Re: does iSCSI support CHAP challenges at random intervals?

Dean-

Re-authenticating a connection using CHAP is not allowed in iSCSI. However, the same thing can be accomplished by doing a relogin. If an initiator wants to re-authenticate, it can open a new iSCSI connection to replace the old one, then phase out the old one. If a target wants to re-authenticate, it can use the async message to request that the initiator log out of the connection within a certain period of time.

This will work differently depending on whether single- or multiple-connection sessions are supported, but (at least with disk) can be made to work well in both cases.

- Mark

Dean Scoville wrote:
>
> The CHAP RFC (RFC 1994) allows the authenticator to send a new challenge to the peer at random intervals. I don't see any mention of this in the IPS Security document or the iSCSI Draft. In the iSCSI Draft, the CHAP keys are discussed in section 10 with regard to the Security Stage of Login, but are not mentioned in full feature phase. As far as iSCSI is concerned, is CHAP authentication a one-time occurrence during login, or are new challenges also allowed/expected at random intervals during the life of the connection?
>
> If re-authentication is allowed, then an example would be helpful in the text (target initiates authentication via async msg requesting parameter negotiation, then issues CHAP_I CHAP_C challenge in response to empty text request pdu; or initiator initiates authentication via text request containing CHAP_A key, etc...). If it is not allowed, perhaps we should explicitly state this in the iSCSI draft and/or IPS Security document, since it is a difference between iSCSI usage of CHAP and that allowed by the RFC.
>
> thanks,
> Dean Scoville
> QLogic

--
Mark A. Bakke
Cisco Systems
mbakke@cisco.com
763.398.1054
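The relogin flow Mark describes, as an added worked example (editor's illustration, not code from this thread, from the iSCSI draft, or from any vendor): CHAP is done once per connection during the Login security stage; when the target wants to re-authenticate it sends an async logout request, the initiator opens a new connection that goes through a fresh CHAP exchange, and only then is the old connection logged out. The CHAP computation follows RFC 1994 with MD5, Response = MD5(Identifier || Secret || Challenge), Identifier being one octet. The text-key names CHAP_A/CHAP_I/CHAP_C/CHAP_N/CHAP_R, the "0x..." hex encoding, the shape of the async message dictionary and the initiator name and secret are all assumptions made for the example; the shared secret is constructed and not a real credential.

```python
"""Added example: iSCSI re-authentication by relogin rather than in-band CHAP re-challenge.

Assumed encodings: CHAP_A/CHAP_I/CHAP_C/CHAP_N/CHAP_R login keys with "0x..." hex values.
The async message is modelled as a plain dict; real PDU layout is not reproduced.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional, Set, Tuple

CHAP_MD5 = 5  # RFC 1994 algorithm number for CHAP with MD5


def hexenc(data: bytes) -> str:
    return "0x" + data.hex()


def hexdec(text: str) -> bytes:
    if not text.startswith("0x"):
        raise ValueError("expected 0x-prefixed hex value")
    return bytes.fromhex(text[2:])


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 MD5 CHAP: MD5(Identifier || Secret || Challenge), Identifier is one octet."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class Target:
    """Minimal target-side state: one outstanding CHAP challenge per connection being
    logged in, plus the set of connections that reached Full Feature Phase."""

    def __init__(self, secrets: Dict[str, bytes]):
        self.secrets = secrets                                  # initiator name -> secret
        self.pending: Dict[int, Tuple[int, bytes]] = {}         # cid -> (identifier, challenge)
        self.connections: Set[int] = set()                      # cids in Full Feature Phase
        self.next_ident = 0

    def challenge(self, cid: int) -> Dict[str, str]:
        """Login security stage: target emits a fresh identifier and random challenge."""
        ident = self.next_ident
        self.next_ident = (self.next_ident + 1) % 256           # Identifier is a single octet
        chal = os.urandom(16)
        self.pending[cid] = (ident, chal)
        return {"CHAP_A": str(CHAP_MD5), "CHAP_I": str(ident), "CHAP_C": hexenc(chal)}

    def verify(self, cid: int, answer: Dict[str, str]) -> bool:
        """Check CHAP_N/CHAP_R against this connection's outstanding challenge.
        The challenge is consumed whether or not the answer is right, so a captured
        response cannot be replayed and there is nothing to re-challenge later."""
        state: Optional[Tuple[int, bytes]] = self.pending.pop(cid, None)
        if state is None:
            return False
        ident, chal = state
        secret = self.secrets.get(answer.get("CHAP_N", ""))
        if secret is None:
            return False
        expected = chap_response(ident, secret, chal)
        if not hmac.compare_digest(expected, hexdec(answer["CHAP_R"])):
            return False
        self.connections.add(cid)
        return True

    def request_logout(self, cid: int, seconds: int) -> Dict[str, object]:
        """Async message: target asks the initiator to log this connection out within `seconds`."""
        return {"AsyncEvent": "logout-request", "CID": cid, "Time": seconds}

    def logout(self, cid: int) -> None:
        self.connections.discard(cid)


def initiator_answer(keys: Dict[str, str], name: str, secret: bytes) -> Dict[str, str]:
    """Initiator side of the security stage: answer the target's CHAP_I/CHAP_C."""
    if int(keys["CHAP_A"]) != CHAP_MD5:
        raise ValueError("unsupported CHAP algorithm")
    resp = chap_response(int(keys["CHAP_I"]), secret, hexdec(keys["CHAP_C"]))
    return {"CHAP_N": name, "CHAP_R": hexenc(resp)}


def reauthenticate(target: Target, name: str, secret: bytes, old_cid: int, new_cid: int) -> bool:
    """Target-driven re-authentication as a relogin: async logout request, new connection
    with a fresh CHAP exchange, then retire the old connection. On failure the old
    connection is left alone so the initiator can still honour the logout request itself."""
    req = target.request_logout(old_cid, seconds=30)
    if req["CID"] != old_cid:
        return False
    keys = target.challenge(new_cid)
    if not target.verify(new_cid, initiator_answer(keys, name, secret)):
        return False
    target.logout(old_cid)
    return True
```

Usage: build a `Target` with a name-to-secret map, call `challenge`/`verify` for the first login, then `reauthenticate` to replace the connection; the old CHAP response is never accepted again because each login consumes its own challenge.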