
    RE: iSCSI extension algorithms (was no subject)



    On Thu, 16 Jan 2003 Black_David@emc.com wrote:
    
    > It is also the case that in the absence of explicit administrative
    > action, an implementation MUST NOT default to extension
    > algorithms or to extension algorithms plus "None", and that in
    > the absence of explicit administrative action, CHAP SHOULD be
    > offered if an extension algorithm is offered.
    
    But without administrative action (either to add CHAP names and
    passphrases or to configure a RADIUS server), how can we offer CHAP?
    
    To paraphrase Julian's other message, are we trying to make interoperable
    implementations, or interoperable administrators? If the administrator
    won't be interoperable, what should we do?
    
    
    
    My concern is that the text we're talking about would make our
    implementation not compliant.
    
    The way we do security is you tie an authentication entry (which matches
    an AUTH_MIB entry) describing an initiator to a target; that permits an
    initiator (or initiators) with a matching name to use the target, if
    security succeeds. The list of security methods the target will accept is
    the union of security credentials in the auth entry. If there's a CHAP
    entry, the target will do CHAP. If there's a None entry, we'll skip
    security. If there's a Kerberos entry, we'll do Kerberos. If X-com.bar.foo
    gets added and there's a X-com.bar.foo entry, we'll do X-com.bar.foo. We
    of course then look at what the initiator wants to do, and we go with the
    first one the initiator wants that is acceptable to us.
    
    The point is that we won't do any form of security, neither ones listed in
    the iSCSI draft nor ones added later, unless the administrator
    specifically told us to.
    
    So what do we do if the only credential in the entry is for X-com.bar.foo?
    If it's there, it's there because the administrator put it there. If
    nothing else is there, then the admin chose not to add anything else. We
    can't do CHAP or anything else, since we don't have the credentials.
    
    Would we be violating the spec if we didn't do CHAP in that case?
    
    Take care,
    
    Bill
    
    
    
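The selection rule Bill describes (the target accepts exactly the union of methods it holds credentials for, then takes the first method the initiator asks for that is in that set) can be modelled in a few lines. The block below is an added example and not code from the thread or from any iSCSI implementation; `AuthEntry`, `select_auth_method` and `policy_warnings` are hypothetical names, and the sample entries and iqn names are constructed. It also adds a defender-side check for the configurations David's text singles out: an extension algorithm configured without CHAP, or together with "None".

```python
# Added example, not from the thread: a model of the target-side AuthMethod
# choice described above. AuthEntry and the helper names are hypothetical.
from dataclasses import dataclass

# AuthMethod values named in the iSCSI draft; extension values carry an "X-" prefix.
STANDARD_METHODS = {"CHAP", "KRB5", "SPKM1", "SPKM2", "SRP", "None"}


def is_extension(method):
    """Extension algorithms are identified by the X- prefix (e.g. X-com.bar.foo)."""
    return method.startswith("X-")


@dataclass(frozen=True)
class AuthEntry:
    """Ties a set of initiator names to a target, plus the credentials the admin added.

    credentials maps a method name to its credential material; only the keys matter here.
    """
    target: str
    initiator_names: frozenset
    credentials: dict


def acceptable_methods(entry):
    """The target accepts exactly the methods it holds credentials for, nothing more."""
    return set(entry.credentials)


def select_auth_method(entry, initiator_name, initiator_prefs):
    """Return the first initiator-preferred method the target accepts.

    None means no common method: the security negotiation stage of login fails.
    """
    if initiator_name not in entry.initiator_names:
        return None
    acceptable = acceptable_methods(entry)
    for method in initiator_prefs:
        if method in acceptable:
            return method
    return None


def policy_warnings(entry):
    """Flag configured entries that conflict with the quoted SHOULD/MUST NOT text."""
    methods = acceptable_methods(entry)
    extensions = {m for m in methods if is_extension(m)}
    warnings = []
    if extensions and "CHAP" not in methods:
        warnings.append("extension algorithm offered without CHAP")
    if extensions and "None" in methods:
        warnings.append("extension algorithm offered together with None")
    unknown = {m for m in methods if m not in STANDARD_METHODS and not is_extension(m)}
    if unknown:
        warnings.append("unrecognised AuthMethod values: %s" % sorted(unknown))
    return warnings


# Constructed sample entries (names and secrets are placeholders).
TARGET = "iqn.2003-01.com.example:storage.tgt1"
INITIATOR = "iqn.2003-01.com.example:host.init1"

ENTRY_CHAP_AND_NONE = AuthEntry(
    TARGET, frozenset({INITIATOR}),
    {"CHAP": {"user": "init1", "secret": "placeholder"}, "None": {}},
)

# Bill's case: the administrator configured only the extension algorithm.
ENTRY_EXTENSION_ONLY = AuthEntry(
    TARGET, frozenset({INITIATOR}),
    {"X-com.bar.foo": {"key": "placeholder"}},
)

if __name__ == "__main__":
    print(select_auth_method(ENTRY_CHAP_AND_NONE, INITIATOR, ["KRB5", "CHAP", "None"]))
    print(select_auth_method(ENTRY_EXTENSION_ONLY, INITIATOR, ["CHAP"]))
    print(policy_warnings(ENTRY_EXTENSION_ONLY))
```

With the extension-only entry, an initiator that proposes only CHAP gets no common method and the login fails, which is the situation Bill asks about; `policy_warnings` reports that entry so an administrator can decide whether to add CHAP credentials rather than the target silently falling back to something it has no credentials for.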

