|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] iSCSI: CHAPJulian: Section 10.5 is written in terms of initiator and target, rather than originator and responder as in section 7.2.1. I believe this is intentional (i.e., that section 10.5 is NOT supposed to be written in terms of originator and responder). Because the use of CHAP in Appendix C is illustrated only with the initiator offering the AuthMethod key, I would like to verify that the following is a correct security negotiation sequence when it is the target, not the initiator, that first offers the AuthMethod key (this scenario ignores the other keys that may be required, such as InitiatorName, TargetName, etc., and assumes they are sent as required): 1. I-> Login (CSG,NSG=0,1 T=1) no AuthMethod key 2. T-> Login-PR (CSG,NSG=0,0 T=0) AuthMethod=CHAP,SRP 3a. I-> Login (CSG,NSG=0,0 T=0) AuthMethod=CHAP 4a. T-> Login-PR (CSG,NSG=0,0 T=0) CHAP_A=4,5,7 5a. I-> Login (CSG,NSG=0,0 T=0) CHAP_A=5 6a. T-> Login-PR (CSG,NSG=0,0 T=0) CHAP_I=<i1> CHAP_C=<c1> 7a. I-> Login (CSG,NSG=0,1 T=1) CHAP_N=<n1> CHAP_R=<r1> 8a. T-> Login-FR (CSG,NSG=0,1 T=1) no keys and security negotiation phase is now completed successfully In particular, the first challenge, in step 6 above, always has to be from the Target to the Initiator. Is this correct? Is it possible or preferable or required to collapse steps 3 through 6 above into just 2 steps? 3b. I-> Login (CSG,NSG=0,0 T=0) AuthMethod=CHAP CHAP_A=4,5,7 4b. T-> Login-PR (CSG,NSG=0,0 T=0) CHAP_A=5 CHAP_I=<i1> CHAP_C=<c1> and then the next step would be 7. This would have the effect of having the target offer the security method (CHAP,SRP) but the initiator offering the algorithm (4,5,7). Is this allowed? As written above, Step 7a does not perform target authentication. To do so, this step would be rewritten as: 7b. I-> Login (CSG,NSG=0,0 T=0) CHAP_N=<n1> CHAP_R=<r1> CHAP_I=<i1> CHAP_C=<c2> in which case the continuation would then be: 8b. T-> Login-FR (CSG,NSG=0,1 T=1) CHAP_N=<n2> CHAP_R=<r2> One final question -- although the target can force authentication as shown above, and thereby gets to challenge the initiator, there appears to be no way the target can force the initiator to challenge it. In other words, if the initiator sends 7a above (no target challenge), and the target wanted to see 7b, there is nothing the target can do except send back a Login-Reject. Correct? If this is correct, what Status code should be in the Login-Reject? It cannot be 0201 Authentication Failure, because the initiator may have been successfully authenticated. Is the correct response Status 0202 Authorization Failure or Status 0200 Miscellaneous iSCSI initiator error or does it matter? Thank you. Bob Russell InterOperability Lab University of New Hampshire rdr@iol.unh.edu 603-862-3774
Home Last updated: Sun Aug 04 05:18:56 2002 11529 messages in chronological order |