iSCSI: CHAP

To: ips@ece.cmu.edu
Subject: iSCSI: CHAP
From: "Robert D. Russell" <rdr@io.iol.unh.edu>
Date: Sat, 3 Aug 2002 10:43:23 -0400 (EDT)
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-ips@ece.cmu.edu


Julian:

Section 10.5 is written in terms of initiator and target, rather
than originator and responder as in section 7.2.1.  I believe this
is intentional (i.e., that section 10.5 is NOT supposed to be
written in terms of originator and responder).

Because the use of CHAP in Appendix C is illustrated only with
the initiator offering the AuthMethod key, I would like to verify
that the following is a correct security negotiation sequence
when it is the target, not the initiator, that first offers the
AuthMethod key (this scenario ignores the other keys that may be
required, such as InitiatorName, TargetName, etc., and assumes
they are sent as required):

1.  I-> Login (CSG,NSG=0,1 T=1) no AuthMethod key
2.  T-> Login-PR (CSG,NSG=0,0 T=0) AuthMethod=CHAP,SRP
3a. I-> Login (CSG,NSG=0,0 T=0) AuthMethod=CHAP
4a. T-> Login-PR (CSG,NSG=0,0 T=0) CHAP_A=4,5,7
5a. I-> Login (CSG,NSG=0,0 T=0) CHAP_A=5
6a. T-> Login-PR (CSG,NSG=0,0 T=0) CHAP_I=<i1> CHAP_C=<c1>
7a. I-> Login (CSG,NSG=0,1 T=1) CHAP_N=<n1> CHAP_R=<r1>
8a. T-> Login-FR (CSG,NSG=0,1 T=1) no keys
and security negotiation phase is now completed successfully

In particular, the first challenge, in step 6 above, always has to
be from the Target to the Initiator.  Is this correct?

Is it possible or preferable or required to collapse steps 3 through
6 above into just 2 steps?

3b. I-> Login (CSG,NSG=0,0 T=0) AuthMethod=CHAP CHAP_A=4,5,7
4b. T-> Login-PR (CSG,NSG=0,0 T=0) CHAP_A=5 CHAP_I=<i1> CHAP_C=<c1>
and then the next step would be 7.

This would have the effect of having the target offer the security
method (CHAP,SRP) but the initiator offering the algorithm (4,5,7).
Is this allowed?


As written above, Step 7a does not perform target authentication.
To do so, this step would be rewritten as:

7b. I-> Login (CSG,NSG=0,0 T=0) CHAP_N=<n1> CHAP_R=<r1> CHAP_I=<i1> CHAP_C=<c2>

in which case the continuation would then be:

8b. T-> Login-FR (CSG,NSG=0,1 T=1) CHAP_N=<n2> CHAP_R=<r2>

One final question -- although the target can force authentication as
shown above, and thereby gets to challenge the initiator, there appears
to be no way the target can force the initiator to challenge it.
In other words, if the initiator sends 7a above (no target challenge),
and the target wanted to see 7b, there is nothing the target can do
except send back a Login-Reject.  Correct?

If this is correct, what Status code should be in the Login-Reject?
It cannot be 0201 Authentication Failure, because the initiator may
have been successfully authenticated.  Is the correct response Status
0202 Authorization Failure or Status 0200 Miscellaneous iSCSI initiator
error or does it matter?

Thank you.

Bob Russell
InterOperability Lab
University of New Hampshire
rdr@iol.unh.edu
603-862-3774

Prev by Date: Re: iSCSI consensus calls
Next by Date: RE: Invalid Pdus received during Login phase
Prev by thread: Re: iSCSI consensus calls
Next by thread: Re: iSCSI: CHAP
Index(es):
- Date
- Thread

Home

Last updated: Sun Aug 04 05:18:56 2002
11529 messages in chronological order