SORT BY:

LIST ORDER
THREAD
AUTHOR
SUBJECT


SEARCH

IPS HOME


    [Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

    RE: iSCSI: 7.2.1 CHAP Considerations (12-98)



    Yes, my intent was to modify the draft text to include the
    "essential condition" described below.  --David
    
    > -----Original Message-----
    > From: Steve Senum [mailto:ssenum@cisco.com]
    > Sent: Wednesday, June 12, 2002 6:14 PM
    > To: Black_David@emc.com
    > Cc: ips@ece.cmu.edu
    > Subject: Re: iSCSI: 7.2.1 CHAP Considerations (12-98)
    > 
    > 
    > David,
    > 
    > What you state would be better, but that is
    > not what the current text (as of 12-98) says.
    > 
    > Steve Senum
    > 
    > Black_David@emc.com wrote:
    > > 
    > > I think the essential condition here is that the
    > > "do not continue if secret is shorter than 96 bits"
    > > criteria should apply only to implementations that
    > > know and use the secret (i.e., generators of CHAP
    > > responses, and recipients of those responses that
    > > do their own verification as opposed to outsourcing
    > > that verification to something like a RADIUS server).
    > > 
    > > Thanks,
    > > --David
    > > ---------------------------------------------------
    > > David L. Black, Senior Technologist
    > > EMC Corporation, 42 South St., Hopkinton, MA  01748
    > > +1 (508) 249-6449 *NEW*      FAX: +1 (508) 497-8500
    > > black_david@emc.com         Cell: +1 (978) 394-7754
    > > ---------------------------------------------------
    > > 
    > > > -----Original Message-----
    > > > From: Steve Senum [mailto:ssenum@cisco.com]
    > > > Sent: Wednesday, June 12, 2002 3:58 PM
    > > > To: Julian Satran
    > > > Cc: ietf-ips
    > > > Subject: Re: iSCSI: 7.2.1 CHAP Considerations (12-98)
    > > >
    > > >
    > > > Julian,
    > > >
    > > > In the case where an iSCSI Target is authenticating
    > > > an iSCSI Initiator, the Target sends a CHAP
    > > > challenge and identifier, and the Initiator sends
    > > > back a CHAP response and username.
    > > >
    > > > In the case were the Target is using the RADIUS
    > > > protocol, these four pieces of information are
    > > > sent by the Target to a RADIUS server, which
    > > > simply gives an accept or reject reply.  The target
    > > > never has access to the CHAP secret (which is good),
    > > > hence no check can be made on its length.
    > > >
    > > > Regards,
    > > > Steve Senum
    > > >
    > > > Julian Satran wrote:
    > > > >
    > > > > can you elaborate? Julo
    > > > >
    > > > >   Steve Senum <ssenum@cisco.com>
    > > > >   Sent by: owner-ips@ece.cmu.edu         To:        ietf-ips
    > > > >                                  <ips@ece.cmu.edu>
    > > > >   06/12/2002 09:32 PM                    cc:
    > > > >   Please respond to Steve Senum          Subject:
    > > > iSCSI: 7.2.1 CHAP
    > > > >                                  Considerations (12-98)
    > > > >
    > > > >
    > > > >
    > > > > I have a concern over the wording of the
    > > > > following text from section 7.2.1 (12-98 version):
    > > > >
    > > > >    When CHAP is used with secret shorter than 96 bits,
    > > > >    a compliant implementation MUST NOT continue with
    > > > >    the login unless it can verify that IPsec encryption
    > > > >    is being used to protect the connection.
    > > > >
    > > > > I know the above is attempt to "put some teeth" into
    > > > > the requirements to make the use of CHAP secure,
    > > > > but I believe there are common cases where the
    > > > > length of the CHAP secret cannot be verified, such
    > > > > as when a RADIUS server is being used.
    > > > >
    > > > > Regards,
    > > > > Steve Senum
    > > >
    > 
    


Home

Last updated: Thu Jun 13 05:19:11 2002
10748 messages in chronological order