infrastructure, and
> the original design intent was to allow flexibility in identities used with
> authentication infrastructure.
> 
> Proposal: The draft needs to say something - that something might be to say
> that implementations SHOULD be managing authentication so that
> impersonation is not possible across iSCSI Names.  The preferred approach
> (SHOULD) would be to manage authentication material as triples:
> 	- iSCSI Name
> 	- Authentication identity for that name
> 	- Authentication credentials for that identity
> In this case, the name-identity relationship SHOULD be checked in addition
> to the authentication of the identity.  This check is simple if the identity
> and name are the same, or the identity is algorithmically derived from the
> name.
> 
> I can think of ways to bind credentials directly to an iSCSI Name, where
> the identity is a bystander, although this is a particularly bad idea for
> CHAP, as it will have rather unfortunate results when used with an external
> server (e.g., RADIUS) that gets the authentication identity, but not the
> iSCSI name, making this a "SHOULD NOT" requirement with a warning about
> external authentication servers that don't see the iSCSI Names.
> 
> (2) Authentication consistency for multi-connection sessions.
> 
> When an iSCSI session has multiple connections, either concurrently, or
> sequentially (e.g., TCP connection fails, new connection created to recover
> the session), it's important that the same initiator be involved in all
> the connections, *and* that the initiator authenticate as itself every
> time.  There are several pieces to this:
> - Authentication SHOULD be consistently used across a session. It's
> 	not a good idea to mix authenticated and unauthenticated connections
> 	in the same session.  Mixing authentication mechanisms is probably
> 	ok, if someone wants to do that, so it may not need to be mentioned.
> - The authentication of the iSCSI Name SHOULD be consistent across a session,
> 	preferably by using the same authentication identity.  In the end,
> 	it's the iSCSI Name that matters, and the same authentication
> 	identity (see "triples" above) is the simplest way to get there.
> 
> 
> Thanks,
> --David
> ----------------------------------------------------
> David L. Black, Distinguished Engineer
> EMC Corporation, 176 South St., Hopkinton, MA  01748
> +1 (508) 293-7953             FAX: +1 (508) 293-7786
> david.black@emc.com        Mobile: +1 (978) 394-7754
> ----------------------------------------------------
> 
> _______________________________________________
> storm mailing list
> storm@ietf.org
> https://www.ietf.org/mailman/listinfo/storm

v2.23.0 | Report a Bug | By Email