Re: iSCSI: U=<user> in Authentication

To: ietf-ips <ips@ece.cmu.edu>
Subject: Re: iSCSI: U=<user> in Authentication
From: Steve Senum <ssenum@cisco.com>
Date: Wed, 19 Sep 2001 17:27:08 -0500
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=us-ascii
References: <499DC368E25AD411B3F100902740AD6507779045@xrose03.rose.hp.com>
Sender: owner-ips@ece.cmu.edu

I don't think it should be possible to omit
the usernames for AuthMethods SRP and CHAP.

On the SRP and CHAP key names, I am mostly netural,
though I would prefer ChapId instead of ChapID.
Since they are AuthMethod specific though, I don't
really see the need to change them.

Steve Senum

"CONGDON,PAUL (HP-Roseville,ex1)" wrote:
> 
> I agree that more clarification regarding how to associate SCSI Names with
> user identities should be provided.  I'm not sure if I agree that it should
> be possible to omit the names entirely - however.  This would provide
> another optional way to approach the exchange (may provide or may not) which
> adds complexity to this portion of the code, more test cases, more
> unnecessary options, etc..  As you've mentioned it may also be different
> depending upon the authentication method in use. There is certainly room for
> improvement here.
> 
> I have a bit of a gripe about the key=value pairs during authentication
> phase in general.  First of all, the key names are not very descriptive,
> which defeats the purpose of using Text keys in the first place (in my
> opinion).  Secondly and more importantly, there are key values that are not
> unique and depend upon what authentication method is in progress in order to
> decode/parse them.  For example, A=5 in CHAP for algorithm selection is
> completely different that A=2345 in SRP.  Also N=initiatorName in CHAP is
> totally different than N=5678 in SRP.   It would be much easier if the text
> command parser didn't have to consider what authentication method was
> running and that all key values were unique.  Thus I propose making the
> following name changes to CHAP and SRP key values.  I'm not too concerned
> about the exact key names used, just that they are somewhat descriptive and
> unique.
> 
> CHAP Key Values
> 
> Old         New
> ---         --------
> A           ChapAlgorithm
> I           ChapID
> N           ChapUser
> C           ChapChallenge
> R           ChapResponse
> 
> SRP Key Values
> 
> Old             New
> ---             ---
> U               SrpUser
> N               SrpSafePrime
> g               SrpGenerator
> s               SrpSalt
> A               SrpPubKeyA
> B               SrpPubKeyB
> M               SrpSessionKey
> HM              SrpKeyProof
> 
> Paul
> 
> +------------------------------------------+
> Paul Congdon
> HP ProCurve Networking
> Hewlett Packard Company
> 8000 Foothills Blvd - M/S 5662
> Roseville, CA   95747
> phone: 916-785-5753
> email: paul_congdon@hp.com
> +------------------------------------------+
> 
> -----Original Message-----
> From: John Hufferd [mailto:hufferd@us.ibm.com]
> Sent: Tuesday, September 18, 2001 6:22 PM
> To: Julian Satran; Ofer_Biran/Haifa/IBM%IBMUS; mbakke@cisco.com;
> jtseng@NishanSystems.com
> Cc: ips@ece.cmu.edu
> Subject: iSCSI: U=<user> in Authentication
> 
> Folks,
> I think we should indicate in the Security section of the document how the
> security Authentication process might validate that the iSCSI Initiator
> Name sent in the Initial Login, has something approprate to do with the
> "user" being authenticated.  (Otherwise, you could authenticate a user and
> that user could claim/use any iSCSI Initiator Name in the InitiatorName
> key=value pair.
> 
> It is kind of obvious how to relate the U=<user> to the approprate iSCSI
> Initiator Name (in the case of SRP), and little less obvious with Chap,
> though I think it would be the N=<N> parameter.  However, it is really not
> obvious when using Kerberos, and SPKM.
> 
> It also should be possible for the initiator not to send another UserID, if
> the Security Data Base the customer uses can support the iSCSI Initiator
> Name as a UserID.  That is, it should be possible for the U=<user>
> parameter not to be sent,and have that  imply  the value of <user> is the
> iSCSI Initiator Node Name entered previously as a value in the InitiaorName
> key=value pair. Same way with the N=<N> in Chap.
> 
> However, it is not clear, how you do similar things with Kerberos, and
> SPKM.
> 
> What do you folks think about this, and how should we document it?
> 
> .
> .
> .
> John L. Hufferd
> Senior Technical Staff Member (STSM)
> IBM/SSG San Jose Ca
> Main Office (408) 256-0403, Tie: 276-0403,  eFax: (408) 904-4688
> Home Office (408) 997-6136
> Internet address: hufferd@us.ibm.com

References:
- RE: iSCSI: U=<user> in Authentication
  - From: "CONGDON,PAUL (HP-Roseville,ex1)" <paul_congdon@hp.com>

Prev by Date: Re: iSCSI - long key values
Next by Date: RE: iSCSI - long key values
Prev by thread: RE: iSCSI: U=<user> in Authentication
Next by thread: Re: iSCSI: U=<user> in Authentication
Index(es):
- Date
- Thread

Home

Last updated: Thu Sep 20 08:17:21 2001
6621 messages in chronological order