|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] RE: iSCSI: 7.2.1 CHAP Considerations (12-98)Yes, my intent was to modify the draft text to include the "essential condition" described below. --David > -----Original Message----- > From: Steve Senum [mailto:ssenum@cisco.com] > Sent: Wednesday, June 12, 2002 6:14 PM > To: Black_David@emc.com > Cc: ips@ece.cmu.edu > Subject: Re: iSCSI: 7.2.1 CHAP Considerations (12-98) > > > David, > > What you state would be better, but that is > not what the current text (as of 12-98) says. > > Steve Senum > > Black_David@emc.com wrote: > > > > I think the essential condition here is that the > > "do not continue if secret is shorter than 96 bits" > > criteria should apply only to implementations that > > know and use the secret (i.e., generators of CHAP > > responses, and recipients of those responses that > > do their own verification as opposed to outsourcing > > that verification to something like a RADIUS server). > > > > Thanks, > > --David > > --------------------------------------------------- > > David L. Black, Senior Technologist > > EMC Corporation, 42 South St., Hopkinton, MA 01748 > > +1 (508) 249-6449 *NEW* FAX: +1 (508) 497-8500 > > black_david@emc.com Cell: +1 (978) 394-7754 > > --------------------------------------------------- > > > > > -----Original Message----- > > > From: Steve Senum [mailto:ssenum@cisco.com] > > > Sent: Wednesday, June 12, 2002 3:58 PM > > > To: Julian Satran > > > Cc: ietf-ips > > > Subject: Re: iSCSI: 7.2.1 CHAP Considerations (12-98) > > > > > > > > > Julian, > > > > > > In the case where an iSCSI Target is authenticating > > > an iSCSI Initiator, the Target sends a CHAP > > > challenge and identifier, and the Initiator sends > > > back a CHAP response and username. > > > > > > In the case were the Target is using the RADIUS > > > protocol, these four pieces of information are > > > sent by the Target to a RADIUS server, which > > > simply gives an accept or reject reply. The target > > > never has access to the CHAP secret (which is good), > > > hence no check can be made on its length. > > > > > > Regards, > > > Steve Senum > > > > > > Julian Satran wrote: > > > > > > > > can you elaborate? Julo > > > > > > > > Steve Senum <ssenum@cisco.com> > > > > Sent by: owner-ips@ece.cmu.edu To: ietf-ips > > > > <ips@ece.cmu.edu> > > > > 06/12/2002 09:32 PM cc: > > > > Please respond to Steve Senum Subject: > > > iSCSI: 7.2.1 CHAP > > > > Considerations (12-98) > > > > > > > > > > > > > > > > I have a concern over the wording of the > > > > following text from section 7.2.1 (12-98 version): > > > > > > > > When CHAP is used with secret shorter than 96 bits, > > > > a compliant implementation MUST NOT continue with > > > > the login unless it can verify that IPsec encryption > > > > is being used to protect the connection. > > > > > > > > I know the above is attempt to "put some teeth" into > > > > the requirements to make the use of CHAP secure, > > > > but I believe there are common cases where the > > > > length of the CHAP secret cannot be verified, such > > > > as when a RADIUS server is being used. > > > > > > > > Regards, > > > > Steve Senum > > > >
Home Last updated: Thu Jun 13 05:19:11 2002 10748 messages in chronological order |