Re: FW: Redirection (was UNH Plugfest 5)

To: Black_David@emc.com
Subject: Re: FW: Redirection (was UNH Plugfest 5)
From: "Julian Satran" <Julian_Satran@il.ibm.com>
Date: Fri, 17 Jan 2003 12:54:46 +0200
Cc: ips@ece.cmu.edu, owner-ips@ece.cmu.edu
Content-Type: multipart/alternative; boundary="=_alternative 00249CB8C2256CB1_="
In-Reply-To: <277DD60FB639D511AC0400B0D068B71E0564C7A3@corpmx14.us.dg.com>
Sender: owner-ips@ece.cmu.edu

David,

The only way to do it cleany the way you want it is to allow the redirect response (0101 and 0102) only in operational parameter stage.

But that seems rather excessive. If we want to mandate a single way of handling I would suggest stating that 0101 and 0102

SHOULD be accepted even during authentication (Paul's POV). Again I don't thing it adds anything as local policy may prevent an initiator from

considering those values.

Julo

Black_David@emc.com
Sent by: owner-ips@ece.cmu.edu

17/01/03 01:11

To	ips@ece.cmu.edu
cc
Subject	FW: Redirection (was UNH Plugfest 5)

Forwarding an off-list note on this topic - a SHOULD is useful here to express a preference for which redirection mechanism to use in the presence of authentication. I prefer the SHOULD for redirection after authentication because rogue target attacks are more dangerous to iSCSI than rogue initiator attacks because the initiator authenticates first when using CHAP. Redirection prior to authentication makes it easier to mount a rogue target attack. Thanks, --David -----Original Message----- From: Paul Koning [mailto:pkoning@equallogic.com] Sent: Thursday, January 16, 2003 3:57 PM To: Black_David@emc.com Cc: Julian_Satran@il.ibm.com Subject: RE: Redirection (was UNH Plugfest 5) >>>>> "Black" == Black David <Black_David@emc.com> writes: Black> The most I could see doing here would be: - In the absence of Black> explicit administrative action, - If a target is contacted by Black> an Initiator requesting SecurityNegotiation, - And the target Black> would issue a redirect to that Initiator based on the target Black> name the initiator is trying to contact, - Then the target Black> SHOULD negotiate security before issuing the redirect. My preference is to swing the SHOULD in the other direction, because there is no security issue in doing so. (In other words, if the initiator requests security negotiation and the target replies with a redirect, the initiator SHOULD accept that redirect as valid without a full security negotiation.) But your proposal still serves to strengthen the spec. paul

Follow-Ups:
- Re: FW: Redirection (was UNH Plugfest 5)
  - From: Paul Koning <pkoning@equallogic.com>

References:
- FW: Redirection (was UNH Plugfest 5)
  - From: Black_David@emc.com

Prev by Date: RE: iSCSI: using the C bit
Next by Date: RE: FW: Redirection (was UNH Plugfest 5)
Prev by thread: FW: Redirection (was UNH Plugfest 5)
Next by thread: Re: FW: Redirection (was UNH Plugfest 5)
Index(es):
- Date
- Thread

Home

Last updated: Fri Jan 17 15:19:01 2003
12212 messages in chronological order