Re: [storm] iSCSI consolidated draft: Authentication consistency
"Black, David" <david.black@emc.com> Tue, 19 March 2013 01:34 UTC
Return-Path: <david.black@emc.com>
X-Original-To: storm@ietfa.amsl.com
Delivered-To: storm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4188A21F85E0 for <storm@ietfa.amsl.com>; Mon, 18 Mar 2013 18:34:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.471
X-Spam-Level:
X-Spam-Status: No, score=-102.471 tagged_above=-999 required=5 tests=[AWL=0.129, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mvHJU03OLa7o for <storm@ietfa.amsl.com>; Mon, 18 Mar 2013 18:34:20 -0700 (PDT)
Received: from mexforward.lss.emc.com (hop-nat-141.emc.com [168.159.213.141]) by ietfa.amsl.com (Postfix) with ESMTP id 5FAAE21F84A2 for <storm@ietf.org>; Mon, 18 Mar 2013 18:34:20 -0700 (PDT)
Received: from hop04-l1d11-si02.isus.emc.com (HOP04-L1D11-SI02.isus.emc.com [10.254.111.55]) by mexforward.lss.emc.com (Switch-3.4.3/Switch-3.4.3) with ESMTP id r2J1YIDr012152 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 18 Mar 2013 21:34:18 -0400
Received: from mailhub.lss.emc.com (mailhubhoprd06.lss.emc.com [10.254.222.130]) by hop04-l1d11-si02.isus.emc.com (RSA Interceptor); Mon, 18 Mar 2013 21:33:58 -0400
Received: from mxhub20.corp.emc.com (mxhub20.corp.emc.com [10.254.93.49]) by mailhub.lss.emc.com (Switch-3.4.3/Switch-3.4.3) with ESMTP id r2J1XuaR032382; Mon, 18 Mar 2013 21:33:57 -0400
Received: from mx15a.corp.emc.com ([169.254.1.81]) by mxhub20.corp.emc.com ([10.254.93.49]) with mapi; Mon, 18 Mar 2013 21:33:56 -0400
From: "Black, David" <david.black@emc.com>
To: "Black, David" <david.black@emc.com>, Julian Satran <julian@satran.net>
Date: Mon, 18 Mar 2013 21:33:55 -0400
Thread-Topic: [storm] iSCSI consolidated draft: Authentication consistency
Thread-Index: Ac3os+HYVjBqBOCTS6qVf02vkTTaSg0hXI2QAcIL4eA=
Message-ID: <8D3D17ACE214DC429325B2B98F3AE71293AEE187@MX15A.corp.emc.com>
References: <8D3D17ACE214DC429325B2B98F3AE71287DB21EE@MX15A.corp.emc.com> <536D99C2-EBD3-43B2-BE47-9F53E945FBBC@satran.net> <8D3D17ACE214DC429325B2B98F3AE71290DCD889@MX15A.corp.emc.com>
In-Reply-To: <8D3D17ACE214DC429325B2B98F3AE71290DCD889@MX15A.corp.emc.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-EMM-MHVC: 1
Cc: "storm@ietf.org" <storm@ietf.org>
Subject: Re: [storm] iSCSI consolidated draft: Authentication consistency
X-BeenThere: storm@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Storage Maintenance WG <storm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/storm>, <mailto:storm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/storm>
List-Post: <mailto:storm@ietf.org>
List-Help: <mailto:storm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/storm>, <mailto:storm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Mar 2013 01:34:21 -0000
I've checked w/Julian offline - the upshot is roughly the following: The identity binding has to be done, and it could be simplified by algorithmically deriving the short identities (there are potential problems when the shorter identities collide because two longer strings hash to the same short one), but use or reuse of other authentication identities is fine. I think that's enough to set direction for the text that will be needed for both issues in this thread. Thanks, --David (storm WG co-chair) > -----Original Message----- > From: storm-bounces@ietf.org [mailto:storm-bounces@ietf.org] On Behalf Of > Black, David > Sent: Saturday, March 09, 2013 9:47 PM > To: Julian Satran > Cc: storm@ietf.org > Subject: Re: [storm] iSCSI consolidated draft: Authentication consistency > > Julo, > > As long as that's only a suggestion (MAY, nothing stronger), that's > fine w/me, although the original design rationale for the shorter > identities was to allow (re)use of identities already in authentication > systems. > > Thanks, > --David > > > > -----Original Message----- > > From: Julian Satran [mailto:julian@satran.net] > > Sent: Wednesday, January 02, 2013 1:39 AM > > To: Black, David > > Cc: storm@ietf.org > > Subject: Re: [storm] iSCSI consolidated draft: Authentication consistency > > Importance: High > > > > WRT 1 - I always thought that the iSCSI name is/will-become the > authenticated > > identity and the "tiny bit-strings" used in some communities will become a > > thing of the past - or at best will serve as temporary identifiers > (something > > like short addresses). However if we want to accommodate them we should > > suggest a way of deriving the authenticated identity from the name - e.g., a > > hash - that binds them for good. The target may/should verify that the > > authenticated identity used in the protocol is correct. Obviously that > > assumes that authentication identities are small string that can be > > "allocated" arbitrarily - i.e. have no purposeful structure. > > > > Julo > > On Jan 2, 2013, at 3:48 AM, "Black, David" <david.black@emc.com> wrote: > > > > > <WG Chair hat OFF> > > > > > > This email is sent as the shepherd for the iSCSI consolidated draft. > > > > > > Security review has turned up a couple of issues in iSCSI in-band > > > authentication. I want to summarize them for discussion before the > > > effort is invested in writing detailed text. > > > > > > I believe that good implementers will get these right, but some > > > security text appears to be needed. This is not supposed to affect > > > existing implementations, so please speak up if something appears > > > potentially problematic. > > > > > > (1) iSCSI name association with authenticated identity. The iSCSI name > > > is for the initiator or target (e.g., iqn.*); the authenticated identity > > > is the identity used in the inband authentication protocol (e.g., CHAP > > > name). > > > > > > This concern is about how the identity used for authentication aligns with > > > the iSCSI name for the initiator or target. Abstractly, the concern is > > > that someone has to check that Bob is the authenticated identity for an > > iSCSI > > > initiator that's accessing Bob's storage, otherwise Alice can claim to be > > > Bob's initiator (iSCSI name) authenticate as herself (Alice as > > authentication > > > identity) and then freely access Bob's storage, which would be bad. > > > > > > The draft doesn't say much about this, in large part because iSCSI names > > > are not exactly friendly to existing authentication infrastructure, and > > > the original design intent was to allow flexibility in identities used > with > > > authentication infrastructure. > > > > > > Proposal: The draft needs to say something - that something might be to > say > > > that implementations SHOULD be managing authentication so that > > > impersonation is not possible across iSCSI Names. The preferred approach > > > (SHOULD) would be to manage authentication material as triples: > > > - iSCSI Name > > > - Authentication identity for that name > > > - Authentication credentials for that identity > > > In this case, the name-identity relationship SHOULD be checked in addition > > > to the authentication of the identity. This check is simple if the > identity > > > and name are the same, or the identity is algorithmically derived from the > > > name. > > > > > > I can think of ways to bind credentials directly to an iSCSI Name, where > > > the identity is a bystander, although this is a particularly bad idea for > > > CHAP, as it will have rather unfortunate results when used with an > external > > > server (e.g., RADIUS) that gets the authentication identity, but not the > > > iSCSI name, making this a "SHOULD NOT" requirement with a warning about > > > external authentication servers that don't see the iSCSI Names. > > > > > > (2) Authentication consistency for multi-connection sessions. > > > > > > When an iSCSI session has multiple connections, either concurrently, or > > > sequentially (e.g., TCP connection fails, new connection created to > recover > > > the session), it's important that the same initiator be involved in all > > > the connections, *and* that the initiator authenticate as itself every > > > time. There are several pieces to this: > > > - Authentication SHOULD be consistently used across a session. It's > > > not a good idea to mix authenticated and unauthenticated connections > > > in the same session. Mixing authentication mechanisms is probably > > > ok, if someone wants to do that, so it may not need to be mentioned. > > > - The authentication of the iSCSI Name SHOULD be consistent across a > > session, > > > preferably by using the same authentication identity. In the end, > > > it's the iSCSI Name that matters, and the same authentication > > > identity (see "triples" above) is the simplest way to get there. > > > > > > > > > Thanks, > > > --David > > > ---------------------------------------------------- > > > David L. Black, Distinguished Engineer > > > EMC Corporation, 176 South St., Hopkinton, MA 01748 > > > +1 (508) 293-7953 FAX: +1 (508) 293-7786 > > > david.black@emc.com Mobile: +1 (978) 394-7754 > > > ---------------------------------------------------- > > > > > > _______________________________________________ > > > storm mailing list > > > storm@ietf.org > > > https://www.ietf.org/mailman/listinfo/storm > > > > _______________________________________________ > storm mailing list > storm@ietf.org > https://www.ietf.org/mailman/listinfo/storm
- [storm] iSCSI consolidated draft: Authentication … Black, David
- Re: [storm] iSCSI consolidated draft: Authenticat… Julian Satran
- Re: [storm] iSCSI consolidated draft: Authenticat… Black, David
- Re: [storm] iSCSI consolidated draft: Authenticat… Black, David
- Re: [storm] iSCSI consolidated draft: Authenticat… Mallikarjun Chadalapaka