Re: iSCSI: Kerb auth issue 1 - checksum

["Ofer Biran" <BIRAN@il.ibm.com>]

>> According to RFC1510 the server Kerberos implementation should
>> maintain a cache of client name/timestamp for a window of the
>> the allowable clock skew, this prevents a replay usage of
>> the authenticator. Telnet does not bind the connection either,
>> just the negotiation result (against m-i-m).

>I'm sorry, are you saying we don't need this?

In telnet m-i-m can take them down to no-encryption when the
negotiation result would have been encryption. Here there is
no negotiation result of that sort (well, we could have protected
the AuthMethod negotiation itself, against being taken down from
CHAP to Kerberos :-) but as I said with no IPsec m-i-m can hijack
the connection after login anyway.

For binding initiator/target/sessison_id/connection_id as you
suggested - the cache of client name/timestamp protects against
replaying the authenticator. Relying on such binding for not
implementing the cache (i.e., I already have this
sessison_id/connection_id from that initiator active, so it's a
replay) has a replay risk in scenario of connection time shorter
than the allowable clock skew of the authenticator timestamp
(beside going against RFC1510 requirements).


  Happy Chrismass !

   Ofer


Ofer Biran
Storage and Systems Technology
IBM Research Lab in Haifa
biran@il.ibm.com  972-4-8296253