RE: iSCSI: proposal to solve the ISID issues

["John Hufferd" <hufferd@us.ibm.com>]

First lets understand that the real name that is part of the I-T Nexus is
InitiatorName+ISID as the Initiator part of the Nexus and the
TargetName+PortalGroupTag as the Target Part of the Nexus.  This is
somewhat independent of Authentication.  There are several levels that are
part of the Authentication.

We are attempting to not make the same mistake that we did in Fibre
Channel, by making the Authentication based on a Network "Nozzle".  We want
to Authenticate on something larger -- the Initiator Node Name
(InitiatorName) and its approved relationship to a Target Node Name (SCSI
Device).

To do this we have several things we need to worry about with security.
1. Is the link secure and able to handle secure traffic
2. Is the "User" who he says he is
3. Is the "User" permitted to use the specified Initiator
4. Is the Initiator permitted to use the specified Target

Item 1 is the IPSec stuff to secure the link
Item 2 is the iSCSI Authentication
Items 3 and 4 deal with Access Control List (ACLs).

With regards to Item 3 the user should be bound to a set of Initiators that
he is permitted to use, if any, and whether this Login is claiming to be
from one of them.  This is needed because the user maybe permitted to move
from one system to another

Item 4 determines whether the specified Initiator is permitted to access
this target.  In some implementations  I expect the vendor code will check
if the User, when on the specified Initiator, is permitted to access this
target (a more restrictive test).

In None of the Points above (1-4) did we even talk about the ISID, TSID or
SSID.  These are Items that have to do with either the Nexus or the Session
Management .

Note that the Authentication and Security Process cares not at all about
the SIDs.  Also the Nexus cares only about the session end points and how
the ISID, and PortalGroup_Tags  qualify the names of the Initiator Node and
Target Node so that the Session end points (SCSI Ports) TOTAL name is
unique in the world. (That is the Initiator Node Name qualified by the
ISID, and the Target Node Name when qualified by the PortalGroup_Tag is
unique in the World.)

The ISID and TSID when combined together give a unique handle to the
session (SSID), and the SSID can be used bind the various connections
together.  That is its purpose, I think, that is its only purpose.  The
ISID has a dual purpose. It uniquely qualifies the Initiator Node Name, and
is a part of the SSID. But it is important to understand that the SSID is
not unique in the world, it is only Unique within the context of the
Initiator SCSI Port and the Target SCSI Port Nexus.

Your example of Controller 1, Controller 2 is somewhat confusing, I think
you mean Host, or Initiator.  Most of us think of Controller as Storage
Controllers and they are usually Targets.  However, please see comments
below.

Any way, It maybe the case that when you look at what I have said above,
and what you have described, you might find that what you said is either
addressed or not a problem in the way you said it.

Also I have included Comments in your attached text. (Between [Huff/] and
[/Huff].)



.
.
.
John L. Hufferd
Senior Technical Staff Member (STSM)
IBM/SSG San Jose Ca
Main Office (408) 256-0403, Tie: 276-0403,  eFax: (408) 904-4688
Home Office (408) 997-6136
Internet address: hufferd@us.ibm.com


Michael Schoberg <michael_schoberg@cnt.com>@ece.cmu.edu on 10/26/2001
04:02:00 PM

Sent by:  owner-ips@ece.cmu.edu


To:   "IPS Reflector (E-mail)" <ips@ece.cmu.edu>
cc:
Subject:  RE: iSCSI: proposal to solve the ISID issues



I don't want to pour gas on this.  I know a lot has gone into resolving
this
issue, and at one point I thought I understood it.  After all the online
debate I'm convinced I must be missing something.  At this point I'm not
even sure why SSID is useful.

  ISID    // iSCSI initiator defined session ID
+ TSID    // iSCSI target defined session ID
  ----
  SSID    // iSCSI Session ID == I_T NEXUS

[Huff/]
This is NOT correct, please see the above.
[/Huff]

Is SSID used to establish an I_T nexus?

[/Huff]
NO it is Not  The Spec. Explicitly states that the SSID is NOT Equal to the
I-T Nexus.
[/Huff]

But iSCSI uses login authentication
to identify the initiator (InitiatorName=) & target (TargetName=).  What
extra information is being gained through SSID?

[Huff/]
SSID is used to identify the Sessions from the same Initiator Node to the
same Target Node Combo.  Please Note, This is NOT the same as Initiator
SCSI Port to Target SCSI Port Nexus (Since, there is only one Session that
is valid between the same two SCSI Ports.)
[/Huff]

[Login]
InitiatorName=MyInitiator
TargetName=YourTarget
NexusID=controller_1
[Huff/]
Where did you get the Syntax of NexusID???  That is not in the Spec. But in
case you meant it only as a comment, that comment is Wrong!  The Nexi are
between Initiator and Target SCSI Ports, Not Initiator and Target Node
Names (which is what the InitiatorName and TargetName are.)
[/Huff]

SSID use in LOGIN:

1) An unknown initiator sends an iSCSI login request to an iSCSI target
address/port.
2) The target gathers the ISID, TSID, CID, X-Bit fields from the login
request.  This tells who the initiator is and what it's requesting.  The
target takes in all of this is with a grain of salt, because it's not yet
sure the initiator is who it says it is.
3) Mutual security authentication takes place between the target and
initiator.  This may be as simple as "AuthMode=none", but in any case
InitiatorName= and TargetName= have been stated and authenticated to the
satisfaction of both.
4) The target looks back at ISID/TSID/CID/X-bits passed in the first login.
Now it must decide whether or not it can continue or drop the connection.

[Huff/]
SSID (ISID/TSID) is only unique within the InitiatorName & TargetName Pair.
And CID is only unique within a specific SSID.
[/Huff]

On TSID:  How can a target determine this value such that each I-T nexus
can
be reformed consistently?  The target must assign a TSID value each unique
I-T nexus it can identify.  It could use this new unique 6-byte ISID field,
but an initiator could still masquerade as someone else:

     Controller A & B have valid logins to target X.
     Controller B knows controller A's ISID.
     Controller B specifies controller A's ISID in login.
     Controller B uses its InitiatorName= to pass authentication.

Unless X knows the valid ISID values for login A/B, it will assign A's SSID
to B.

[Huff/]

Please see my comments above on Authentication and ACLs. If steps 1-4 are
done correctly, this is NOT an issue.
[/Huff]


This mistake can be avoided by using (TSID ~> InitiatorName).  Each
InitiatorName= allowed by the target is assigned a unique TID.  Taking over
someone's SSID now becomes a pure administration issue not a fault in the
protocol.

[Huff/]
I think you created a problem that did not exist and then solved it. See
comments above.
[/Huff]

On ISID:  It's configured by the initiator.  Whether it be a 16-bit or
48-bit value, the idea is to allow each vendor multiple controller
instances
(I of I_T nexus) if desired.  This value is expected to be assigned and
permanent with each I_T (portal group) nexus.

[Huff/]
That is what the proposal permits.  That is, it permits the vendor, without
worrying about other vendors or OS support which is not there, and may be
implemented differently on different OSs, to Identify in a stable way their
end of the I-T Nexi.
[/Huff]

So why does iSCSI use two methods of identification?

[Huff/]
They are different things, the ISID is only unique within an iSCSI
Initiator Node.
[/Huff]

InitiatorName/TargetName requires super encryption algorithms for
verification while ISID/TSID uses cleartext with the motto, "we trust
you'll
play nice."  Why does iSCSI need SSID to describe the session at all?  Why
not roll it into the authentication parameters?

[Huff/]
The ISID is only a qualifier in the SCSI Port Name which is actually
InitiatorName+ISID.  And the TSID is not even used in the I-T Nexus.  It is
only part of the SSID. And the SSID is itself a Handle which only needs to
be unique within an Initiator Node and Target Node pair. An implementation
may decide to allocate the TSIDs such that they are unique within the iSCSI
Target Node, thereby making all its SSIDs unique within the iSCSI Target
Node, but that would limit the Target Node to 64k Sessions, which maybe
fine for some, but that is NOT a requirement of the Protocol.
[/Huff]


Wrapping ISIDs into a new naming authority seems excessive for a local
issue
(SSIDs are local to each target)?  Or is there a future iSCSI going to make
SSIDs unique so they can be inherited along iSCSI networks?

[Huff/]
See answers above.
[/Huff]


: -----Original Message-----
: From: Jim Hafner [mailto:hafner@almaden.ibm.com]
: Sent: Friday, October 26, 2001 12:02 PM
: To: ips@ece.cmu.edu
: Subject: iSCSI: proposal to solve the ISID issues
:
:
: Folks, (David Black in particular).
:
: Apologies for the long note, but the issue is complicated.
:
: The NDTeam have a proposal to resolve the concerns surrounding use of
: ISIDs as essential components (along with iSCSI Initiator Name) of
: SCSI Initiator Portname.  (This was rooted in private discussions
: between John Hufferd, Julian and myself -- and came about as a result
: of the lengthy (and boring) discussions mostly myself and David
: Black.)
:
: There are two somewhat orthogonal issues involved in this discussion:
:
: 1) How to coordinate ISIDs in the initiator to minimize the risk of
: accidentally breaking the ISID RULE (no parallel nexus) when
: independent vendors co-exist in the same OS.
:
: 2) What ISID "reuse" rules should be specified to facilitate current
: and future (soon?) SCSI reservation semantics (and also internal OS
: views of SCSI Initiator Ports).
:
: To address these two issues, we (NDT) propose the following:
:
: 1) Enlarge the ISID field in the Login Request and Response to 6bytes
: and structure it with a component that corresponds to a "naming
: authority" (essentially the vendor generating the ISID).  So vendors
: each have a piece of the ISID namespace to work with their own
: components (HBAs, SW, etc). More details below.
:
: 2) ISIDs (within the namespace of a given iSCSIName) SHOULD be used as
: conservatively as possible ("conservative reuse").  What this means is
: that a given ISID should be reused for as many sessions (across
: multiple target portal groups) as possible (but never to the same
: target portal group twice -- that's the ISID RULE).
:
: NOTES and ADVANTAGES:
:
: (1-a) Each vendor owns his own piece of the ISID namespace, so in
: effect, at the vendor-level, this provides a "partitioning" of that
: namespace.
:
: (1-b) We don't need to specify an OS infrastructure requirement for
: configuration of ISIDs -- each vendor can do it any way it chooses
: (within its naming authority).
:
: (1-c) Breaking of the ISID RULE will only occur if a vendor messes up
: its own implementation.
:
: (1-d) This is not fundamentally different from David Black's
: suggestion for a "key"; it just (a) defines it precisely and (b)
: embeds it in an already defined (but enlarged) field.
:
: (1-e) Looking towards the future, as common ISID coordination
: mechanisms are implemented between vendors (say, SNIA banding together
: to define a precise API), this "naming authority" can be elevated to
: the coordinating entity or even the OS vendor.
:
: (1-f) ISIDs have no global uniqueness property.  They need only be
: unique between a named iSCSI initiator and iSCSI target portal group.
: That means that a vendor implementation can use the same algorithm to
: generate ISIDs (under its naming authority) in every machine (OS).
:
: (2-a) If a SCSI target (or logical unit) is holding state (say
: persistent reservation) for a SCSI Initiator Port (named by iSCSI Name
: and ISID), and the associated nexus/session is dropped for some
: reason, "reuse" by that initiator of that ISID will restore to the
: resulting new session that state (with no other action on the part of
: the upper SCSI layers).
:
: (2-b) "Reuse" of an ISID on different sessions to (necessarily)
: different SCSI Target Ports (iSCSI Target portal groups), will enable
: the SCSI target/logical unit to recognize a common SCSI Initiator Port
: for those two paths.  This facilitates future changes to SCSI
: reservations (at least).
:
: (2-c) An initiator driver implementated with "conservative reuse" can
: present to the OS a stable and fairly static view of the SCSI
: Initiator Ports (one for each ISID).  Current OS driver stacks
: (including current wedge drivers) that are built on the presumption of
: such a stable view, will not need modification to handle the more
: dynamic nature of iSCSI's SCSI Initiator Port. [Note: the existence of
: a SCSI Initiator Port presented to the OS does not *require* that this
: port discover all possible targets; what the initiator builds sessions
: to using a specific ISID will determine what is presented to the OS as
: "devices" and LUs visible to that SCSI Initiator Port (could be none
: if that ISID is never actually used!).]
:
: (2-d) (Related to (2-c)): Adding a new (pseudo-static) SCSI Initiator
: Port is as simple as configuring another ISID!
:
: (2-e) Its debatable whether "conservative reuse" is a MUST or a
: SHOULD.  My personal opinion is "SHOULD", because many systems,
: particularly low-end that don't use reservations, can function more or
: less OK without it.  This is an open question.
:
: DETAILS:
:
: 1) ISID Structure:
: The 6byte ISID structure would be split into three parts:
:    "type" field (1byte) -- identifies the format of the naming
:                            authority field
:    "naming authority" field (3bytes) -- identifies the vendor (or
:                            group of vendors) generating this ISID
:    "qualifier" (2bytes) -- the free-space for ISID uniqueness
:
: The type field takes on three defined values with all other values
: reserved:
:          Type    naming authority format
:          00h     IEEE OUI
:          01h     IANA Enterprise Number (EN)
:          02h     "Random"
:
: The first types two provide a mechanism to uniquely (world wide)
: identify the naming authority.  A vendor with one or more OUIs and
: possibly also Enterprise number MUST use at least one of these numbers
: when it generates ISIDs.
:
: The "Random" type is for the case where the ISID generator (SW or HW)
: is provided by an entity that has no OUI or EN.  This includes, for
: example,
: -- a user-written program that builds sessions (and has access to the
: system level iSCSI Name)
: -- a university or other organization providing the component
: -- a testing tool
:
: For the "Random" type, the naming authority field should be a random
: or pseudo-random number. (See below on how this affects "conservative
: reuse").
:
: [Note: the "type" field needn't be this big, but NDT felt that (a)
: 2bits was insufficient for the future, (b) the "type" field should be
: first, and (c) the "naming authority" field should be byte-aligned.]
:
: 2) Conservative Reuse
:
: The "conservative reuse" principle of this proposal just says that
: SCSI Initiator Portnames should be viewed as static things (as much as
: possible) and reused (when feasible) to give the most stable
: presentation of SCSI Initiator Ports to both the OS above and to SCSU
: targets across the wire.
:
: Whereas the current draft says "The ISID RULE does not preclude the
: use of the same ISID to different Target portal groups", the
: "conservative reuse" requirement would say that such reuse (using the
: same ISID to many target portal groups) is a SHOULD (or is that
: MUST?).  So, in one implementation, each iSCSI Initiator Portal group
: would get configured with iSCSI Name, and a (small) set of ISIDs.  The
: portal group might take this set of ISIDs as an ordered list.  The
: first session to a Target portal group would use the first ISID, the
: second to the *same* target portal group would use the second in the
: list, etc.  The number of ISIDs would then define a configuration
: parameter that can be interpreted as the maximum number of sessions
: that can be built to a given target portal group.
:
: To facilitate "conservative reuse", the "qualifier" field of a set of
: ISIDs SHOULD be generated using either a repeatable algorithm
: (non-random or pseudo-random but based on a fixed seed) or any
: algorithm and stored in a persistent location (e.g., registry or /etc
: file).
:
: For the "Random" type, "conservative reuse" may not be an issue (say,
: user application that doesn't care about reservations, etc.).  When it
: is, the "naming authority" field SHOULD also be generated by a
: mechanism similar to that for the "qualifier" field as specified above
: (e.g., defined in the SW at compilation time.)
:
:
: DOCUMENTATING CHANGES:
:
: The iscsi drafts would need the following minor changes to support
: this proposal:
:
: NDT doc
: (a) define the structure of the ISID field (as described above)
: (b) add some notes about implementation in the presense of
: "conservative reuse" (e.g., that ISID should be configured once, say
: at install time, then reused on subsequent reboots, even for "Random"
: type).
:
: iSCSI MAIN doc:
: (a) move the CID field in Login Request to another reserved field.
: (b) expand the ISID field in Login Request and Response to encompass
: the previous 4 bytes.
: (c) add a sentence where the ISID field is defined indicating that
: this field is a structured value, showing the structure (as above) and
: point to the NDT document.
: (d) add some text to "Note to Implementors" on "conservative reuse".
:
: Comments?
:
:
: Jim Hafner
: