RE: iSCSI: security questions
Lee,
Sorry if I wasn't clear enough. All I was trying to say is
that the statement "the connection closes if either side requires
authentication and no mutually acceptable algorithm can be agreed upon"
is OK since "requires authentication" for the initiator means that he
doesn't offer "none", and "requires authentication" for the target
means that he is not ready to accept "none". The example you gave
is acceptable (as the iSCSI login examples) but doesn't pass the
"if either side requires authentication" condition, so closing
of connection is not implied by it.
Regards,
Ofer
Ofer Biran
Storage and Systems Technology
IBM Research Lab in Haifa
biran@il.ibm.com 972-4-8296253
"Lee Xing" <lxing@Crossroads.com>@ece.cmu.edu on 14/11/2001 17:17:41
Please respond to "Lee Xing" <lxing@Crossroads.com>
Sent by: owner-ips@ece.cmu.edu
To: <ips@ece.cmu.edu>
cc:
Subject: RE: iSCSI: security questions
Ofer,
Thanks for the info. Please see my comments below.
Regards,
Lee
Crossroads Systems, Inc.
================
Q3:
SEC-IPS v.04, page 11 "Negotiation between Initiator and Target is used
to determine which authentication algorithm to use (or whether to use
one at all); the connection closes if either side requires
authentication and no mutually acceptable algorithm can be agreed upon"
The question is whether "none" is considered as an "acceptable
algorithm". In other words, if initiator asks
"AuthMethod=KRB5,SRP,none" during login, and target answers
"AuthMethod=none", should the connection be closed, or should the
initiator continue with LoginOperationalNegotiation stage? If the latter is
acceptable, should we reword the last sentence like "...and no mutually
acceptable algorithm or "none" can be agreed upon"?
+ "if either side requires authentication" rules out your example,
+ because by suggesting "none" and choosing "none" no side required
+ authentication.
# In iSCSI v.08, there are quite a few Login Phase
# Examples which use "AuthMethod=KRB5,SRP,...,none".
# I'm not sure which one (the Login Phase Examples, or
# your comments) is more appropriate.
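
The reading of "requires authentication" given in this thread can be written as a small decision function. This is an added example, not part of the original messages or of the iSCSI drafts; the function names are hypothetical, and it assumes the target picks the first value in the initiator's list that it accepts.

```python
# Added example: models the interpretation discussed in this thread.
# Function names are hypothetical; sample offers below are constructed.
NONE = "none"

def parse_auth_offer(text):
    """Parse a login key such as 'AuthMethod=KRB5,SRP,none' into an ordered list."""
    key, sep, value = text.strip().partition("=")
    if key != "AuthMethod" or not sep or not value:
        raise ValueError(f"not an AuthMethod key=value pair: {text!r}")
    methods = [m.strip() for m in value.split(",")]
    if any(not m for m in methods):
        raise ValueError(f"empty method name in {text!r}")
    return methods

def requires_auth(methods):
    """A side 'requires authentication' when 'none' is absent from its list."""
    return NONE not in methods

def negotiate(initiator_offer, target_accepts):
    """Return (outcome, method); outcome is 'authenticate', 'skip-auth' or 'close'."""
    offered = parse_auth_offer(initiator_offer)
    # Assumption: the target selects the first offered value it accepts.
    chosen = next((m for m in offered if m in target_accepts), None)
    if chosen is None:
        # No common value means at least one side left out 'none', so that
        # side requires authentication and the connection closes.
        assert requires_auth(offered) or requires_auth(target_accepts)
        return ("close", None)
    if chosen == NONE:
        # Both sides listed 'none': neither required authentication,
        # so login continues without an authentication exchange.
        return ("skip-auth", NONE)
    return ("authenticate", chosen)

if __name__ == "__main__":
    cases = [
        ("AuthMethod=KRB5,SRP,none", {"none"}),   # the example from Q3
        ("AuthMethod=KRB5,SRP", {"none"}),        # initiator requires auth
        ("AuthMethod=none", {"KRB5", "SRP"}),     # target requires auth
        ("AuthMethod=KRB5,SRP,none", {"SRP", "none"}),
    ]
    for offer, accepts in cases:
        print(offer, sorted(accepts), "->", negotiate(offer, accepts))
```

Under this reading, an initiator that must authenticate its target leaves `none` out of its offer, because listing it means the target is free to select it.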
Last updated: Wed Nov 14 13:17:41 2001