[PATCH 1/6] nvmeof-tcp/001: simple test for nvmeof-tcp connection

Mon Nov 15 00:12:18 PST 2021

>> It is unclear to me why the separate directory is needed. But at least
>> call it something else if you must have it.
>>
>>> Especially as I still fail to see the actual use-case for using 
>>> in-band authentication _without_ encryption.
>>
>> Not sure what you mean. For the same use-case that iscsi chap exists
>> for. The secrets are pre-shared.
>>
> And that's the use case I don't really get; the authentication is done 
> only once during connection establishment, and then completely ignored
> for the remainder of the session.

I have a different view on this. Authentication isn't really related to
the datapath, but really only relevant to the queue establishment.

> 
>> Perhaps you can explain? My understanding is that the extension for
>> nvme-tcp TLS based auth is to avoid maintaining two sets of pre-shared
>> keys, i.e just maintain the TLS ones and not the dhchap ones. But maybe
>> I am missing something.
>>
> Yes, and no.
> Technically TLS is independent from authentication, and as such you can 
> 'just' use encryption.
> But if you want to have both there is the so-called secure 
> concatenation, which allows you to use the negotiated shared key from 
> authentication as PSK for TLS.

Well, TLS is a longer journey for a number of reasons which I won't
elaborate here.

> And that's where I think the real value lies for authentication; you 
> precisely do _not_ have to maintain two sets of keys.

I can't say I completely agree with you. There are means today to
encrypt data over the wire. Granted, it will negate possible data
reduction gains, but still a mitigation exists.

On the other hand, today any unauthenticated host can connect to
any fabrics controller, which is a problem. I don't think you should
minimize the magnitude of your contribution as this is a real issue
with nvmeof acceptance in enterprise environments.

I do agree that when TLS is used, it is indeed very useful to not
have to maintain two sets of pre-shared secrets, but I don't think
that there is no use-case for inband authentication in the absence
of TLS.

> 
>>> We could rename it to nvmeof-auth, though.
>>
>> or just add it as more tests under nvme (or create a subdirectory).
>>
> Sure we can. I just found it easier to create my own directory, 
> especially seeing that the nvme subdir has the largest number of tests 
> already.
> But if you prefer I can move it under the 'nvme' directory.

I think that it would definitely be an improvement, also because people
usually run the nvme directory tests which is nice and simple, we should
strive to keep it this way.