|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] RE: iSCSI: security questionsLee, Sorry if I wasn't clear enough. All I was trying to say is that the statement "the connection closes if either side requires authentication and no mutually acceptable algorithm can be agreed upon" is OK since "requires authentication" for the initiator means that he doesn't offer "none", and "requires authentication" for the target means that he is not ready to accept "none". The example you gave is acceptable (as the iSCSI login examples) but doesn't pass the "if either side requires authentication" condition, so closing of connection is not implied by it. Regards, Ofer Ofer Biran Storage and Systems Technology IBM Research Lab in Haifa biran@il.ibm.com 972-4-8296253 "Lee Xing" <lxing@Crossroads.com>@ece.cmu.edu on 14/11/2001 17:17:41 Please respond to "Lee Xing" <lxing@Crossroads.com> Sent by: owner-ips@ece.cmu.edu To: <ips@ece.cmu.edu> cc: Subject: RE: iSCSI: security questions Ofer, Thanks for the info. Please see my comments bellow. Regards, Lee Crossroads Systems, Inc. ================ Q3: SEC-IPS v.04, page 11 "Negotiation between Initiator and Target is used to determine which authentication algorithm to use (or whether to use one at all); the connection closes if either side requires authentication and no mutually acceptable algorithm can be agreed upon" The question is whether "none" is considered as an "acceptable algorithm". In other words, if initiator asks "AuthMethod=KRB5,SRP,none" during login, and target answers "AuthMethod=none", should the connection be closed, or should the initiator continue with LoginOperationalNegotiation stage? If latter is acceptable, should we reword the last sentence like "...and no mutually acceptable algorithm or "none" can be agreed upon"? + "if either side requires authentication" rules out your example, + because by suggesting "none" and choosing "none" no side required + authentication. # In iSCSI v.08, there are quite a few Login Phase # Examples which use "AuthMethod=KRB5,SRP,...,none". # I'm not sure which one (the Login Phase Examples, or # your comments) is more appropriate.
Home Last updated: Wed Nov 14 13:17:41 2001 7815 messages in chronological order |