SA Usage Leakage

Ralph Weber roweber at IEEE.org
Fri Nov 7 17:49:36 PST 2008


Formatted message: <a href="r0811072_f.htm">HTML-formatted message</a>

Kevin,
Please feel free to write a proposal.
Since I disagree with the proposal, I will not write it.
Also note that the DS_SAI still cannot be reused until the time
that the SA would have expired. If this requirement is not met,
a newly created SA could be mistaken for a discarded old one.
All the best,
.Ralph
Kevin D Butt wrote:
>
> Ralph,
>
> As I understand it, the SA state is not tied to one initiator or 
> another.  Once it is created it uses the SAI to determine which SA to 
> use.	There is no way to determine if it was another initiator that 
> caused the info to be cleared.  This is a whole new concept where the 
> item in question (the SA) is not tied to any I_T nexus.  Creating a UA 
> for removing SA state information is not a good idea.  In fact it 
> could lead to all applications out there checking to see if the SA 
> they are using is still available.  This does not make sense to me. 
>  In fact, SPC-4 already states that if the SA Timer expires the state 
> information is discarded and there is no mention of creating a UA - 
> thankfully.  This situation is only slightly different.
>
> We still believe that:
> A) the DS needs to be able to clear space for a new SA
> B) no notification of lost SA should be reported to AC until the AC 
> attempts to use an SA
> C) the expected behaviors of the DS and the AC should be explicitly 
> stated in SPC-4 and be general (i.e., not tied to each usage defined 
> (e.g., ESP-SCSI))
> D) There should be a unique additional sense code for when an attempt 
> to use an unknown SAI is made (not just 5/2600 pointing to the SA field)
>
> Thanks,
>
> Kevin D. Butt
> SCSI & Fibre Channel Architect, Tape Firmware
> MS 6TYA, 9000 S. Rita Rd., Tucson, AZ 85744
> Tel: 520-799-2869 / 520-799-5280
> Fax: 520-799-2723 (T/L:321)
> Email address: kdbutt at us.ibm.com
> http://www-03.ibm.com/servers/storage/
>
>
> From: 	Ralph Weber <roweber at IEEE.org>
> To:	t10 at t10.org
> Date: 	10/31/2008 06:55 PM
> Subject:	Re: SA Usage Leakage
>
>
> ------------------------------------------------------------------------
>
>
>
> Kevin,
>
> Why is it better to have to define, establish, etc. a UA for
> SA CLEARED BY ANOTHER USER than to simply refuse to do that
> which cannot be done?
>
> Do not for a minute think that SCSI is going to allow
> SAs to be discarded without establishing a UA. That is
> simply not done.
>
> Either way there is a messy Denial of Service problem: UAs
> out the ying-yang or full frontal request rejection.
>
> Think about it!
>
> All the best,
>
> .Ralph
>
> Kevin D Butt wrote:
>
> I sent out a note on SA Usage Leakage a while back and then lost track 
> of this item.  David Black responded with "I don't see a problem with 
> this in
> principle.  The original IKEv2 allows state to be discarded at will."
>
> The original note is:
> ===========
> We have concerns related to SA usage leakage.  That is, it is possible 
> for application clients to create enough SA's in a device server - 
> with the timeout values long enough - that the device server is out of 
> resources to create another.	While the answer seems obvious - allow 
> the device server to implicitly abandon an SA for vendor-specific 
> reasons, there is no explicit mention of this in SPC-4 that we can 
> find.  If the DS is not allowed to implicitly abandon an SA, the opens 
> up the avenue for Denial of Service attacks - an attacker could use up 
> all the SA resources with maximum timeout values.
>
> Key points being:
> A) the DS needs to be able to clear space for a new SA
> B) no notification of lost SA should be reported to AC until the AC 
> attempts to use an SA
> C) the expected behaviors of the DS and the AC should be explicitly 
> stated in SPC-4 and be general (i.e., not tied to each usage defined 
> (e.g., ESP-SCSI))
> D) There should be a unique additional sense code for when an attempt 
> to use an unknown SAI is made
> ===========
> Also there should be a high-level statement/behavior in the usage 
> model about attempts to use an unknown SA (not just 5/2600 pointing to 
> the SA field).
>
> Does anybody disagree with this or agree that this would be a good 
> thing to do?
>
> Thanks,
>
> Kevin D. Butt
> SCSI & Fibre Channel Architect, Tape Firmware
> MS 6TYA, 9000 S. Rita Rd., Tucson, AZ 85744
> Tel: 520-799-2869 / 520-799-5280
> Fax: 520-799-2723 (T/L:321)
> Email address: _kdbutt at us.ibm.com_ _
> __http://www-03.ibm.com/servers/storage/_
>



More information about the T10 mailing list