SSC-3: Comments to 05-446r3

Kevin D Butt kdbutt at us.ibm.com
Wed Jan 25 10:40:38 PST 2006


* From the T10 Reflector (t10 at t10.org), posted by:
* Kevin D Butt <kdbutt at us.ibm.com>
*
All,

Here are my comments about 05-446r3.  I would like to discuss at least the 
technical ones in today's phone conference.

Editorial:

Page 4, Editors Note: <<delete the word "INCORRECT">>
Page 6, first sentence: I_T NEXES s/b I_T NEXUS
Page 14 six places: "this I_T Nexus" s/b "the I_T Nexus on which this 
command was received"
Page 14 two places: "another I_T Nexus" s/b "an I_T Nexus other than the 
one on which this command was received"
Page 15, last paragraph (also page 22, sixth paragraph) states that for 
the A-KAD the AUTHENTICATION field shall be set to zero.  Why is it set to 
zero?

Technical:

Page 19, Table Y2, Description for PUBLIC should say that the SCOPE field 
is the only value that applies.  More than just the mode and key are 
ignored.

Page 20, top of page, the order of precedence list is incorrect. 
Change
<<
The data encryption mode and key that shall be used for an I_T nexus shall
be established by the following order of precedence:
1. If the scope for the I_T nexus is not PUBLIC, the values set by a
   SECURITY PROTOCOL OUT command associated with the I_T nexus; or
2. If the scope for the I_T nexus is PUBLIC:
   1) If the I_T nexus is participating in a reservation for the logical
      unit, the values set by another participant in the reservation with
      a scope of RESERVATION GROUP;
   2) the values set by another I_T nexus with a scope of ALL I_T NEXUS; or
   3) the default values.
>>
to
<<
The data encryption mode and key that shall be used for an I_T nexus shall
be established by the following:
a) If the SCOPE field is set to LOCAL the scope is LOCAL and the data
   encryption values used are those sent in this command;
b) If the SCOPE field is set to RESERVATION GROUP the scope is RESERVATION
   GROUP and the data encryption values used are those sent in this command;
c) If the SCOPE field is set to ALL I_T NEXUS the scope is ALL I_T NEXUS
   and the data encryption values used are those sent in this command; or
d) If the SCOPE field is set to PUBLIC then it shall use the following
   order of precedence to determine the data encryption values:
     1) If the I_T nexus is participating in a reservation for the logical
        unit, the values set by another participant in the reservation
        with a scope of RESERVATION GROUP;
     2) the values set by another I_T nexus with a scope of ALL I_T NEXUS;
        or
     3) the default values.
>>

Page 19 & 20: Related to the scope there are a series of questions:
1) How is it known who is the master I_T Nexus (i.e. who sets the values) 
on RESERVATION GROUP and ALL I_T NEXUS? 
2) Is there a way to query who has set up the values? 
3) Additionally, can you select RESERVATION GROUP or ALL I_T NEXUS without 
sending a key?  If not, then every I_T Nexus participating will preempt a 
previous.
4) I guess that all the other I_T nexus besides the one that set the 
encryption values are set to PUBLIC.
5) I think that this is complex enough that a diagram would be very 
helpful in understanding how the scopes relate.

Page 20, Table Y3 - ENCRYPTION MODE field values.  We need to add another 
value called EXTERNAL WITH VERIFY (or something similar).  This would be 
used by application clients who wish to copy data read RAW from one tape to 
another and pass a key to the writing device to verify the data is valid 
and can be read at a later date.  The reason for this mode is to allow the 
raw copy without presenting the encrypted data in the clear for the copy 
process.  Copies are desired where the data is still encrypted.  The 
validation that it will be readable later is important.

Page 22, fourth paragraph, fourth line from bottom:
Change << If the ENCRYPTION MODE field is not set to ENCRYPT and 
key-associated descriptors ...>> 
To << If the ENCRYPTION MODE field is not set to ENCRYPT or EXTERNAL WITH 
VERIFY and key-associated descriptors ...>>

Thanks,

Kevin D. Butt
Fibre Channel & SCSI Architect, IBM Tape Firmware, 
6TYA, 9000 S. Rita Rd., Tucson, AZ  85744
Tie-line 321; Office: 520-799-5280, Lab: 799-5751, Fax: 799-4138, Email: 
kdbutt at us.ibm.com
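
The proposed rules a) through d) above, modelled as an added example (not part of the original message or of 05-446r3). Assumptions, labelled in the code: an I_T nexus that has set nothing is treated as PUBLIC, the most recent setter wins when several qualify (questions 3 and 4 leave both open), and the nexus names, `Params` and the `default-mode` placeholder are hypothetical.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class Scope(Enum):
    PUBLIC = "PUBLIC"
    LOCAL = "LOCAL"
    RESERVATION_GROUP = "RESERVATION GROUP"
    ALL_I_T_NEXUS = "ALL I_T NEXUS"

@dataclass(frozen=True)
class Params:
    mode: str
    key: Optional[bytes]

DEFAULT = Params("default-mode", None)  # placeholder: the page does not give the defaults

class LogicalUnit:
    def __init__(self, reservation=()):
        self.reservation = set(reservation)  # I_T nexuses participating in the reservation
        self.saved = {}                      # nexus -> (Scope, Params), oldest setter first

    def security_protocol_out(self, nexus, scope, params=None):
        self.saved.pop(nexus, None)          # re-insert so the newest setter is last
        self.saved[nexus] = (scope, None if scope is Scope.PUBLIC else params)

    def effective(self, nexus):
        scope, params = self.saved.get(nexus, (Scope.PUBLIC, None))  # assumed: unset == PUBLIC
        if scope is not Scope.PUBLIC:        # items a) to c): values sent on this nexus
            return params
        others = [n for n in reversed(self.saved) if n != nexus]  # assumed: newest wins
        if nexus in self.reservation:        # item d) 1)
            for n in others:
                if n in self.reservation and self.saved[n][0] is Scope.RESERVATION_GROUP:
                    return self.saved[n][1]
        for n in others:                     # item d) 2)
            if self.saved[n][0] is Scope.ALL_I_T_NEXUS:
                return self.saved[n][1]
        return DEFAULT                       # item d) 3)

def demo():
    # Constructed scenario: A and B hold the reservation, C and D do not.
    lu = LogicalUnit(reservation={"A", "B"})
    lu.security_protocol_out("C", Scope.ALL_I_T_NEXUS, Params("ENCRYPT", b"key-C"))
    lu.security_protocol_out("A", Scope.RESERVATION_GROUP, Params("ENCRYPT", b"key-A"))
    return {n: lu.effective(n).key for n in "ABCD"}
```

In `demo()`, nexus B (PUBLIC, in the reservation) inherits A's key while D (PUBLIC, outside it) inherits C's, which is the relationship question 5 asks to have diagrammed.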