RE: iSCSI: 7.2.1 CHAP Considerations (12-98)

To: ssenum@cisco.com
Subject: RE: iSCSI: 7.2.1 CHAP Considerations (12-98)
From: Black_David@emc.com
Date: Wed, 12 Jun 2002 16:47:11 -0400
Cc: ips@ece.cmu.edu
Content-Type: text/plain;charset="iso-8859-1"
Sender: owner-ips@ece.cmu.edu

I think the essential condition here is that the
"do not continue if secret is shorter than 96 bits"
criteria should apply only to implementations that
know and use the secret (i.e., generators of CHAP
responses, and recipients of those responses that
do their own verification as opposed to outsourcing
that verification to something like a RADIUS server).

Thanks,
--David
---------------------------------------------------
David L. Black, Senior Technologist
EMC Corporation, 42 South St., Hopkinton, MA  01748
+1 (508) 249-6449 *NEW*      FAX: +1 (508) 497-8500
black_david@emc.com         Cell: +1 (978) 394-7754
---------------------------------------------------

> -----Original Message-----
> From: Steve Senum [mailto:ssenum@cisco.com]
> Sent: Wednesday, June 12, 2002 3:58 PM
> To: Julian Satran
> Cc: ietf-ips
> Subject: Re: iSCSI: 7.2.1 CHAP Considerations (12-98)
> 
> 
> Julian,
> 
> In the case where an iSCSI Target is authenticating
> an iSCSI Initiator, the Target sends a CHAP
> challenge and identifier, and the Initiator sends
> back a CHAP response and username.
> 
> In the case were the Target is using the RADIUS
> protocol, these four pieces of information are
> sent by the Target to a RADIUS server, which
> simply gives an accept or reject reply.  The target
> never has access to the CHAP secret (which is good),
> hence no check can be made on its length.
> 
> Regards,
> Steve Senum
> 
> Julian Satran wrote:
> > 
> > can you elaborate? Julo
> > 
> >   Steve Senum <ssenum@cisco.com>
> >   Sent by: owner-ips@ece.cmu.edu         To:        ietf-ips
> >                                  <ips@ece.cmu.edu>
> >   06/12/2002 09:32 PM                    cc:
> >   Please respond to Steve Senum          Subject:        
> iSCSI: 7.2.1 CHAP
> >                                  Considerations (12-98)
> > 
> > 
> > 
> > I have a concern over the wording of the
> > following text from section 7.2.1 (12-98 version):
> > 
> >    When CHAP is used with secret shorter than 96 bits,
> >    a compliant implementation MUST NOT continue with
> >    the login unless it can verify that IPsec encryption
> >    is being used to protect the connection.
> > 
> > I know the above is attempt to "put some teeth" into
> > the requirements to make the use of CHAP secure,
> > but I believe there are common cases where the
> > length of the CHAP secret cannot be verified, such
> > as when a RADIUS server is being used.
> > 
> > Regards,
> > Steve Senum
>

Follow-Ups:
- Re: iSCSI: 7.2.1 CHAP Considerations (12-98)
  - From: Steve Senum <ssenum@cisco.com>

Prev by Date: Re: iSCSI-Asynch event code
Next by Date: RE: iSCSI: CRC description
Prev by thread: Re: iSCSI: 7.2.1 CHAP Considerations (12-98)
Next by thread: Re: iSCSI: 7.2.1 CHAP Considerations (12-98)
Index(es):
- Date
- Thread

Home

Last updated: Wed Jun 12 18:18:45 2002
10729 messages in chronological order