
    RE: iSCSI: security questions


    • To: <ips@ece.cmu.edu>
    • Subject: RE: iSCSI: security questions
    • From: "Lee Xing" <lxing@Crossroads.com>
    • Date: Wed, 14 Nov 2001 11:51:45 -0600
    • Sender: owner-ips@ece.cmu.edu

    Ofer,
    
    Thanks for the info.  Please see my comments below.
    
    Regards,
    
    
    Lee Xing
    Crossroads Systems, Inc.
    =============================
    Lee,
    
    Sorry if I wasn't clear enough. All I was trying to say is
    that the statement "the connection closes if either side requires
    authentication and no mutually acceptable algorithm can be agreed upon"
    is OK since "requires authentication" for the initiator means that he
    doesn't offer "none", and "requires authentication" for the target
    means that he is not ready to accept "none". The example you gave
    is acceptable (as are the iSCSI login examples) but doesn't pass the
    "if either side requires authentication" condition, so closing
    of the connection is not implied by it.
    
    + Let's consider a Login Phase Example:
    +
    + I-> Login (CSG,NSG=0,1 T=1)
    +     ...
    +     AuthMethod=KRB5,SRP,none
    +
    + T-> Login-PR (CSG,NSG=0,1 T=1)
    +     ...
    +     AuthMethod=none
    +            
    + does "CSG=0" mean that the initiator "requires
    + authentication"?  If it does, is "none" in Login 
    + AuthMethod list a legal value to have?  If it is,
    + is "none" in Login-PR AuthMethod list a legal value
    + to have even though the target "requires authentication"?
    + If it is, should the connection close, or should the
    + initiator continue with the next Login Stage?  If it
    + should continue with the next Login Stage, then should
    + we reword the paragraph in SEC-IPS v.04?
    + 
    
    
      Regards,
        Ofer
    
    Ofer Biran
    Storage and Systems Technology
    IBM Research Lab in Haifa
    biran@il.ibm.com  972-4-8296253
    
    
    "Lee Xing" <lxing@Crossroads.com>@ece.cmu.edu on 14/11/2001 17:17:41
    
    Please respond to "Lee Xing" <lxing@Crossroads.com>
    
    Sent by:  owner-ips@ece.cmu.edu
    
    
    To:   <ips@ece.cmu.edu>
    cc:
    Subject:  RE: iSCSI: security questions
    
    
    
    Ofer,
    
    Thanks for the info.  Please see my comments below.
    
    Regards,
    
    
    Lee
    Crossroads Systems, Inc.
    
    ================
    Q3:
    SEC-IPS v.04, page 11 "Negotiation between Initiator and Target is used
    to determine which authentication algorithm to use (or whether to use
    one at all); the connection closes if either side requires
    authentication and no mutually acceptable algorithm can be agreed upon"
    
    The question is whether "none" is considered as an "acceptable
    algorithm".  In other words, if initiator asks
    "AuthMethod=KRB5,SRP,none" during login, and target answers
    "AuthMethod=none", should the connection be closed, or should the
    initiator continue with the LoginOperationalNegotiation stage?  If the latter is
    acceptable, should we reword the last sentence like "...and no mutually
    acceptable algorithm or "none" can be agreed upon"?
    
    + "if either side requires authentication" rules out your example,
    + because by suggesting "none" and choosing "none" no side required
    + authentication.
    
    # In iSCSI v.08, there are quite a few Login Phase
    # Examples which use "AuthMethod=KRB5,SRP,...,none".
    # I'm not sure which one (the Login Phase Examples, or
    # your comments) is more appropriate.
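The AuthMethod negotiation the two posters are arguing about, as an added example that is not code from the IPS drafts or from either poster. It encodes the reading Ofer gives: a side "requires authentication" exactly when it does not offer (initiator) or accept (target) the value "none", and the connection closes only when a side requires authentication and no mutually acceptable method can be agreed upon. The selection rule (the target answers with the first value in the initiator's preference-ordered list that it accepts, or "Reject" if none is acceptable), the lowercase spelling "none" and the `Reject` answer are assumptions taken from the exchange quoted above, not statements of the drafts.

```python
"""Model of the iSCSI Login Phase AuthMethod negotiation debated in the thread.

Added illustration, not code from the IPS drafts or from either poster. The
selection rule (first acceptable value from the initiator's list, else "Reject")
and the spellings "none"/"Reject" are assumptions taken from the thread.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence

NONE = "none"      # spelling used in the thread (assumption)
REJECT = "Reject"  # answer when no offered value is acceptable (assumption)


@dataclass(frozen=True)
class Outcome:
    answer: str   # value the target puts in its AuthMethod reply
    closes: bool  # True if the login fails and the connection closes
    reason: str


def parse_authmethod(keyvalue: str) -> List[str]:
    """Parse 'AuthMethod=KRB5,SRP,none' into ['KRB5', 'SRP', 'none']."""
    key, sep, value = keyvalue.partition("=")
    if key.strip() != "AuthMethod" or not sep or not value.strip():
        raise ValueError(f"not an AuthMethod key=value pair: {keyvalue!r}")
    methods = [v.strip() for v in value.split(",")]
    if any(m == "" for m in methods) or len(set(methods)) != len(methods):
        raise ValueError(f"malformed AuthMethod list: {value!r}")
    return methods


def requires_authentication(methods: Sequence[str]) -> bool:
    """Ofer's reading: a side requires authentication iff it does not list 'none'."""
    return NONE not in methods


def negotiate(initiator_offer: Sequence[str], target_accepts: Sequence[str]) -> Outcome:
    """Run one AuthMethod negotiation from the target's point of view."""
    for method in initiator_offer:  # the initiator's list is preference ordered
        if method in target_accepts:
            if method == NONE:
                # Neither side required authentication: this is Lee's example, and
                # the "connection closes" sentence of SEC-IPS does not apply to it.
                return Outcome(NONE, False,
                               "no authentication required by either side; "
                               "continue with the next login stage")
            return Outcome(method, False, f"authenticate with {method}")

    # No overlap. Two lists that both contain 'none' would have overlapped on
    # 'none', so reaching this point means at least one side requires authentication.
    assert requires_authentication(initiator_offer) or requires_authentication(target_accepts)
    return Outcome(REJECT, True,
                   "a side requires authentication and no mutually acceptable "
                   "algorithm was agreed upon; the connection closes")


def render_exchange(initiator_offer: Sequence[str], target_accepts: Sequence[str]) -> str:
    """Render the login exchange in the I-> / T-> style used in the thread."""
    outcome = negotiate(initiator_offer, target_accepts)
    return "\n".join([
        "I-> Login (CSG,NSG=0,1 T=1)",
        f"    AuthMethod={','.join(initiator_offer)}",
        "T-> Login-PR (CSG,NSG=0,1 T=1)",
        f"    AuthMethod={outcome.answer}",
        f"    [{outcome.reason}]",
    ])


if __name__ == "__main__":
    # Lee's example: the initiator offers KRB5,SRP,none and the target picks none.
    print(render_exchange(parse_authmethod("AuthMethod=KRB5,SRP,none"), ["none"]))
    print()
    # An initiator that does not offer none against a target that accepts only none.
    print(render_exchange(parse_authmethod("AuthMethod=KRB5,SRP"), ["none"]))
```

Running the block prints the two exchanges: the first continues to the next login stage with `AuthMethod=none`, the second answers `Reject` and closes, because the initiator required authentication by omitting "none". Whether the drafts should say so in those words is exactly Lee's open question; the model only makes the two readings concrete.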
    
    
    
    
    

