Re: [PATCH 1/6] nvmeof-tcp/001: simple test for nvmeof-tcp connection

[Hannes Reinecke <hare@suse.de>]

On 11/14/21 3:45 PM, Sagi Grimberg wrote:
> 
> 
> On 11/14/21 3:50 PM, Hannes Reinecke wrote:
>> On 11/14/21 11:31 AM, Sagi Grimberg wrote:
>>>
>>>> Signed-off-by: Hannes Reinecke <hare@suse.de>
>>>> ---
>>>>   tests/nvmeof-tcp/001     |  55 +++++++
>>>>   tests/nvmeof-tcp/001.out |   6 +
>>>>   tests/nvmeof-tcp/rc      | 347 
>>>> +++++++++++++++++++++++++++++++++++++++
>>>
>>> Why another directory? why nvmeof-tcp? what prevents inband-auth
>>> to be tested with loop/rdma?
>>>
>> Technically, nothing.
>> But as I'll be looking into tcp in-band _encryption_ as the next step 
>> I found it logical to have a disinct directory.
> 
> It is unclear to me why the separate directory is needed. But at least
> call it something else if you must have it.
> 
>> Especially as I still fail to see the actual use-case for using 
>> in-band authentication _without_ encryption.
> 
> Not sure what you mean. For the same use-case that iscsi chap exists
> for. The secrets are pre-shared.
> 
And that's the use case I don't really get; the authentication is done 
only once during connection establishment, and then completely ignored
for the remainder of the session.

> Perhaps you can explain? My understanding is that the extension for
> nvme-tcp TLS based auth is to avoid maintaining two sets of pre-shared
> keys, i.e just maintain the TLS ones and not the dhchap ones. But maybe
> I am missing something.
> 
Yes, and no.
Technically TLS is independent from authentication, and as such you can 
'just' use encryption.
But if you want to have both there is the so-called secure 
concatenation, which allows you to use the negotiated shared key from 
authentication as PSK for TLS.

And that's where I think the real value lies for authentication; you 
precisely do _not_ have to maintain two sets of keys.

>> We could rename it to nvmeof-auth, though.
> 
> or just add it as more tests under nvme (or create a subdirectory).
> 
Sure we can. I just found it easier to create my own directory, 
especially seeing that the nvme subdir has the largest number of tests 
already.
But if you prefer I can move it under the 'nvme' directory.

Cheers,

Hannes
-- 
Dr. Hannes Reinecke                Kernel Storage Architect
hare@suse.de                              +49 911 74053 688
SUSE Software Solutions GmbH, Maxfeldstr. 5, 90409 Nürnberg
HRB 36809 (AG Nürnberg), Geschäftsführer: Felix Imendörffer