RE: iSCSI Inband authentication (SRP/CHAP) - proposed resolution
Excerpt of message (sent 23 May 2002) by Black_David@emc.com:
> [... various snips to focus on the SA replacement issue ...]
>
> > > The encryption can probably be removed by negotiating a new SA that
> > > doesn't encrypt and deleting the old one, but that still requires
> > > ESP integrity.
> >
> > Could we have a more complete example of this (SA changing in
> > mid-stride)?
>
> It is literally as described - the sender sets up a new SA, and deletes
> the old one. These are done via IKE in the usual fashion.

Unfortunately, it's NOT the usual fashion. It would be extremely
unusual, to say the least, for an IPsec implementation to be willing
to offer both encrypted and unencrypted SAs to the same destination.
It is probably true that the protocol permits it, but as Milan pointed
out, IPsec implementers will give you very funny looks if you suggest
this to them.

paul
Last updated: Thu May 23 14:18:27 2002