Re: [storm] iSCSI Node Name for SCSI (composite) Device

Mallikarjun Chadalapaka <cbm@chadalapaka.com> Fri, 09 September 2011 17:18 UTC

Return-Path: <cbm@chadalapaka.com>
X-Original-To: storm@ietfa.amsl.com
Delivered-To: storm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8D0A121F86A1 for <storm@ietfa.amsl.com>; Fri, 9 Sep 2011 10:18:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.481
X-Spam-Level:
X-Spam-Status: No, score=-2.481 tagged_above=-999 required=5 tests=[AWL=0.118, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id v0jdxqvBo4rm for <storm@ietfa.amsl.com>; Fri, 9 Sep 2011 10:18:50 -0700 (PDT)
Received: from snt0-omc3-s49.snt0.hotmail.com (snt0-omc3-s49.snt0.hotmail.com [65.54.51.86]) by ietfa.amsl.com (Postfix) with ESMTP id C591821F84AC for <storm@ietf.org>; Fri, 9 Sep 2011 10:18:50 -0700 (PDT)
Received: from SNT131-DS16 ([65.55.90.135]) by snt0-omc3-s49.snt0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675); Fri, 9 Sep 2011 10:20:46 -0700
X-Originating-IP: [131.107.0.94]
X-Originating-Email: [cbm@chadalapaka.com]
Message-ID: <SNT131-ds162A51A37B722314E4A657A0010@phx.gbl>
From: Mallikarjun Chadalapaka <cbm@chadalapaka.com>
To: <Paul_Koning@Dell.com>, <david.black@emc.com>, <storm@ietf.org>
References: <SNT131-ds428634E0048BE2FF6E211A0010@phx.gbl> <09787EF419216C41A903FD14EE5506DD0153553162@AUSX7MCPC103.AMER.DELL.COM> <7C4DFCE962635144B8FAE8CA11D0BF1E058B27F43A@MX14A.corp.emc.com> <09787EF419216C41A903FD14EE5506DD0153553344@AUSX7MCPC103.AMER.DELL.COM>
In-Reply-To: <09787EF419216C41A903FD14EE5506DD0153553344@AUSX7MCPC103.AMER.DELL.COM>
Date: Fri, 9 Sep 2011 10:20:45 -0700
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQHcB5FMbu7wlS83v+5mHU2fGlTdDQIzT/PsAfI8+WcCE96SQpT0TiAg
Content-Language: en-us
X-OriginalArrivalTime: 09 Sep 2011 17:20:46.0062 (UTC) FILETIME=[CFA4E0E0:01CC6F14]
Subject: Re: [storm] iSCSI Node Name for SCSI (composite) Device
X-BeenThere: storm@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Storage Maintenance WG <storm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/storm>, <mailto:storm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/storm>
List-Post: <mailto:storm@ietf.org>
List-Help: <mailto:storm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/storm>, <mailto:storm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Sep 2011 17:18:51 -0000

Paul, thanks for the feedback.  From the new requirement text, I will also
add a cross-reference to the section 9.2.1 text that David cited, to make
this clear.

Mallikarjun

  -----Original Message-----
  From: storm-bounces@ietf.org [mailto:storm-bounces@ietf.org] On Behalf
  Of Paul_Koning@Dell.com
  Sent: Friday, September 09, 2011 7:49 AM
  To: david.black@emc.com; storm@ietf.org
  Subject: Re: [storm] iSCSI Node Name for SCSI (composite) Device
  
  Ok, so that means that, in this case at least, it must be possible for the
  CHAP name to be different from the iSCSI name.  That's certainly always a
  possibility but it also seems likely that people would take the shortcut
of
  making them match -- here you can't do that.  The text you quoted should
  be sufficient to alert implementers to that consideration.
  
  	paul
  
  -----Original Message-----
  From: david.black@emc.com [mailto:david.black@emc.com]
  Sent: Friday, September 09, 2011 9:02 AM
  To: Koning, Paul; storm@ietf.org
  Subject: RE: [storm] iSCSI Node Name for SCSI (composite) Device
  
  > I'm wondering if this creates an issue with CHAP based authentication.
  > Assuming the node name is the CHAP username, you'd have a CHAP
  secret
  > associated with that name.  Since there are two roles, it means the
  > same secret is used for both directions, which violates an explicit
  prohibition in the existing spec (because it enables reflection attacks).
  >
  > Is that not an issue here, or is it one that can be avoided by
  > additional constraints?  If so it would be worth spelling out how.
  
  That's definitely a valid concern, but one that has already been taken
care of
  - the following sentence is from Section 8.2.1 of RFC 3720, and has been
  carried over to Section 9.2.1 of the consolidated draft:
  
     Also, if an iSCSI
     implementation can function as both initiator and target, different
     CHAP secrets and identities MUST be configured for these two roles.
  
  Thanks,
  --David
  
  > -----Original Message-----
  > From: storm-bounces@ietf.org [mailto:storm-bounces@ietf.org] On
  Behalf
  > Of Paul_Koning@Dell.com
  > Sent: Friday, September 09, 2011 6:50 AM
  > To: cbm@chadalapaka.com; storm@ietf.org
  > Subject: Re: [storm] iSCSI Node Name for SCSI (composite) Device
  >
  > I'm wondering if this creates an issue with CHAP based authentication.
  > Assuming the node name is the CHAP username, you'd have a CHAP
  secret
  > associated with that name.  Since there are two roles, it means the
  > same secret is used for both directions, which violates an explicit
  prohibition in the existing spec (because it enables reflection attacks).
  >
  > Is that not an issue here, or is it one that can be avoided by
  > additional constraints?  If so it would be worth spelling out how.
  >
  > 	paul
  >
  > -----Original Message-----
  > From: storm-bounces@ietf.org [mailto:storm-bounces@ietf.org] On
  Behalf
  > Of Mallikarjun Chadalapaka
  > Sent: Thursday, September 08, 2011 9:41 PM
  > To: storm@ietf.org
  > Subject: [storm] iSCSI Node Name for SCSI (composite) Device
  >
  > In reviewing some editorial feedback received offline, we have
  > identified a potential misalignment between SAM-5 and iSCSI.  And it
  > turns out we can address it with a simple requirement, which the drafts'
  authors wanted to surface to the list.
  >
  > SAM-5 models SCSI Device Name as an attribute of a SCSI Device class,
  > even if the SCSI Device is a composite device containing a SCSI
Initiator
  Device
  > and a SCSI Target Device.   iSCSI in contrast models an iSCSI Initiator
Name
  > as an attribute of iSCSI Initiator Node, and models iSCSI Target Name as
  that for iSCSI Target Node.
  > As the new consolidated draft now explicitly allows iSCSI Nodes to be
  > SCSI composite Devices, we just need to make sure that a SCSI
  > (composite) Device in iSCSI transport domain would only have one SCSI
  Device Name.
  >
  > This can be accomplished by adding the following requirement to the
  > consolidated draft: whenever an iSCSI Node contains an iSCSI Initiator
  > Node and an iSCSI Target Node, the iSCSI Initiator Name MUST be the
  > same as the iSCSI Target Name for the contained Nodes such that there is
  only one iSCSI Node Name for the iSCSI Node overall.
  >
  > Please let the list know if you have concerns, or questions about this
  > approach.  Assuming WG consensus on this, we plan to get this - and
  > any related text updates in both drafts - into the next revisions at the
end
  of the Last Call.
  >
  > Thanks.
  >
  > Mallikarjun (for all the authors)
  >
  >
  >
  >
  >
  >
  > _______________________________________________
  > storm mailing list
  > storm@ietf.org
  > https://www.ietf.org/mailman/listinfo/storm
  > _______________________________________________
  > storm mailing list
  > storm@ietf.org
  > https://www.ietf.org/mailman/listinfo/storm
  
  _______________________________________________
  storm mailing list
  storm@ietf.org
  https://www.ietf.org/mailman/listinfo/storm