
    Re: Auth method negotiation



    On Fri, 21 Jun 2002, Chirag Wighe wrote:
    
    > Hi
    >
    > In section 10.4 in Draft v13 it says
    > "The AuthMethod selection is followed by an "authentication exchange"
    > specific to the authentication method selected. "
    > Should the "is" be replaced by a "MUST" for any AuthMethod selection other
    > than "None"?
    
    Probably, though we could eliminate the "None" bit as there is no
    authentication exchange for "None."
    
    > As an example closely related to one in the Appendix.
    > If the login begins as
    >
    > I- Login (CSG,NSG=0,1 T=1)
    > InitiatorName=iqn.1999-07.com.os.hostid.77
    > TargetName=iqn.1999-07.com.acme.diskarray.sn.88
    > AuthMethod=KRB5,SRP,CHAP,None
    >
    > And the target chooses CHAP.
    > One question that I have is whether choosing CHAP implies the statement in
    > section 4.3
    > "Targets MUST NOT submit parameters that require an additional initiator
    > login request in a login response with the T bit set to 1."
    > So if the target chooses CHAP, does it imply that it expects a CHAP_A
    > response and is not permitted to set the T bit to one even if the target is
    > not interested in authenticating the initiator?
    > So is the following reply illegal?
    > T- Login-PR (CSG,NSG=1,0 T=1)
    > AuthMethod=CHAP
    
    Note: you had CSG=0 in the request, but you had CSG=1 in the reply. Yes,
    it's illegal. :-)
    
    > If the above is not illegal, then if the initiator is also not interested
    > in authenticating the target, can the initiator transition to the next stage?
    
    I'm not sure, but I think so. If the response were CSG,NSG=0,1, then I
    think that's fine. Note that the initiator set the T bit, indicating it
    isn't interested in the target authenticating itself.  If the target also
    doesn't care about authentication, then the target knows they both don't
    want to authenticate. Thus it's safe to transition.
    
    > I realize that the above problem might only be a syntactic one as the
    > proper ordering of Auth Methods in the requests sent by the initiator not
    > interested in Authentication would be for None to precede other options and
    > the target will then choose None if it is also not interested in
    > authentication either.
    
    Hmmm...
    
    I'm not sure. What does everyone else think? If the T bits indicate that
    both sides are fine with skipping authentication, does AuthMethods matter?
    
    Take care,
    
    Bill
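
Added example, not part of the original message: a small checker for login PDUs written in the thread's shorthand, of the kind used to review captured login exchanges for a skipped authentication step. It flags the CSG mismatch Bill points out and, as an assumption, applies the strict reading of the quoted section 4.3 text that the thread leaves open; the finding names and the two extra replies are constructed.

```python
import re

# Header shorthand used in this thread, e.g. "I- Login (CSG,NSG=0,1 T=1)".
HEADER = re.compile(r"^([IT])-\s+\S+\s+\(CSG,NSG=(\d),(\d)\s+T=([01])\)$")

def parse_pdu(text):
    """Parse one login PDU in the thread's shorthand into a dict."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    m = HEADER.match(lines[0])
    if not m:
        raise ValueError("unrecognised header: " + lines[0])
    keys = dict(ln.split("=", 1) for ln in lines[1:])
    return {"csg": int(m.group(2)), "nsg": int(m.group(3)),
            "t": int(m.group(4)), "keys": keys}

def check_response(req, rsp):
    """Return findings for a target login response to an initiator request."""
    findings = []
    # The response must be in the stage the request named (Bill's CSG note).
    if rsp["csg"] != req["csg"]:
        findings.append("csg-mismatch")
    offered = req["keys"].get("AuthMethod", "").split(",")
    chosen = rsp["keys"].get("AuthMethod")
    # List negotiation: the target may only pick a value the initiator offered.
    if chosen is not None and chosen not in offered:
        findings.append("authmethod-not-offered")
    # ASSUMPTION: strict reading of the quoted section 4.3 text. A method other
    # than None still needs its authentication exchange, so T=1 is flagged.
    if chosen not in (None, "None") and rsp["t"] == 1:
        findings.append("t-bit-before-auth-exchange")
    return findings

# Constructed samples: the request and reply quoted in the thread, plus two
# hypothetical replies for comparison.
REQUEST = parse_pdu("""I- Login (CSG,NSG=0,1 T=1)
InitiatorName=iqn.1999-07.com.os.hostid.77
TargetName=iqn.1999-07.com.acme.diskarray.sn.88
AuthMethod=KRB5,SRP,CHAP,None""")
REPLY_IN_THREAD = parse_pdu("T- Login-PR (CSG,NSG=1,0 T=1)\nAuthMethod=CHAP")
REPLY_CSG_FIXED = parse_pdu("T- Login-PR (CSG,NSG=0,1 T=1)\nAuthMethod=CHAP")
REPLY_NONE = parse_pdu("T- Login-PR (CSG,NSG=0,1 T=1)\nAuthMethod=None")

if __name__ == "__main__":
    for name in ("REPLY_IN_THREAD", "REPLY_CSG_FIXED", "REPLY_NONE"):
        print(name, check_response(REQUEST, globals()[name]))
```
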
    
    



Last updated: Fri Jun 21 19:18:39 2002