RE: Regarding CSG and NSG

On Thu, 25 Jul 2002, BURBRIDGE,MATTHEW (HP-UnitedKingdom,ex2) wrote:

> Sajjan,
>
> It depends whether the initiator has its T bit set. If T=0 then the
> initiator is saying that it is security phase and is not yet ready to move
> to the next phase (NSG=ignore: if T=0, NSG is reserved). This implies that
> it does want to negotiate security (i.e. authentication). If T=1, it says
> that it has no more security to negotiate and is ready to move to
> operational phase (as NSG=1) when the target says it's ready. In the latter
> of these two options (T=1,CSG=0,NSG=1) then the initiator is giving the
> target chance to start authentication.
>
> Alternatively, if the initiator does not want to negotiate security it can
> set CSG=1 in the initial login. This removes one message exchange if the
> target does not want to negotiate security but runs the risk of receiving a
> login failure if the target does want to negotiate security. If it wants to
> negotiate parameters then: T=0,CSG=1,NSG=reserved. If it does not want to
> negotiate text parameters then T=1, CSG=1, NSG=3.

??

If the initiator has a simple set of text parameters to negotiate (it has keys to offer and it offers them all at once; no keys that it waits for other keys on) it can offer all its keys and T=1, CSG=1, NSG=3. The negotiation can then close in one round trip with all keys negotiated.

> In your example I am presuming that T=1 in 1). which is fine. Initiator is
> giving the target the opportunity to negotiate security but does not wish to
> start it itself. In 2), the T bit MUST be 0 as it can not be the final
> login response. The target is informing the initiator that it is happy to
> enter operational phase (CSG=1). As the T bit must be 0 in 2) NSG =
> reserved.
>
> 1) Suppose the initiator sets T=1, CSG = 0 and NSG = 1 in login
> request, and says requires no authentication.
>
> 2) Can the target set the CSG = 1 and NSG = full feature phase, in its
> login response? NO
>
> It should be
>
> 2) Can the target set the T=0, CSG = 1 and NSG = reserved, in its login
> response?

Uhm, I think that one's wrong too. The target is supposed to return CSG == the CSG in the login request. So if the initiator had CSG=0 (line 1), then the target can't say CSG=1.

Take care,

Bill
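
The stage-field rules argued over in this thread, as an added example that is not part of the original messages: a checker that decodes the login flags byte of a request/response pair and reports any breach of "response CSG equals request CSG", "NSG is reserved when T=0", and "NSG names a later stage when T=1". The bit positions assume the RFC 3720 Login PDU layout (T=0x80, CSG in bits 3-2, NSG in bits 1-0); the function names are hypothetical, and treating a non-zero reserved NSG as a finding is a choice made for this example.

```python
# Added illustration, not code from the thread or from any iSCSI implementation.
# Assumed layout (RFC 3720 Login PDU, byte 1): T=0x80, CSG=bits 3-2, NSG=bits 1-0.
from typing import List, NamedTuple

STAGES = {0: "SecurityNegotiation",
          1: "LoginOperationalNegotiation",
          3: "FullFeaturePhase"}


class LoginFlags(NamedTuple):
    t: bool    # transit bit
    csg: int   # current stage
    nsg: int   # next stage, meaningful only when t is set


def decode_flags(byte1: int) -> LoginFlags:
    """Split byte 1 of a Login Request/Response into T, CSG and NSG."""
    return LoginFlags(bool(byte1 & 0x80), (byte1 >> 2) & 0x3, byte1 & 0x3)


def check_stage_fields(f: LoginFlags, who: str) -> List[str]:
    """Checks that apply to one PDU on its own."""
    problems = []
    if f.csg not in (0, 1):
        problems.append(f"{who}: CSG={f.csg} is not a negotiation stage")
    if f.t:
        # With T=1 the sender proposes a move, so NSG must name a later stage.
        if f.nsg not in STAGES or f.nsg <= f.csg:
            problems.append(f"{who}: T=1 with NSG={f.nsg} is not a stage after CSG={f.csg}")
    elif f.nsg != 0:
        # With T=0 the field is reserved; a non-zero value is reported here.
        problems.append(f"{who}: T=0 but NSG={f.nsg}; NSG is reserved when T=0")
    return problems


def check_exchange(req_byte1: int, rsp_byte1: int) -> List[str]:
    """Check one login request/response pair against the thread's rules."""
    req, rsp = decode_flags(req_byte1), decode_flags(rsp_byte1)
    problems = check_stage_fields(req, "request") + check_stage_fields(rsp, "response")
    if rsp.csg != req.csg:
        # Bill's point: the target returns the CSG it was given.
        problems.append(f"response: CSG={rsp.csg} does not echo request CSG={req.csg}")
    return problems


if __name__ == "__main__":
    # Constructed bytes: request T=1,CSG=0,NSG=1 (0x81); response T=0,CSG=1 (0x04).
    for line in check_exchange(0x81, 0x04):
        print(line)
```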