Re: iSCSI: keys/parameter dependence

To: Steve Senum <ssenum@cisco.com>
Subject: Re: iSCSI: keys/parameter dependence
From: Bill Studenmund <wrstuden@wasabisystems.com>
Date: Tue, 28 Jan 2003 11:15:40 -0800 (PST)
Cc: "Robert D. Russell" <rdr@io.iol.unh.edu>, Julian Satran <Julian_Satran@il.ibm.com>, <ips@ece.cmu.edu>
Content-Type: TEXT/PLAIN; charset=US-ASCII
In-Reply-To: <3E36A7B0.98D52B8D@cisco.com>
Sender: owner-ips@ece.cmu.edu

On Tue, 28 Jan 2003, Steve Senum wrote:

> Bob Russell,
>
> I think allowing keys to be distributed over several PDUs
> breaks the curent CHAP authentication sequence.  Consider:
>
>     I->T: CHAP_A=<A1,A2...>
>
>     T->I: CHAP_A=<A> CHAP_I=<I> CHAP_C=<C>
>
>     I->T: CHAP_N=<N> CHAP_R=<R>
>     OR
>     I->T: CHAP_N=<N> CHAP_R=<R> CHAP_I=<I> CHAP_C=<C>
>
> The target does not know how many keys to expect,
> so it would not know when the step is complete.
>
> I don't really see the point of allowing this anyway,
> as the user can already spread keys out over several PDUs
> with the C (Continue) bit.

Note that for CHAP we shouldn't need the C bit, since even with
CHAP_[ICNR] in one PDU, it should be less than 8k.

I also agree that we should not relax security negotiations here. Keeping
them rigid helps them complete quickly and clearly.

> I would however like to the see the key ordering issue
> clarified in the final edit, if possible.

That would be good.

Take care,

Bill

References:
- Re: iSCSI: keys/parameter dependence
  - From: Steve Senum <ssenum@cisco.com>

Prev by Date: RE: Ciphersuites for IKEv2
Next by Date: RE: iSCSI: keys/parameter dependence
Prev by thread: Re: iSCSI: keys/parameter dependence
Next by thread: Re: iSCSI: keys/parameter dependence
Index(es):
- Date
- Thread

Home

Last updated: Tue Jan 28 22:19:01 2003
12270 messages in chronological order