RE: iSCSI: 7.2.1 CHAP Considerations (12-98)

To: ssenum@cisco.com
Subject: RE: iSCSI: 7.2.1 CHAP Considerations (12-98)
From: Black_David@emc.com
Date: Wed, 12 Jun 2002 19:26:07 -0400
Cc: ips@ece.cmu.edu
Content-Type: text/plain;charset="iso-8859-1"
Sender: owner-ips@ece.cmu.edu

Yes, my intent was to modify the draft text to include the
"essential condition" described below.  --David

> -----Original Message-----
> From: Steve Senum [mailto:ssenum@cisco.com]
> Sent: Wednesday, June 12, 2002 6:14 PM
> To: Black_David@emc.com
> Cc: ips@ece.cmu.edu
> Subject: Re: iSCSI: 7.2.1 CHAP Considerations (12-98)
> 
> 
> David,
> 
> What you state would be better, but that is
> not what the current text (as of 12-98) says.
> 
> Steve Senum
> 
> Black_David@emc.com wrote:
> > 
> > I think the essential condition here is that the
> > "do not continue if secret is shorter than 96 bits"
> > criteria should apply only to implementations that
> > know and use the secret (i.e., generators of CHAP
> > responses, and recipients of those responses that
> > do their own verification as opposed to outsourcing
> > that verification to something like a RADIUS server).
> > 
> > Thanks,
> > --David
> > ---------------------------------------------------
> > David L. Black, Senior Technologist
> > EMC Corporation, 42 South St., Hopkinton, MA  01748
> > +1 (508) 249-6449 *NEW*      FAX: +1 (508) 497-8500
> > black_david@emc.com         Cell: +1 (978) 394-7754
> > ---------------------------------------------------
> > 
> > > -----Original Message-----
> > > From: Steve Senum [mailto:ssenum@cisco.com]
> > > Sent: Wednesday, June 12, 2002 3:58 PM
> > > To: Julian Satran
> > > Cc: ietf-ips
> > > Subject: Re: iSCSI: 7.2.1 CHAP Considerations (12-98)
> > >
> > >
> > > Julian,
> > >
> > > In the case where an iSCSI Target is authenticating
> > > an iSCSI Initiator, the Target sends a CHAP
> > > challenge and identifier, and the Initiator sends
> > > back a CHAP response and username.
> > >
> > > In the case were the Target is using the RADIUS
> > > protocol, these four pieces of information are
> > > sent by the Target to a RADIUS server, which
> > > simply gives an accept or reject reply.  The target
> > > never has access to the CHAP secret (which is good),
> > > hence no check can be made on its length.
> > >
> > > Regards,
> > > Steve Senum
> > >
> > > Julian Satran wrote:
> > > >
> > > > can you elaborate? Julo
> > > >
> > > >   Steve Senum <ssenum@cisco.com>
> > > >   Sent by: owner-ips@ece.cmu.edu         To:        ietf-ips
> > > >                                  <ips@ece.cmu.edu>
> > > >   06/12/2002 09:32 PM                    cc:
> > > >   Please respond to Steve Senum          Subject:
> > > iSCSI: 7.2.1 CHAP
> > > >                                  Considerations (12-98)
> > > >
> > > >
> > > >
> > > > I have a concern over the wording of the
> > > > following text from section 7.2.1 (12-98 version):
> > > >
> > > >    When CHAP is used with secret shorter than 96 bits,
> > > >    a compliant implementation MUST NOT continue with
> > > >    the login unless it can verify that IPsec encryption
> > > >    is being used to protect the connection.
> > > >
> > > > I know the above is attempt to "put some teeth" into
> > > > the requirements to make the use of CHAP secure,
> > > > but I believe there are common cases where the
> > > > length of the CHAP secret cannot be verified, such
> > > > as when a RADIUS server is being used.
> > > >
> > > > Regards,
> > > > Steve Senum
> > >
>

Prev by Date: Re: base64 byte-length formula
Next by Date: Re: base64 byte-length formula
Prev by thread: Re: iSCSI: 7.2.1 CHAP Considerations (12-98)
Next by thread: RE: iSCSI: 7.2.1 CHAP Considerations (12-98)
Index(es):
- Date
- Thread

Home

Last updated: Thu Jun 13 05:19:11 2002
10748 messages in chronological order