RE: iSCSI Inband authentication (SRP/CHAP) - proposed resolution

Responding to Milan's concern, let me know if I get any of the paraphrasing wrong:

[Milan Merhar]: It looks like the requirement for ESP to protect a CHAP exchange with a weak secret requires the entire resulting iSCSI session to be encrypted and use ESP integrity.

Close enough; I think it's just that connection and only integrity. The encryption can probably be removed by negotiating a new SA that doesn't encrypt and deleting the old one, but that still requires ESP integrity.

Just deleting the SA doesn't work reliably because it could easily result in black-holing packets. IKE has no way to check whether the other side will accept unprotected packets for this TCP connection, and if it won't, then deletion of the SA results in the packets being discarded. I think this consequence is in the category of "ignoring a SHOULD can have severe consequences". There are doubtless ways to avoid these consequences via discovery info handed out by SLP and/or iSNS, but I can't see modifying those protocols to help out implementers who ignore a SHOULD.

Thanks,
--David

---------------------------------------------------
David L. Black, Senior Technologist
EMC Corporation, 42 South St., Hopkinton, MA 01748
+1 (508) 249-6449 *NEW* FAX: +1 (508) 497-8500
black_david@emc.com Cell: +1 (978) 394-7754
---------------------------------------------------