Re: does iSCSI support CHAP challenges at random intervals?

["Julian Satran" <Julian_Satran@il.ibm.com>]

No - reauthentication was not considered.  Julo

"Dean Scoville" <dean.scoville@qlogic.com> Sent by: owner-ips@ece.cmu.edu 28/08/02 19:56

To:        <ips@ece.cmu.edu>         cc:                 Subject:        does iSCSI support CHAP challenges at random intervals?

The CHAP RFC (RFC 1994) allows the authenticator to send a new challenge to the peer at random intervals. I don't see any mention of this in the IPS Security document or the iSCSI Draft. In the iSCSI Draft, the CHAP keys are discussed in section 10 with regard to the Security Stage of Login, but are not mentioned in full feature phase.  As far as iSCSI is concerned, is CHAP authentication a one-time occurance during login, or are new challenges also allowed/expected at random intervals during the life of the connection? If re-authentication is allowed, then an example would be helpful in the text (target initiates authentication via async msg requesting parameter negotiation, then issues CHAP_I CHAP_C challenge in response to empty text request pdu; or initiator initiates authentication via text request containing CHAP_A key, etc...). If it is not allowed, perhaps we should explicitly state this in the iSCSI draft and/or IPS Security !
document, since it is a difference betwee!
n iSCSI usage of CHAP and that allowed by the RFC.
thanks,
Dean Scoville
QLogic