RE: iSCSI: security questions

To: <ips@ece.cmu.edu>
Subject: RE: iSCSI: security questions
From: "Lee Xing" <lxing@Crossroads.com>
Date: Wed, 14 Nov 2001 11:51:45 -0600
content-class: urn:content-classes:message
Content-Transfer-Encoding: 8bit
Content-Type: text/plain;charset="iso-8859-1"
Disposition-Notification-To: "Lee Xing" <lxing@Crossroads.com>
Sender: owner-ips@ece.cmu.edu
Thread-Index: AcFtKEDcNWze4gUwSqiUB8rbPfVeGwAAY31w
Thread-Topic: iSCSI: security questions

Ofer,

Thanks for the info.  Please see my comments below.

Regards,


Lee Xing
Crossroads Systems, Inc.
=============================
Lee,

Sorry if I wasn't clear enough. All I was trying to say is
that the statement "the connection closes if either side requires
authentication and no mutually acceptable algorithm can be agreed upon"
is OK since "requires authentication" for the initiator means that he
doesn't offer "none", and "requires authentication" for the target
means that he is not ready to accept "none". The example you gave
is acceptable (as the iSCSI login examples) but doesn't pass the
"if either side requires authentication" condition, so closing
of connection is not implied by it.

+ Let's consider a Login Phase Example:
+
+ I-> Login (CSG,NSG=0,1 T=1)
+     ...
+     AuthMethod=KRB5,SRP,none
+
+ T-> Login-PR (CSG,NSG=0,1 T=1)
+     ...
+     AuthMethod=none
+            
+ does "CSG=0" mean that the initiator "requires
+ authentication"?  If it does, is "none" in Login 
+ AuthMethod list a legal value to have?  If it is,
+ is "none" in Login-PR AuthMethod list a legal value
+ to have even though the target "requires authentication"?
+ If it is, should the connection closes, or should the
+ initiator continue with next Login Stage?  If it 
+ should continue with next Login Stage, then should
+ we reword the paragraph in SEC-IPS v.04?
+ 


  Regards,
    Ofer

Ofer Biran
Storage and Systems Technology
IBM Research Lab in Haifa
biran@il.ibm.com  972-4-8296253


"Lee Xing" <lxing@Crossroads.com>@ece.cmu.edu on 14/11/2001 17:17:41

Please respond to "Lee Xing" <lxing@Crossroads.com>

Sent by:  owner-ips@ece.cmu.edu


To:   <ips@ece.cmu.edu>
cc:
Subject:  RE: iSCSI: security questions



Ofer,

Thanks for the info.  Please see my comments bellow.

Regards,


Lee
Crossroads Systems, Inc.

================
Q3:
SEC-IPS v.04, page 11 "Negotiation between Initiator and Target is used
to determine which authentication algorithm to use (or whether to use
one at all); the connection closes if either side requires
authentication and no mutually acceptable algorithm can be agreed upon"

The question is whether "none" is considered as an "acceptable
algorithm".  In other words, if initiator asks
"AuthMethod=KRB5,SRP,none" during login, and target answers
"AuthMethod=none", should the connection be closed, or should the
initiator continue with LoginOperationalNegotiation stage?  If latter is
acceptable, should we reword the last sentence like "...and no mutually
acceptable algorithm or "none" can be agreed upon"?

+ "if either side requires authentication" rules out your example,
+ because by suggesting "none" and choosing "none" no side required
+ authentication.

# In iSCSI v.08, there are quite a few Login Phase
# Examples which use "AuthMethod=KRB5,SRP,...,none".
# I'm not sure which one (the Login Phase Examples, or
# your comments) is more appropriate.

Prev by Date: Re: iSCSI: data and data sequences for Read
Next by Date: RE: Application for port-number (3260)
Prev by thread: RE: iSCSI: security questions
Next by thread: RE: iSCSI: security questions
Index(es):
- Date
- Thread

Home

Last updated: Thu Nov 15 13:17:53 2001
7821 messages in chronological order