Re: [storm] iSER approach - update: Next Steps
Michael Ko <mkosjc@gmail.com> Thu, 17 May 2012 03:47 UTC
Return-Path: <mkosjc@gmail.com>
X-Original-To: storm@ietfa.amsl.com
Delivered-To: storm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8113B11E8073 for <storm@ietfa.amsl.com>; Wed, 16 May 2012 20:47:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.598
X-Spam-Level:
X-Spam-Status: No, score=-3.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8Ti+6KfMKPvs for <storm@ietfa.amsl.com>; Wed, 16 May 2012 20:47:23 -0700 (PDT)
Received: from mail-vb0-f44.google.com (mail-vb0-f44.google.com [209.85.212.44]) by ietfa.amsl.com (Postfix) with ESMTP id 1075421F864A for <storm@ietf.org>; Wed, 16 May 2012 20:47:22 -0700 (PDT)
Received: by vbbez10 with SMTP id ez10so1613086vbb.31 for <storm@ietf.org>; Wed, 16 May 2012 20:47:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=mgwg2zV9Kh9c6ngruH7AEFtJkl8CBxMLQyhSqbsf5D4=; b=huljDeiMJNRXY+UGU4l0h5WLpzfbDrSC7oAqeBHlHPPYrvVFNuyDQJmIKCnRBotxJm h7nBiXaW4pi1eYMBDGcXmHL1rU3Qdy3BoW2fi/oMnPOLMfMJjx2Dazv1r+HKKMbCRVtq RqGMPZBCfPmw7kvwf62tycu+jiL+Gfql/jV5Dg4w3Qx5N55QrCyIpQtIh291YGWgw078 armd8NZg4NpJuF3rNNoyM8YdVl/nzVaB/GxnkqUb8nVqs+U8dvvQowbTrtTvmNDGTJ5X sfX96MNmvHzyYW5JZJrR8KDcVa+WJsClbeQB3vDuGL/EgwfD2U1IHLXQExuuCHana0Xm QdBw==
MIME-Version: 1.0
Received: by 10.220.241.135 with SMTP id le7mr4004298vcb.63.1337226441954; Wed, 16 May 2012 20:47:21 -0700 (PDT)
Received: by 10.220.169.15 with HTTP; Wed, 16 May 2012 20:47:21 -0700 (PDT)
In-Reply-To: <8D3D17ACE214DC429325B2B98F3AE712057151F0@MX15A.corp.emc.com>
References: <8D3D17ACE214DC429325B2B98F3AE71203D1120D@MX15A.corp.emc.com> <8D3D17ACE214DC429325B2B98F3AE712057151F0@MX15A.corp.emc.com>
Date: Wed, 16 May 2012 20:47:21 -0700
Message-ID: <CAP_=6dLfETNrs9QvmwgSwRg4es8N+RG7Tqc2vpa15Lz6YRYv=w@mail.gmail.com>
From: Michael Ko <mkosjc@gmail.com>
To: david.black@emc.com
Content-Type: multipart/alternative; boundary="14dae9cdca7f0e95f504c0334bc3"
Cc: storm@ietf.org
Subject: Re: [storm] iSER approach - update: Next Steps
X-BeenThere: storm@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Storage Maintenance WG <storm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/storm>, <mailto:storm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/storm>
List-Post: <mailto:storm@ietf.org>
List-Help: <mailto:storm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/storm>, <mailto:storm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 May 2012 03:47:24 -0000
I am submitting the proposed changes pertaining to item (v) in David's note that David and I (mostly David) worked out to be reviewed by the group before they go into the new iSER draft. These are the changes to sec. 2.4.1: OLD The iSER layer at the initiator is required to invalildate the Advertised STag upon a normal completion of the associated task. The Send with Invalidate Message, if supported by the RCaP layer (e.g., iWARP), can be used for automatic invalidation when it is used to carry the SCSI Response PDU. There are two exceptions to this automatic invalidation - bidirectional commands, and abnormal completion of a command. The iSER Layer at the initiator is required to explicitly invalidate the STag in these cases, in addition to sanity checking the automatic invalidation even when that does happen. NEW The iSER layer at the initiator SHOULD invalidate the Advertised STag upon a normal completion of the associated task. The Send with Invalidate Message, if supported by the RCaP layer (e.g., iWARP), can be used for automatic invalidation when it is used to carry the SCSI Response PDU. There are two exceptions to this automatic invalidation - bidirectional commands, and abnormal completion of a command. The iSER Layer at the initiator SHOULD explicitly invalidate the STag in these two cases. That iSER layer MUST check that STag invalidation has occurred whenever receipt of a Send with Invalidate message is the expected means of causing an STag to be invalidated, and MUST perform the STag invalidation if the STag has not already been invalidated (e.g., because a Send message was used instead of Send with Invalidate). If the Advertised STag is not invalidated as recommended in the foregoing paragraph (e.g., in order to cache the STag for future reuse), the I/O Buffer remains exposed to the network for access by the RCaP. Such an I/O Buffer is capable of being read or written by the RCaP outside the scope of the iSCSI operation for which it was originally established, which has both robustness and security considerations. The robustness considerations are that the system containing the iSER initiator may react poorly to an unexpected modification of its memory. For the security considerations, see Section 11. END Here is a new Security Considerations paragraph for Section 11: A valid STag exposes I/O Buffer resources to the network for access via the RCaP. The security considerations referred to in the above paragraphs provide means of controlling that access in order to prevent undesired disclosure or modification of data in the I/O Buffer. These considerations are of heightened importance for implementations that do not invalidate the STag after completion of the associated task (ISCSI I/O operation) because the period of exposure is correspondingly longer. For this reason, STag invalidation after completion of the associated task is RECOMMENDED in Section 2.4.1 Mike On Tue, May 15, 2012 at 10:54 AM, <david.black@emc.com> wrote: > Having seen no dissension, I believe (with WG chair hat on) that we have > WG rough consensus for this updated approach to resolving the iSER issues > around SendSE, SendInv and SendInvSE. > > Mike (Ko) - please update the draft accordingly, *BUT*, I want to see the > Security Considerations and related caching text for the following item > proposed to the list and worked out on the list before going into the next > version of t he draft (I'd be happy to review a first draft of this text > via private email if that would help): > > > v) Some new text will be needed (especially Security Considerations) to > > make it clear that STag invalidation is the initiator's > responsibility > > for security reasons, and the initiator cannot rely on the target > > using an Invalidate version of Send - the initiator MUST check and > > do its own invalidation as required. The initiator MAY choose to > cache > > mappings (i.e., reuse STags) across I/Os for efficiency, but that > has > > security consequences (exposes initiator memory to remote access > for > > longer) that have to be discussed in the new Security > Considerations text. > > In contrast, I believe the other five items are routine updates that can > just be made in the next version of the draft. > > Thanks, > --David > > > -----Original Message----- > > From: storm-bounces@ietf.org [mailto:storm-bounces@ietf.org] On Behalf > Of > > david.black@emc.com > > Sent: Thursday, May 03, 2012 6:29 PM > > To: storm@ietf.org > > Subject: [storm] iSER approach - update > > > > Attempting to summarize where we are ... the changes from my earlier > attempt > > are: > > - Dropped the MUST for error reporting by the receiver. > > - Added a more general "SHOULD NOT use" to iii). > > - Added caching discussion and need for yet more security considerations > > text to v). > > - Added a warning about relying on SendSE and SendInvSE at receiver - > new item > > vi). > > > > Are we getting closer? Here's the new version: > > > > i) Some iSER implementations have not followed RFC 5046's strict > requirements > > for use of SendSE, SendInv and SendInvSE; they use Send instead. > > ii) For interoperability, iSER implementations SHOULD accept and > correctly > > process SendSE, SendInv and SendInvSE messages. > > iii) SendSE, SendInv and SendInvSE are to be regarded as optimizations or > > enhancements to the basic Send message, and their support may vary > by > > RCaP protocol and specific implementation. In general, these > messages > > SHOULD NOT be used, unless the RCaP requires support for them in > all > > implementations. If these messages are used, the implementation > SHOULD > > be capable of reverting to use of Send in order to work with a > receiver > > that does not support these message (and we need to note that > attempted > > use of these messages with a peer that doesn't support them may > result > > in a fatal error that closes the RCaP connection). A specific > instance > > that needs to be noted is that these messages SHOULD NOT be used > with > > the InfiniBand RCaP because InfiniBand does not require support > for them > > in all cases. > > iv) New iSER implementations SHOULD use Send (and not these three > additional > > messages) unless there are compelling reasons for doing otherwise > > (latter is implicit in use of "SHOULD", but worth saying > explicitly, > > IMHO). > > v) Some new text will be needed (especially Security Considerations) to > > make it clear that STag invalidation is the initiator's > responsibility > > for security reasons, and the initiator cannot rely on the target > > using an Invalidate version of Send - the initiator MUST check and > > do its own invalidation as required. The initiator MAY choose to > cache > > mappings (i.e., reuse STags) across I/Os for efficiency, but that > has > > security consequences (exposes initiator memory to remote access > for > > longer) that have to be discussed in the new Security > Considerations text. > > vi) Similarly, iSER implementations SHOULD NOT rely on events triggered > by > > SendSE and SendInvSE, as these messages may not be used. In > contrast > > to invalidation, there are no security consequences in this aspect. > > > > Thanks, > > --David > > ---------------------------------------------------- > > David L. Black, Distinguished Engineer > > EMC Corporation, 176 South St., Hopkinton, MA 01748 > > +1 (508) 293-7953 FAX: +1 (508) 293-7786 > > david.black@emc.com Mobile: +1 (978) 394-7754 > > ---------------------------------------------------- >
- [storm] iSER approach - update david.black
- Re: [storm] iSER approach - update Michael Ko
- [storm] iSER approach - update: Next Steps david.black
- Re: [storm] iSER approach - update: Next Steps Michael Ko
- [storm] iSER - new security text: Please review david.black
- Re: [storm] iSER - new security text: Please reviā¦ david.black