Re: iSCSI: keys/parameter dependence

Steve:

> I think allowing keys to be distributed over several PDUs
> breaks the current CHAP authentication sequence. Consider:
>
> I->T: CHAP_A=<A1,A2...>
>
> T->I: CHAP_A=<A> CHAP_I=<I> CHAP_C=<C>
>
> I->T: CHAP_N=<N> CHAP_R=<R>
> OR
> I->T: CHAP_N=<N> CHAP_R=<R> CHAP_I=<I> CHAP_C=<C>
>
> The target does not know how many keys to expect,
> so it would not know when the step is complete.

Not exactly. As soon as it receives both CHAP_N=<N> and CHAP_R=<R>, regardless of whether it has CHAP_I=<I> or CHAP_C=<C>, the target can immediately authenticate the initiator. If that fails, it can immediately send a Login reject.

If that authentication succeeds, then the target sees what it has. If it has both CHAP_I and CHAP_C then it replies with CHAP_N and CHAP_R. If it has only one of CHAP_I and CHAP_C, but not both, it replies with an empty login response and waits for a login request containing the missing CHAP_I or CHAP_C. If it has neither CHAP_I nor CHAP_C, then it looks at the T bit. If the T bit is 1, the initiator is requesting a transition out of security negotiation phase with this PDU, which means it is not intending to send either CHAP_I or CHAP_C in the future. In this case, the target accepts the transition and the security negotiation stage is finished. On the other hand, if the T bit is 0, the initiator MAY (or MAY NOT) intend to send the CHAP_I or CHAP_C in later PDUs, so the target replies with a Login response containing no keys, and waits to receive further information from the initiator.

Although this seems like a lot of combinatorics, it really isn't, because the end of the security stage is always and only indicated by the initiator sending the T bit = 1 and the target replying with the T bit = 1. Presence or absence of the CHAP keys just cause "step" transitions within the security negotiation stage.
I believe the "step" in question is really 2 steps: the step that ends when the target receives CHAP_N and CHAP_R, at which point it completes its initiator authentication, and the step that follows that one, which ends when the target receives the T bit = 1, at which point, if it has received CHAP_I and CHAP_C then it replies with CHAP_N and CHAP_R, and if it has not received CHAP_I and CHAP_C, then it replies with no keys. In both cases, it accepts the transition out of security negotiation by replying with T bit = 1.

Bob Russell
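As an added illustration (not code from this thread or from any iSCSI implementation), the following toy Python model walks through the target-side decision logic Bob describes: keys accumulate across Login Request PDUs, initiator authentication completes as soon as CHAP_N and CHAP_R are both present, and the reply then depends on which of CHAP_I/CHAP_C have arrived and on the T bit. Initiator and target names, secrets and challenge bytes are constructed sample values; the handling of a PDU carrying only one of CHAP_N/CHAP_R (empty response, keep waiting) is my assumption, since the message does not cover it.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


def chap_response(chap_id: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP (RFC 1994) response value: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([chap_id & 0xFF]) + secret + challenge).digest()


@dataclass
class Target:
    """Target side of the security negotiation stage, driven by accumulated keys and the T bit."""
    secrets: dict            # initiator name -> shared secret (constructed sample values)
    target_name: str
    target_secret: bytes     # used to answer the initiator's CHAP_I/CHAP_C (mutual auth)
    chap_i: int              # CHAP_I the target sent in its earlier response
    chap_c: bytes            # CHAP_C the target sent in its earlier response
    keys: dict = field(default_factory=dict)   # keys seen so far, across all PDUs
    initiator_ok: bool = False
    stage_done: bool = False

    def receive(self, pdu_keys: dict, t_bit: int) -> dict:
        """Process one Login Request; return the Login Response (status, keys, T bit)."""
        self.keys.update(pdu_keys)
        # Step 1 ends as soon as both CHAP_N and CHAP_R have arrived, whatever else is present.
        if not self.initiator_ok:
            if not all(k in self.keys for k in ("CHAP_N", "CHAP_R")):
                return {"status": "ok", "keys": {}, "T": 0}      # assumption: wait for the rest
            secret = self.secrets.get(self.keys["CHAP_N"])
            expected = chap_response(self.chap_i, secret, self.chap_c) if secret else None
            if expected is None or not hmac.compare_digest(self.keys["CHAP_R"], expected):
                return {"status": "reject", "keys": {}, "T": 0}  # immediate Login reject
            self.initiator_ok = True
        # Step 2: what the target has decides the reply; only T=1 ends the stage.
        have_i, have_c = "CHAP_I" in self.keys, "CHAP_C" in self.keys
        if have_i and have_c:      # initiator wants mutual authentication: answer it
            reply = {"CHAP_N": self.target_name,
                     "CHAP_R": chap_response(self.keys["CHAP_I"], self.target_secret,
                                             self.keys["CHAP_C"])}
        elif have_i or have_c:     # half a pair: empty response, wait for the missing key
            return {"status": "ok", "keys": {}, "T": 0}
        else:                      # neither key: T=1 means the initiator will not send them
            reply = {}
        if t_bit == 1:
            self.stage_done = True
        return {"status": "ok", "keys": reply, "T": t_bit}
```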