|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] RE: iSCSI: security questionsOfer, Thanks for the info. Please see my comments below. Regards, Lee Xing Crossroads Systems, Inc. ============================= Lee, Sorry if I wasn't clear enough. All I was trying to say is that the statement "the connection closes if either side requires authentication and no mutually acceptable algorithm can be agreed upon" is OK since "requires authentication" for the initiator means that he doesn't offer "none", and "requires authentication" for the target means that he is not ready to accept "none". The example you gave is acceptable (as the iSCSI login examples) but doesn't pass the "if either side requires authentication" condition, so closing of connection is not implied by it. + Let's consider a Login Phase Example: + + I-> Login (CSG,NSG=0,1 T=1) + ... + AuthMethod=KRB5,SRP,none + + T-> Login-PR (CSG,NSG=0,1 T=1) + ... + AuthMethod=none + + does "CSG=0" mean that the initiator "requires + authentication"? If it does, is "none" in Login + AuthMethod list a legal value to have? If it is, + is "none" in Login-PR AuthMethod list a legal value + to have even though the target "requires authentication"? + If it is, should the connection closes, or should the + initiator continue with next Login Stage? If it + should continue with next Login Stage, then should + we reword the paragraph in SEC-IPS v.04? + Regards, Ofer Ofer Biran Storage and Systems Technology IBM Research Lab in Haifa biran@il.ibm.com 972-4-8296253 "Lee Xing" <lxing@Crossroads.com>@ece.cmu.edu on 14/11/2001 17:17:41 Please respond to "Lee Xing" <lxing@Crossroads.com> Sent by: owner-ips@ece.cmu.edu To: <ips@ece.cmu.edu> cc: Subject: RE: iSCSI: security questions Ofer, Thanks for the info. Please see my comments bellow. Regards, Lee Crossroads Systems, Inc. ================ Q3: SEC-IPS v.04, page 11 "Negotiation between Initiator and Target is used to determine which authentication algorithm to use (or whether to use one at all); the connection closes if either side requires authentication and no mutually acceptable algorithm can be agreed upon" The question is whether "none" is considered as an "acceptable algorithm". In other words, if initiator asks "AuthMethod=KRB5,SRP,none" during login, and target answers "AuthMethod=none", should the connection be closed, or should the initiator continue with LoginOperationalNegotiation stage? If latter is acceptable, should we reword the last sentence like "...and no mutually acceptable algorithm or "none" can be agreed upon"? + "if either side requires authentication" rules out your example, + because by suggesting "none" and choosing "none" no side required + authentication. # In iSCSI v.08, there are quite a few Login Phase # Examples which use "AuthMethod=KRB5,SRP,...,none". # I'm not sure which one (the Login Phase Examples, or # your comments) is more appropriate.
Home Last updated: Thu Nov 15 13:17:53 2001 7821 messages in chronological order |