
    Re: iSCSI: 7.2.1 CHAP Considerations (12-98)




    Steve,

    The text is not explicit about how the secret length gets to iSCSI.
    It can be an administrative interface/action.

    Julo


    Steve Senum <ssenum@cisco.com>
    06/12/2002 10:58 PM
    Please respond to Steve Senum

    To: Julian Satran/Haifa/IBM@IBMIL
    cc: ietf-ips <ips@ece.cmu.edu>
    Subject: Re: iSCSI: 7.2.1 CHAP Considerations (12-98)



    Julian,

    In the case where an iSCSI Target is authenticating
    an iSCSI Initiator, the Target sends a CHAP
    challenge and identifier, and the Initiator sends
    back a CHAP response and username.

    In the case where the Target is using the RADIUS
    protocol, these four pieces of information are
    sent by the Target to a RADIUS server, which
    simply gives an accept or reject reply.  The target
    never has access to the CHAP secret (which is good),
    hence no check can be made on its length.

    Regards,
    Steve Senum

    Julian Satran wrote:
    >
    > can you elaborate? Julo
    >
    >   Steve Senum <ssenum@cisco.com>
    >   Sent by: owner-ips@ece.cmu.edu
    >   06/12/2002 09:32 PM
    >   Please respond to Steve Senum
    >
    >   To: ietf-ips <ips@ece.cmu.edu>
    >   cc:
    >   Subject: iSCSI: 7.2.1 CHAP Considerations (12-98)
    >
    >
    >
    > I have a concern over the wording of the
    > following text from section 7.2.1 (12-98 version):
    >
    >    When CHAP is used with secret shorter than 96 bits,
    >    a compliant implementation MUST NOT continue with
    >    the login unless it can verify that IPsec encryption
    >    is being used to protect the connection.
    >
    > I know the above is an attempt to "put some teeth" into
    > the requirements to make the use of CHAP secure,
    > but I believe there are common cases where the
    > length of the CHAP secret cannot be verified, such
    > as when a RADIUS server is being used.
    >
    > Regards,
    > Steve Senum
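
Added illustration of the point discussed in this thread (not part of any message, and not code from the iSCSI draft): a target that holds the CHAP secret can apply the 96-bit rule quoted from section 7.2.1, while a target that forwards the challenge, identifier, response and username to a RADIUS server only gets accept or reject. The response formula is CHAP with MD5 as in RFC 1994; `ToyRadiusServer`, the function names, the usernames and the secrets are hypothetical and constructed for this sketch, and the toy server is an in-process stand-in, not the RADIUS protocol.

```python
import hashlib
import hmac
import os

MIN_SECRET_BITS = 96  # threshold quoted from section 7.2.1 (12-98)

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994): MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class ToyRadiusServer:
    """Hypothetical stand-in: holds the secrets, answers accept/reject only."""
    def __init__(self, secrets):
        self._secrets = secrets

    def check(self, username, identifier, challenge, response) -> bool:
        secret = self._secrets.get(username)
        if secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)

def target_login_local(secrets, username, identifier, challenge, response,
                       ipsec_verified):
    """Target holds the secret itself, so it can enforce the length rule."""
    secret = secrets.get(username)
    if secret is None:
        return "reject"
    if len(secret) * 8 < MIN_SECRET_BITS and not ipsec_verified:
        return "refuse: short secret without IPsec"
    expected = chap_response(identifier, secret, challenge)
    return "accept" if hmac.compare_digest(expected, response) else "reject"

def target_login_radius(server, username, identifier, challenge, response):
    """Target forwards the four values; the secret length is invisible to it."""
    ok = server.check(username, identifier, challenge, response)
    return "accept" if ok else "reject"

def demo():
    # Constructed sample secrets: 64 bits and 128 bits.
    secrets = {"init-short": b"8bytes!!", "init-long": b"sixteen-byte-key"}
    server = ToyRadiusServer(secrets)
    results = {}
    for user, secret in secrets.items():
        ident, challenge = 1, os.urandom(16)
        resp = chap_response(ident, secret, challenge)  # initiator side
        results[user] = (
            target_login_local(secrets, user, ident, challenge, resp, False),
            target_login_radius(server, user, ident, challenge, resp),
        )
    return results
```

In the RADIUS path, any length check has to happen where the secret is stored or provisioned, since the target never sees it.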





Last updated: Wed Jun 12 18:18:45 2002