Re: iSCSI Inband authentication (SRP/CHAP) - proposed resolution
David,
Just two comments (being on a trip, it went to the list too fast for
me):
1.
"If the CHAP shared secret is weaker than 96 bits of cryptographic
randomness..."
All this par. actually tells you what to do when you disobey the
SHOULD in the par. above... ("the CHAP shared secret SHOULD
represent a cryptographically random quantity...") maybe it's OK
(because there are MUSTs here) but it's a bit unusual. This makes
it look like we accept this alternative way, so maybe that SHOULD
can go away (i.e., either 96/random or these IPsec conditions).
2.
"In order to provide mutual authentication and protect against rogue
Targets, CHAP authentication SHOULD be done in both directions..."
Mutual authentication is optional to use for all authentication
methods, and I don't see any reason to enforce it only in CHAP. This
is a change, it is not related to the CHAP problems discussed, and
I would not put it in suddenly now.
Regards,
Ofer
Ofer Biran
Storage and Systems Technology
IBM Research Lab in Haifa
biran@il.ibm.com 972-4-8296253
Last updated: Wed May 22 11:18:36 2002