
    Re: Auth method negotiation



    Hi
    
    I am sorry for the typo but I cut and paste from the spec. In the spec on 
    page 245 for example it says
    If the initiator authentication is successful, the target proceeds:
    T- Login (CSG,NSG=0,1 T=1)
    I- Login (CSG,NSG=1,0 T=0)
    ... iSCSI parameters
    T- Login (CSG,NSG=1,0 T=0)
    ... iSCSI parameters
    
    I did a search and there are several other 1,0 transitions in the spec.
    
    Anyway what I meant was what Bill interpreted it to be which was
    Login (CSG,NSG=0,1 T=1)
    InitiatorName=iqn.1999-07.com.os.hostid.77
    TargetName=iqn.1999-07.com.acme.diskarray.sn.88
    AuthMethod=KRB5,SRP,CHAP,None
    
    and the target replying
    T- Login-PR (CSG,NSG=0,1 T=1)
    AuthMethod=CHAP
    
    and then my other questions hopefully make more sense.
    
    Thanks
    Chirag
    
    
    
    
    
    At 01:14 PM 6/21/02, Bill Studenmund wrote:
    >On Fri, 21 Jun 2002, Chirag Wighe wrote:
    >
    > > Hi
    > >
    > > In section 10.4 in Draft v13 it says
    > > "The AuthMethod selection is followed by an "authentication exchange"
    > > specific to the authentication method selected. "
    > > Should the "is" be replaced by a "MUST" for any AuthMethod selection other
    > > than "None"?
    >
    >Probably, though we could eliminate the "None" bit as there is no
    >authentication exchange for "None."
    >
    > > As an example closely related to one in the Appendix.
    > > If the login begins as
    > >
    > > I- Login (CSG,NSG=0,1 T=1)
    > > InitiatorName=iqn.1999-07.com.os.hostid.77
    > > TargetName=iqn.1999-07.com.acme.diskarray.sn.88
    > > AuthMethod=KRB5,SRP,CHAP,None
    > >
    > > And the target chooses CHAP.
    > > One question that I have is whether choosing CHAP implies the statement in
    > > section 4.3
    > > "Targets MUST NOT submit parameters that require an additional initiator
    > > login request in a login response with the T bit set to 1."
    > > So if the target chooses CHAP,  does it imply that it expects a CHAP_A
    > > response and is not permitted to set the T bit to one even if the target is
    > > not interested in authenticating the initiator.
    > > So is the following reply illegal?
    > > T- Login-PR (CSG,NSG=1,0 T=1)
    > > AuthMethod=CHAP
    >
    >Note: you had CSG=0 in the request, but you had CSG=1 in the reply. Yes,
    >it's illegal. :-)
    >
    > > If the above is not illegal, then if the initiator is also not interested
    > > in authenticating the target, can the initiator transition to the next
    > > stage.
    >
    >I'm not sure, but I think so. If the response were CSG,NSG=0,1, then I
    >think that's fine. Note that the initiator set the T bit, indicating it
    >isn't interested in the target authenticating itself.  If the target also
    >doesn't care about authentication, then the target knows they both don't
    >want to authenticate. Thus it's safe to transition.
    >
    > > I realize that the above problem might only be a syntactic one as the
    > > proper ordering of Auth Methods in the requests sent by the initiator not
    > > interested in Authentication would be for None to precede other options and
    > > the target will then choose None if it is also not interested in
    > > authentication either.
    >
    >Hmmm...
    >
    >I'm not sure. What does everyone else think? If the T bits indicate that
    >both sides are fine with skipping authentication, does AuthMethods matter?
    >
    >Take care,
    >
    >Bill
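
The login exchange discussed in this thread, as an added example that is not part of the original messages or of the iSCSI draft: a small parser for the thread's PDU shorthand and a checker for a target's reply. Only the CSG-mismatch finding comes from Bill's reply; the NSG-ordering and offer-membership checks are assumptions about the login rules, and the T=1-with-CHAP case is reported as the question the thread leaves open, not as a verdict.

```python
import re

# Shorthand used in the thread: "T- Login-PR (CSG,NSG=0,1 T=1)" then key=value lines.
HEADER = re.compile(
    r"^(?P<side>[IT])- Login(?:-PR)? \(CSG,NSG=(?P<csg>\d),(?P<nsg>\d) T=(?P<t>[01])\)$")

def parse_pdu(text):
    """Parse one login PDU written in the thread's shorthand into a dict."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    m = HEADER.match(lines[0])
    if not m:
        raise ValueError(f"unrecognised header: {lines[0]!r}")
    pdu = {k: int(m[k]) for k in ("csg", "nsg", "t")}
    pdu["side"] = m["side"]
    pdu["keys"] = dict(ln.split("=", 1) for ln in lines[1:])
    return pdu

def check_response(request, response):
    """Return findings for a target response, in the order the checks run."""
    findings = []
    # Bill's reply: CSG=0 in the request with CSG=1 in the reply is illegal.
    if response["csg"] != request["csg"]:
        findings.append("illegal: response CSG differs from request CSG")
    # Assumption: NSG only matters when T=1 and must name a later stage.
    if response["t"] == 1 and response["nsg"] <= response["csg"]:
        findings.append("illegal: NSG is not a later stage than CSG")
    # Assumption: the target may only pick a value from the initiator's list.
    offered = request["keys"].get("AuthMethod", "").split(",")
    chosen = response["keys"].get("AuthMethod")
    if chosen is not None and chosen not in offered:
        findings.append("illegal: AuthMethod not in the initiator's offer")
    # Left unresolved in the thread: T=1 together with a method such as CHAP.
    if chosen not in (None, "None") and response["t"] == 1:
        findings.append("open question: T=1 with a method that has an exchange")
    return findings

# PDUs copied from the thread's shorthand.
REQUEST = """I- Login (CSG,NSG=0,1 T=1)
InitiatorName=iqn.1999-07.com.os.hostid.77
TargetName=iqn.1999-07.com.acme.diskarray.sn.88
AuthMethod=KRB5,SRP,CHAP,None"""
REPLY_AS_POSTED = "T- Login-PR (CSG,NSG=1,0 T=1)\nAuthMethod=CHAP"
REPLY_CORRECTED = "T- Login-PR (CSG,NSG=0,1 T=1)\nAuthMethod=CHAP"

if __name__ == "__main__":
    req = parse_pdu(REQUEST)
    for name, reply in (("as posted", REPLY_AS_POSTED), ("corrected", REPLY_CORRECTED)):
        print(name, check_response(req, parse_pdu(reply)))
```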
    
    
    



Last updated: Sat Jun 22 15:18:47 2002