Re: iSCSI: 7.2.1 CHAP Considerations (12-98)

Julian,

I don't see how this helps. Unless the Target is directly
managing the CHAP secrets, I don't believe a check on the
length of the secret is practical.

Steve Senum

Julian Satran wrote:
>
> Steve,
>
> The text is not explicit about how the secret length gets to iSCSI.
> It can be an administrative interface/action.
>
> Julo
>
> Steve Senum <ssenum@cisco.com>
> 06/12/2002 10:58 PM
> Please respond to Steve Senum
>
> To: Julian Satran/Haifa/IBM@IBMIL
> cc: ietf-ips <ips@ece.cmu.edu>
> Subject: Re: iSCSI: 7.2.1 CHAP Considerations (12-98)
>
> Julian,
>
> In the case where an iSCSI Target is authenticating
> an iSCSI Initiator, the Target sends a CHAP
> challenge and identifier, and the Initiator sends
> back a CHAP response and username.
>
> In the case where the Target is using the RADIUS
> protocol, these four pieces of information are
> sent by the Target to a RADIUS server, which
> simply gives an accept or reject reply. The target
> never has access to the CHAP secret (which is good),
> hence no check can be made on its length.
>
> Regards,
> Steve Senum
>
> Julian Satran wrote:
> >
> > can you elaborate? Julo
> >
> > Steve Senum <ssenum@cisco.com>
> > Sent by: owner-ips@ece.cmu.edu
> > 06/12/2002 09:32 PM
> > Please respond to Steve Senum
> >
> > To: ietf-ips <ips@ece.cmu.edu>
> > cc:
> > Subject: iSCSI: 7.2.1 CHAP Considerations (12-98)
> >
> > I have a concern over the wording of the
> > following text from section 7.2.1 (12-98 version):
> >
> >    When CHAP is used with secret shorter than 96 bits,
> >    a compliant implementation MUST NOT continue with
> >    the login unless it can verify that IPsec encryption
> >    is being used to protect the connection.
> >
> > I know the above is an attempt to "put some teeth" into
> > the requirements to make the use of CHAP secure,
> > but I believe there are common cases where the
> > length of the CHAP secret cannot be verified, such
> > as when a RADIUS server is being used.
> >
> > Regards,
> > Steve Senum
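
The two cases discussed in this thread, as an added Python example that is not part of the original messages or of any iSCSI implementation: a target that holds the CHAP secrets can apply the 96-bit rule from 7.2.1, while a target that delegates verification only ever handles the four exchanged values. `AuthServerStandIn` and the function names are hypothetical, the stand-in is an in-process object rather than the RADIUS protocol, and the sample secret is constructed.

```python
import hashlib
import hmac
import os

MIN_SECRET_BITS = 96  # threshold from the quoted 7.2.1 text


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: hash of identifier || secret || challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class AuthServerStandIn:
    """Hypothetical in-process stand-in for a RADIUS server: it holds the
    secrets and answers only accept (True) or reject (False)."""

    def __init__(self, secrets: dict):
        self._secrets = secrets

    def check(self, username, identifier, challenge, response) -> bool:
        secret = self._secrets.get(username)
        if secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)


def target_login_local(secrets, username, identifier, challenge, response,
                       ipsec_verified: bool) -> str:
    """Target manages secrets itself, so it can apply the length rule."""
    secret = secrets.get(username)
    if secret is None:
        return "reject"
    if len(secret) * 8 < MIN_SECRET_BITS and not ipsec_verified:
        return "reject: short secret without IPsec"
    ok = hmac.compare_digest(chap_response(identifier, secret, challenge), response)
    return "accept" if ok else "reject"


def target_login_delegated(server, username, identifier, challenge, response) -> str:
    """Target forwards the four values; no secret is in scope to measure."""
    return "accept" if server.check(username, identifier, challenge, response) else "reject"


# Constructed sample data: an 8-byte (64-bit) secret, below the threshold.
SECRETS = {"initiator1": b"8bytekey"}
CHALLENGE = os.urandom(16)
RESPONSE = chap_response(1, SECRETS["initiator1"], CHALLENGE)
```

With the same 64-bit secret, the local path refuses the login when IPsec is not verified, and the delegated path accepts it because the length never reaches the target.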
Last updated: Wed Jun 12 18:18:44 2002