SORT BY:

LIST ORDER
THREAD
AUTHOR
SUBJECT


SEARCH

IPS HOME


    [Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

    iSCSI: CHAP



    
    Julian:
    
    Section 10.5 is written in terms of initiator and target, rather
    than originator and responder as in section 7.2.1.  I believe this
    is intentional (i.e., that section 10.5 is NOT supposed to be
    written in terms of originator and responder).
    
    Because the use of CHAP in Appendix C is illustrated only with
    the initiator offering the AuthMethod key, I would like to verify
    that the following is a correct security negotiation sequence
    when it is the target, not the initiator, that first offers the
    AuthMethod key (this scenario ignores the other keys that may be
    required, such as InitiatorName, TargetName, etc., and assumes
    they are sent as required):
    
    1.  I-> Login (CSG,NSG=0,1 T=1) no AuthMethod key
    2.  T-> Login-PR (CSG,NSG=0,0 T=0) AuthMethod=CHAP,SRP
    3a. I-> Login (CSG,NSG=0,0 T=0) AuthMethod=CHAP
    4a. T-> Login-PR (CSG,NSG=0,0 T=0) CHAP_A=4,5,7
    5a. I-> Login (CSG,NSG=0,0 T=0) CHAP_A=5
    6a. T-> Login-PR (CSG,NSG=0,0 T=0) CHAP_I=<i1> CHAP_C=<c1>
    7a. I-> Login (CSG,NSG=0,1 T=1) CHAP_N=<n1> CHAP_R=<r1>
    8a. T-> Login-FR (CSG,NSG=0,1 T=1) no keys
    and security negotiation phase is now completed successfully
    
    In particular, the first challenge, in step 6 above, always has to
    be from the Target to the Initiator.  Is this correct?
    
    Is it possible or preferable or required to collapse steps 3 through
    6 above into just 2 steps?
    
    3b. I-> Login (CSG,NSG=0,0 T=0) AuthMethod=CHAP CHAP_A=4,5,7
    4b. T-> Login-PR (CSG,NSG=0,0 T=0) CHAP_A=5 CHAP_I=<i1> CHAP_C=<c1>
    and then the next step would be 7.
    
    This would have the effect of having the target offer the security
    method (CHAP,SRP) but the initiator offering the algorithm (4,5,7).
    Is this allowed?
    
    
    As written above, Step 7a does not perform target authentication.
    To do so, this step would be rewritten as:
    
    7b. I-> Login (CSG,NSG=0,0 T=0) CHAP_N=<n1> CHAP_R=<r1> CHAP_I=<i1> CHAP_C=<c2>
    
    in which case the continuation would then be:
    
    8b. T-> Login-FR (CSG,NSG=0,1 T=1) CHAP_N=<n2> CHAP_R=<r2>
    
    One final question -- although the target can force authentication as
    shown above, and thereby gets to challenge the initiator, there appears
    to be no way the target can force the initiator to challenge it.
    In other words, if the initiator sends 7a above (no target challenge),
    and the target wanted to see 7b, there is nothing the target can do
    except send back a Login-Reject.  Correct?
    
    If this is correct, what Status code should be in the Login-Reject?
    It cannot be 0201 Authentication Failure, because the initiator may
    have been successfully authenticated.  Is the correct response Status
    0202 Authorization Failure or Status 0200 Miscellaneous iSCSI initiator
    error or does it matter?
    
    Thank you.
    
    Bob Russell
    InterOperability Lab
    University of New Hampshire
    rdr@iol.unh.edu
    603-862-3774
    
    


Home

Last updated: Sun Aug 04 05:18:56 2002
11529 messages in chronological order