Re: iSCSI Login Questions

To: ietf-ips <ips@ece.cmu.edu>
Subject: Re: iSCSI Login Questions
From: Steve Senum <ssenum@cisco.com>
Date: Thu, 19 Jul 2001 17:22:14 -0500
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=us-ascii
References: <BJEIKPAFDFPFNCPPBCGPIECGCJAA.bbrtrebia@mediaone.net>
Sender: owner-ips@ece.cmu.edu

Barry,

By my reading of the current draft, I don't think
SecurityContextComplete=no is valid.

Regards,
Steve Senum

Barry Reinhold wrote:
> 
> Steve,
>         I would think that this is valid independent of the changes that have been
> discussed at the UNH GTP. The initiator has all the information that it
> needs for security and is indicating that by setting
> securitycontextcomplete=yes. If the target responds with with
> AuthMethod=none and SecurityContextComplete=yes then full security phase is
> history. However, the initiator needs to be ready to allow the target to
> continue the negotiation. (i.e. if the initiator receives a PDU back with
> securitycontextcomplete=no it must continue to send text commands in the
> security phase even if it does not have any additional parameters it wishes
> to communicate.) The target may also respond to the AuthMethod=None with
> AuthMethod=Reject, or it might reject the login with a status of 0x0201
> (Auth failed).
>         All of these responses appear to be valid based on 6-97. It would probably
> benefit us to limit the choices here.
> >-----Original Message-----
> >From: owner-ips@ece.cmu.edu [mailto:owner-ips@ece.cmu.edu]On Behalf Of
> >Steve Senum
> >Sent: Thursday, July 19, 2001 4:29 PM
> >To: ietf-ips
> >Subject: iSCSI Login Questions
> >
> >
> >Julian:
> >
> >Is the following valid (taking into account the
> >changes requested from the UNH Plugfest)?
> >
> >I: Login: AuthMethod:none SecurityContextComplete=Yes
> >
> >I would assume not, that the initiator must wait
> >until after the initial exchange of the AuthMethod, HeaderDigest,
> >and DataDigest keys to send the SecurityContextComplete
> >key.
> >
> >Also, if further simplification of the login process
> >is desired, the working group might want to consider requiring
> >the initiator to send the AuthMethod HeaderDigest and
> >the DataDigest keys on the first login, so that the
> >login sequence would always look like:
> >
> >I: Login:   AuthMethod=a1,a2,aN
> >            HeaderDigest=hd1,hd2,hdN
> >            DataDigest=dd1,dd2,ddN
> >T: LoginPR: AuthMethod=a1
> >            HeaderDigest=hd1 DataDigest=dd1
> >...Authentication phase, if needed
> >I: Text:    SecurityContextComplete=yes
> >T: Text:    SecurityContextComplete=yes
> >...Operational Parameter Negotiating phase
> >...Full Feature Phase
> >
> >Regards,
> >Steve Senum

References:
- RE: iSCSI Login Questions
  - From: "Barry Reinhold" <bbrtrebia@mediaone.net>

Prev by Date: RE: iSCSI Login Questions
Next by Date: iSCSI OpParamReset
Prev by thread: RE: iSCSI Login Questions
Next by thread: Re: iSCSI Login Questions
Index(es):
- Date
- Thread

Home

Last updated: Tue Sep 04 01:04:15 2001
6315 messages in chronological order