SORT BY:

LIST ORDER
THREAD
AUTHOR
SUBJECT


SEARCH

IPS HOME


    [Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

    RE: iSCSI: U=<user> in Authentication



    > You would certainly want the end-user or administrator to have the
    > capability of not entering the UserID if it is the same as 
    > the iSCSI Node Name.
    
    Sounds like a simple checkbox in a management GUI, or a switch on
    a command line or ...
    
    > I just think it would be useful and simpler, to include in our
    > documentation a statement that says that the Default for U=<user> or N
    > =<name> etc., if not entered, is the iSCSI Initiator Node Name.
    
    I disagree - all the authentication parameters need to be present,
    and management tools are quite capable of doing a string copy.
    
    --David
    
    ---------------------------------------------------
    David L. Black, Senior Technologist
    EMC Corporation, 42 South St., Hopkinton, MA  01748
    +1 (508) 435-1000 x75140     FAX: +1 (508) 497-8500
    black_david@emc.com       Mobile: +1 (978) 394-7754
    ---------------------------------------------------
    
    > -----Original Message-----
    > From: John Hufferd [mailto:hufferd@us.ibm.com]
    > Sent: Thursday, September 20, 2001 2:45 PM
    > To: CONGDON,PAUL (HP-Roseville,ex1)
    > Cc: ietf-ips; 'Steve Senum'
    > Subject: RE: iSCSI: U=<user> in Authentication
    > 
    > 
    > 
    > Paul, Steve,
    > I understand your point, however, with duplication you often 
    > cause hard to
    > detect errors.  Often I have looked at two similar strings 
    > and have had
    > difficulty in seeing minor differences in them.  When 
    > administrators, or
    > end-users are the ones that are attempting to enter what 
    > maybe very long
    > strings (in the case of iSCSI Initiator Node Names), you can 
    > imagine the
    > finger checks maybe an important problem.
    > 
    > Also if you think through the process of how a UserID is 
    > obtained, by the
    > Initiator, you see that it is the end-user/administrator that 
    > must enter
    > the value.
    > 
    > You would certainly want the end-user or administrator to have the
    > capability of not entering the UserID if it is the same as 
    > the iSCSI Node
    > Name.  In this case, a good implementation (if the UserID is 
    > not entered)
    > will include code to find and replicate the iSCSI Initiator 
    > Node Name as a
    > UserID.  Again, this is not a hard problem, just another 
    > thing to handle.
    > 
    > I just think it would be useful and simpler, to include in our
    > documentation a statement that says that the Default for U=<user> or N
    > =<name> etc., if not entered, is the iSCSI Initiator Node Name.
    > 
    > 
    > .
    > .
    > .
    > John L. Hufferd
    > Senior Technical Staff Member (STSM)
    > IBM/SSG San Jose Ca
    > Main Office (408) 256-0403, Tie: 276-0403,  eFax: (408) 904-4688
    > Home Office (408) 997-6136
    > Internet address: hufferd@us.ibm.com
    > 
    > 
    > "CONGDON,PAUL (HP-Roseville,ex1)" <paul_congdon@hp.com> on 09/20/2001
    > 10:13:57 AM
    > 
    > To:   "'Steve Senum'" <ssenum@cisco.com>, John Hufferd/San 
    > Jose/IBM@IBMUS
    > cc:   ietf-ips <ips@ece.cmu.edu>
    > Subject:  RE: iSCSI: U=<user> in Authentication
    > 
    > 
    > 
    > 
    > I agree with Steve here.  The most likely deployment will be to use
    > InitiatorName as UserID whenever possible, but it doesn't 
    > seem necessary to
    > force that or allow the option to omit a name in one phase or another.
    > 
    > Paul
    > 
    > -----Original Message-----
    > From: Steve Senum [mailto:ssenum@cisco.com]
    > Sent: Thursday, September 20, 2001 9:38 AM
    > To: John Hufferd
    > Cc: ietf-ips
    > Subject: Re: iSCSI: U=<user> in Authentication
    > 
    > 
    > John,
    > 
    > My opinion on this is:
    > 
    > What you are calling the UserID (i.e., U=<name>
    > for SRP, N=<name> for CHAP), could be the same
    > as the iSCSI Initiator Name, but it should not
    > be required to be so.
    > 
    > I see the N=<name> within CHAP (or U=<name> for SRP)
    > being used for authentication, the process of verifying the
    > Initiator is who it claims to be.  I also see it as
    > an integral part of the chosen AuthMethod.
    > 
    > I see the InitiatorName=<name> being used for
    > authorization, the process of verifying what
    > resources the Initiator can access.
    > 
    > There are two reasons I can think of that
    > the two names would be different:
    > 
    > 1. The particular AuthMethod, or the implementation
    > of some third party authentication server, might
    > restrict what form a name can take that is not
    > compatible with iSCSI naming.
    > 
    > 2. A group of Initiators might be configured to
    > use the same name for authentication purposes,
    > simply because they are being managed as a group
    > for authentication purposes.
    > 
    > Steve Senum
    > 
    > John Hufferd wrote:
    > >
    > > OK then Steve, and others  I would be interested in your 
    > answers to the
    > > following questions:
    > >
    > > If the UserID is exactly the same as the iSCSI Initiator 
    > Name, why would
    > it
    > > be entered again?
    > >
    > > If the UserID is different, why was the iSCSI initiator 
    > Name required?
    > It
    > > is only used as:
    > > 1. A unique string that can ensure that the full Session 
    > identification
    > is
    > > unique, The UserID can do that.
    > > 2. As an Authentication String.   The UserID can do that.
    > >
    > > If the same users wants access to different storage from different
    > systems,
    > > that user can have a unique UserID for each system.
    > >
    > > If the User wants the same storage access from different systems,
    > serially,
    > > then that user can use the same UserID on each system.
    > >
    > > So is the UserID a substitute for iSCSI Initiator Name?
    > >
    > > .
    > > .
    > > .
    > > John L. Hufferd
    > > Senior Technical Staff Member (STSM)
    > > IBM/SSG San Jose Ca
    > > Main Office (408) 256-0403, Tie: 276-0403,  eFax: (408) 904-4688
    > > Home Office (408) 997-6136
    > > Internet address: hufferd@us.ibm.com
    > >
    > > Steve Senum <ssenum@cisco.com>@ece.cmu.edu on 09/19/2001 03:27:08 PM
    > >
    > > Sent by:  owner-ips@ece.cmu.edu
    > >
    > > To:   ietf-ips <ips@ece.cmu.edu>
    > > cc:
    > > Subject:  Re: iSCSI: U=<user> in Authentication
    > >
    > > I don't think it should be possible to omit
    > > the usernames for AuthMethods SRP and CHAP.
    > >
    > > On the SRP and CHAP key names, I am mostly netural,
    > > though I would prefer ChapId instead of ChapID.
    > > Since they are AuthMethod specific though, I don't
    > > really see the need to change them.
    > >
    > > Steve Senum
    > >
    > > "CONGDON,PAUL (HP-Roseville,ex1)" wrote:
    > > >
    > > > I agree that more clarification regarding how to 
    > associate SCSI Names
    > > with
    > > > user identities should be provided.  I'm not sure if I 
    > agree that it
    > > should
    > > > be possible to omit the names entirely - however.  This 
    > would provide
    > > > another optional way to approach the exchange (may 
    > provide or may not)
    > > which
    > > > adds complexity to this portion of the code, more test cases, more
    > > > unnecessary options, etc..  As you've mentioned it may also be
    > different
    > > > depending upon the authentication method in use. There is 
    > certainly
    > room
    > > for
    > > > improvement here.
    > > >
    > > > I have a bit of a gripe about the key=value pairs during 
    > authentication
    > > > phase in general.  First of all, the key names are not very
    > descriptive,
    > > > which defeats the purpose of using Text keys in the first 
    > place (in my
    > > > opinion).  Secondly and more importantly, there are key 
    > values that are
    > > not
    > > > unique and depend upon what authentication method is in 
    > progress in
    > order
    > > to
    > > > decode/parse them.  For example, A=5 in CHAP for 
    > algorithm selection is
    > > > completely different that A=2345 in SRP.  Also 
    > N=initiatorName in CHAP
    > is
    > > > totally different than N=5678 in SRP.   It would be much 
    > easier if the
    > > text
    > > > command parser didn't have to consider what 
    > authentication method was
    > > > running and that all key values were unique.  Thus I 
    > propose making the
    > > > following name changes to CHAP and SRP key values.  I'm not too
    > concerned
    > > > about the exact key names used, just that they are 
    > somewhat descriptive
    > > and
    > > > unique.
    > > >
    > > > CHAP Key Values
    > > >
    > > > Old         New
    > > > ---         --------
    > > > A           ChapAlgorithm
    > > > I           ChapID
    > > > N           ChapUser
    > > > C           ChapChallenge
    > > > R           ChapResponse
    > > >
    > > > SRP Key Values
    > > >
    > > > Old             New
    > > > ---             ---
    > > > U               SrpUser
    > > > N               SrpSafePrime
    > > > g               SrpGenerator
    > > > s               SrpSalt
    > > > A               SrpPubKeyA
    > > > B               SrpPubKeyB
    > > > M               SrpSessionKey
    > > > HM              SrpKeyProof
    > > >
    > > > Paul
    > > >
    > > > +------------------------------------------+
    > > > Paul Congdon
    > > > HP ProCurve Networking
    > > > Hewlett Packard Company
    > > > 8000 Foothills Blvd - M/S 5662
    > > > Roseville, CA   95747
    > > > phone: 916-785-5753
    > > > email: paul_congdon@hp.com
    > > > +------------------------------------------+
    > > >
    > > > -----Original Message-----
    > > > From: John Hufferd [mailto:hufferd@us.ibm.com]
    > > > Sent: Tuesday, September 18, 2001 6:22 PM
    > > > To: Julian Satran; Ofer_Biran/Haifa/IBM%IBMUS; mbakke@cisco.com;
    > > > jtseng@NishanSystems.com
    > > > Cc: ips@ece.cmu.edu
    > > > Subject: iSCSI: U=<user> in Authentication
    > > >
    > > > Folks,
    > > > I think we should indicate in the Security section of the 
    > document how
    > > the
    > > > security Authentication process might validate that the 
    > iSCSI Initiator
    > > > Name sent in the Initial Login, has something approprate 
    > to do with the
    > > > "user" being authenticated.  (Otherwise, you could 
    > authenticate a user
    > > and
    > > > that user could claim/use any iSCSI Initiator Name in the 
    > InitiatorName
    > > > key=value pair.
    > > >
    > > > It is kind of obvious how to relate the U=<user> to the approprate
    > iSCSI
    > > > Initiator Name (in the case of SRP), and little less 
    > obvious with Chap,
    > > > though I think it would be the N=<N> parameter.  However, 
    > it is really
    > > not
    > > > obvious when using Kerberos, and SPKM.
    > > >
    > > > It also should be possible for the initiator not to send another
    > UserID,
    > > if
    > > > the Security Data Base the customer uses can support the iSCSI
    > Initiator
    > > > Name as a UserID.  That is, it should be possible for the U=<user>
    > > > parameter not to be sent,and have that  imply  the value 
    > of <user> is
    > the
    > > > iSCSI Initiator Node Name entered previously as a value in the
    > > InitiaorName
    > > > key=value pair. Same way with the N=<N> in Chap.
    > > >
    > > > However, it is not clear, how you do similar things with 
    > Kerberos, and
    > > > SPKM.
    > > >
    > > > What do you folks think about this, and how should we document it?
    > > >
    > > > .
    > > > .
    > > > .
    > > > John L. Hufferd
    > > > Senior Technical Staff Member (STSM)
    > > > IBM/SSG San Jose Ca
    > > > Main Office (408) 256-0403, Tie: 276-0403,  eFax: (408) 904-4688
    > > > Home Office (408) 997-6136
    > > > Internet address: hufferd@us.ibm.com
    > 
    > 
    > 
    


Home

Last updated: Thu Sep 20 21:17:20 2001
6651 messages in chronological order