RE: iSCSI Inband authentication (SRP/CHAP) - proposed resolution

[Black_David@emc.com]

Responding to Milan's concern, let me know if I get any of the
paraphrasing wrong:

[Milan Merhar]: It looks like the requirement for ESP to protect a CHAP
	exchange with a weak secret requires the entire resulting iSCSI
	session to be encrypted and use ESP integrity.

Close enough; I think it's just that connection and only integrity.
The encryption can probably be removed by negotiating a new SA that
doesn't encrypt and deleting the old one, but that still requires
ESP integrity.  Just deleting the SA doesn't work reliably because
it could easily result in black-holing packets.  IKE has no way to
check whether the other side will accept unprotected packets for
this TCP connection, and if it won't, then deletion of the SA
results in the packets being discarded.

I think this consequence is in the category of "ignoring a SHOULD
can have severe consequences".  There are doubtless ways to avoid
these consequences via discovery info handed out by SLP and/or iSNS,
but I can't see modifying those protocols to help out implementers
who ignore a SHOULD.

Thanks,
--David
---------------------------------------------------
David L. Black, Senior Technologist
EMC Corporation, 42 South St., Hopkinton, MA  01748
+1 (508) 249-6449 *NEW*      FAX: +1 (508) 497-8500
black_david@emc.com         Cell: +1 (978) 394-7754
---------------------------------------------------