|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: UNH Plugfest 5
Is there a reason not to allow different AuthMethods for Target and
Initator? Either add new text messages TargetAuthMethod &
InitiatorAuthMethod, or perhaps allow initiators to encode combinations in
an AuthMethod:
AuthMethod=CHAP/CHAP,CHAP/None,None/None,CHAP,None
// CHAP/CHAP - means both are authenticated with CHAP
// CHAP/None - means that the Initiator is authenticated but the
Target is not
// None/None - means that neither is authenticated
// CHAP - backwards compatibility
// None - backwards compatibility
|---------+---------------------------->
| | "Robert D. |
| | Russell" |
| | <rdr@io.iol.unh.e|
| | du> |
| | Sent by: |
| | owner-ips@ece.cmu|
| | .edu |
| | |
| | |
| | 01/15/03 04:28 PM|
| | |
|---------+---------------------------->
>------------------------------------------------------------------------------------------------------------------------------|
| |
| To: Julian Satran <Julian_Satran@il.ibm.com>, "" <ips@ece.cmu.edu> |
| cc: |
| Subject: Re: UNH Plugfest 5 |
| |
| |
>------------------------------------------------------------------------------------------------------------------------------|
Julian:
Two more questions arose at the plugfest today, 15-Jan-2003.
1. A question arose as to the proper target response during the following
CHAP authentication exchange.
Assume that:
I->T: CHAP_A=5
T->I: CHAP_A=5 CHAP_I=<i> CHAP_C=<c>
worked correctly. The Initiator now sends:
I->T: CHAP_N=<n> CHAP_R=<r> CHAP_I=<i> CHAP_C=<c>
Further assume that the values CHAP_N=<n> and CHAP_R=<r> are
correct, so that the initiator is successfully authenticated by the
target and the target will allow it access to the target's resources.
The problem arises because the target does not want to be
authenticated by the initiator, for whatever reason -- perhaps it has
no CHAP_N value to return for this initiator, or it has no secret
to use in calculating a value to return for CHAP_R, or whatever.
If the initiator had not sent the CHAP_I and CHAP_C keys, both
sides would have been happy and the login would proceed. But the
initiator did send those keys and the target does not want to see
them. So, what should happen?
There appear to be at least the following 4 possibilities.
a. The target replies: CHAP_I=Reject CHAP_C=Reject
This does not appear to be correct because the target is
expected to reply to the pair of keys CHAP_I, CHAP_C with
different keys (i.e., CHAP_N and CHAP_R), not the same keys.
Furthermore, the target already sent CHAP_I and CHAP_C
earlier in the exchange, so this would be sending the same
key twice. Certainly the initiator is not expecting to
receive CHAP_I and CHAP_C again.
b. The target replies: CHAP_N=Reject CHAP_R=Reject
This does not appear to be correct because these are not
replies to offers of CHAP_N and CHAP_R, but to offers of
different keys (i.e., CHAP_I and CHAP_C). However, they
could be considered "replies" of sorts to the initiator's
"offer" of CHAP_N and CHAP_R, but that is stretching things.
c. The target replies with a login reject, but it is not
clear what status code to use in this login reject pdu:
0x0200 is not accurate, because it is not an initiator
error.
0x0201 is not accurate, because the initiator WAS
successfully authenticated.
0x0202 is also not accurate because the initiator
IS allowed access to the given target.
0x0300 is not accurate, because it is not a target
error.
A new access code could be invented "The target will not
authenticate itself".
However, in this present situation, a login reject is probably
not what the target wants to send, because it is willing to
allow this initiator to proceed without target authentication,
and thus the target does not want to terminate the login exchange.
d. The target replies with no keys, and if the initiator offered
a transition out of security negotiation phase (i.e. T=1 and
NSG=1 or NSG=3) then the target accepts the transition. If the
initiator does not like going on without having the target
authentication, it can always just close the connection upon
receiving this reply. If the initiator did not offer a
transition out of security negotiation phase, the target can
only reply with T=0 and NSG=0, and will continue doing this for
all subsequent login requests until either the initiator offers
a transition or drops the connection.
Solution d appears to be the most flexible, because the decision to
ask for target authentication was made by the initiator, and solution
d leaves it up to the initiator to decide whether or not it will
proceed when the target refuses to provide this authentication.
In any case, there appears to be a need for some clarification
in the standard to cover this situation.
2. The question arose with regard to how an initiator maps a scsi
"bus reset" onto iscsi (this may be a legacy situation). Some vendor
initiators are simply doing a session logout, but other vendors claim
this is not sufficient, and that to correctly emulate a "bus reset"
the initiator needs to do a task management function TARGET WARM
RESET, or, since that is optional to implement, when it is not
implemented then the initiator needs to issue a task management
function LOGICAL UNIT RESET for all active LUNs in that session.
Can/should there be a "note to implementors" on this in the standard,
so that a consistent result will be obtained in this situation?
Thank you for your consideration.
Bob Russell
InterOperability Lab
University of New Hampshire
rdr@iol.unh.edu
603-862-3774
Home Last updated: Thu Jan 16 13:19:02 2003 12189 messages in chronological order |