Protecting data in buffer with an SA

Ralph Weber roweber at IEEE.org
Tue Mar 3 16:48:33 PST 2009


* From the T10 Reflector (t10 at t10.org), posted by:
* Ralph Weber <roweber at ieee.org>
*
Kevin,

I believe the RECEIVE CREDENTIAL command (see 6.19) provides
a worked example of how to SA-protect a data-in buffer.

N.B. The use of an SA to protect data in the CDB is a
security-motivated "feature", as described in the last
paragraph in 5.14.7.5.1.

All the best,

.Ralph

Kevin D Butt wrote:
>
> Ralph,
>
> Thanks for the response.  Does it help to restate my question as this:
> How can the device server know which SA the application client wants 
> the device server to use to protect the data-in buffer using ESP-SCSI?
>
> 5.14.7.5.1 Overview
> A device server shall transfer ESP-SCSI parameter data descriptors in 
> a data-in buffer only in response to a
> request that specifies an SA using the AC_SAI SA parameter and DS_SAI 
> SA parameter values (see 5.14.2.2). If
> the specified combination of AC_SAI and DS_SAI values in a command 
> that requests the transfer of ESP-SCSI
> parameter data descriptors is not known to the device server, the 
> command shall be terminated with CHECK
> CONDITION status, with the sense key set to ILLEGAL REQUEST, the 
> additional sense code set to INVALID
> FIELD IN PARAMETER LIST or to INVALID FIELD IN CDB, the SKSV bit set 
> to one, and SENSE KEY SPECIFIC field
> set as defined in 4.5.2.4.2.
>
> How is this line in the above fulfilled: "only in response to a request
> that specifies an SA using the AC_SAI SA parameter and DS_SAI SA
> parameter values"?  How can the request (i.e., a CDB) specify an SA?
>
> Thanks,
>
> Kevin D. Butt
> SCSI & Fibre Channel Architect, Tape Firmware
> MS 6TYA, 9000 S. Rita Rd., Tucson, AZ 85744
> Tel: 520-799-5280
> Fax: 520-799-2723 (T/L:321)
> Email address: kdbutt at us.ibm.com
> http://www-03.ibm.com/servers/storage/
>
>
> From: 	Ralph Weber <roweber at IEEE.org>
> To:	t10 at t10.org
> Date: 	03/03/2009 05:06 PM
> Subject:	Re: Protecting data in buffer with an SA
>
> Kevin,
>
> I am having difficulty parsing everything that follows, "There
> is an ESP-SCSI defined for parameter in data but no method for
> selecting which SA to use to protect it" in the original message.
>
> Every ESP-SCSI format that I have checked contains an SAI
> (Security Association Index) -- either DS_SAI or AC_SAI --
> that identifies the SA to be applied when protecting the data.
>
> Perhaps my confusion over the other questions will be clarified
> when the inability of SAIs to identify SAs is explained.
>
> All the best,
>
> .Ralph
>
> Kevin D Butt wrote:
> >
> > IBM is looking at what would be required to protect a data in buffer
> > with an SA.  There is an ESP-SCSI defined for parameter in data but no
> > method for selecting which SA to use to protect it.  How does the
> > application client tell the device server which SA to use?  Since
> > there are no SAI fields in the CDBs for the commands that request the
> > data we are looking to protect, we don't see how to do this.
> >
> > Has anybody thought about this yet?
> >
> > Thanks,
> >
> > Kevin D. Butt
> > SCSI & Fibre Channel Architect, Tape Firmware
> > MS 6TYA, 9000 S. Rita Rd., Tucson, AZ 85744
> > Tel: 520-799-5280
> > Fax: 520-799-2723 (T/L:321)
> > Email address: kdbutt at us.ibm.com
> > http://www-03.ibm.com/servers/storage/
>
> *
> * For T10 Reflector information, send a message with
> * 'info t10' (no quotes) in the message body to majordomo at t10.org
>
>
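
The device-server check that the quoted 5.14.7.5.1 text requires, sketched as an added example (not part of the original messages and not taken from any T10 document). The 32-bit SAI width, the table contents, the sai_field_offset parameter and all function names are assumptions, and only the INVALID FIELD IN CDB choice of additional sense code is modelled.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define STATUS_GOOD              0x00
#define STATUS_CHECK_CONDITION   0x02
#define SK_ILLEGAL_REQUEST       0x05
#define ASC_INVALID_FIELD_IN_CDB 0x24   /* ASCQ is 00h */

/* One established SA as the device server remembers it (assumed 32-bit SAIs). */
struct sa_entry { uint32_t ac_sai, ds_sai; int in_use; };

/* Constructed sample table; the SAI values are made up for the example. */
static const struct sa_entry sa_table[] = {
    { 0x00001001u, 0x8000A001u, 1 },
    { 0x00001002u, 0x8000A002u, 1 },
};

/* The SA is identified by the AC_SAI/DS_SAI combination, so both must match. */
const struct sa_entry *sa_lookup(uint32_t ac_sai, uint32_t ds_sai)
{
    for (size_t i = 0; i < sizeof sa_table / sizeof sa_table[0]; i++)
        if (sa_table[i].in_use && sa_table[i].ac_sai == ac_sai &&
            sa_table[i].ds_sai == ds_sai)
            return &sa_table[i];
    return NULL;
}

/* Build 18 bytes of fixed-format sense data pointing at the offending CDB field. */
void sense_invalid_cdb_field(uint8_t sense[18], uint16_t field_ptr)
{
    memset(sense, 0, 18);
    sense[0]  = 0x70;                     /* current error, fixed format */
    sense[2]  = SK_ILLEGAL_REQUEST;
    sense[7]  = 0x0A;                     /* additional sense length */
    sense[12] = ASC_INVALID_FIELD_IN_CDB; /* sense[13] (ASCQ) stays 00h */
    sense[15] = 0x80 | 0x40;              /* SKSV = 1, C/D = 1 (field is in the CDB) */
    sense[16] = (uint8_t)(field_ptr >> 8);
    sense[17] = (uint8_t)(field_ptr & 0xFF);
}

/* Gate run before any ESP-SCSI data-in descriptor is returned.
 * sai_field_offset is a hypothetical byte offset of the SAI field in the CDB. */
uint8_t check_sa_for_data_in(uint32_t ac_sai, uint32_t ds_sai,
                             uint16_t sai_field_offset, uint8_t sense[18])
{
    if (sa_lookup(ac_sai, ds_sai) != NULL)
        return STATUS_GOOD;               /* known SA: caller may protect the buffer */
    sense_invalid_cdb_field(sense, sai_field_offset);
    return STATUS_CHECK_CONDITION;
}
```

A request that pairs the AC_SAI of one SA with the DS_SAI of another is rejected the same way as a wholly unknown pair, since the lookup requires both values to match one entry.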