Re: Auth method negotiation

[Chirag Wighe <chirag.wighe@windriver.com>]

Hi

I am sorry for the typo but I cut and paste from the spec. In the spec on 
page 245 for example it says
If the initiator authentication is successful, the target proceeds:
T- Login (CSG,NSG=0,1 T=1)
I- Login (CSG,NSG=1,0 T=0)
... iSCSI parameters
T- Login (CSG,NSG=1,0 T=0)
... iSCSI parameters

I did a search and there are several other 1,0 transitions in the spec.

Anyway what I meant was what Bill intepreted it to be which was
Login (CSG,NSG=0,1 T=1)
InitiatorName=iqn.1999-07.com.os.hostid.77
TargetName=iqn.1999-07.com.acme.diskarray.sn.88
AuthMethod=KRB5,SRP,CHAP,None

and the target replying
T- Login-PR (CSG,NSG=0,1 T=1)
AuthMethod=CHAP

and then my other questions hopefully make more sense.

Thanks
Chirag





At 01:14 PM 6/21/02, Bill Studenmund wrote:
>On Fri, 21 Jun 2002, Chirag Wighe wrote:
>
> > Hi
> >
> > In section 10.4 in Draft v13 it says
> > "The AuthMethod selection is followed by an "authentication exchange"
> > specific to the authentication method selected. "
> > Should the "is" be replaced by a "MUST" for any AuthMethod selection other
> > than "None"?
>
>Probably, though we could eliminate the "None" bit as there is no
>authentication exchange for "None."
>
> > As an example closely related to one in the Appendix.
> > If the login begins as
> >
> > I- Login (CSG,NSG=0,1 T=1)
> > InitiatorName=iqn.1999-07.com.os.hostid.77
> > TargetName=iqn.1999-07.com.acme.diskarray.sn.88
> > AuthMethod=KRB5,SRP,CHAP,None
> >
> > And the target chooses CHAP.
> > One question that I have is whether choosing CHAP implies the statement in
> > section 4.3
> > "Targets MUST NOT submit parameters that require an additional initiator
> > login request in a login response with the T bit set to 1."
> > So if the target chooses CHAP,  does it imply that it expects a CHAP_A
> > response and is not permitted to set the T bit to one even if the target is
> > not interested in authenticating the initiator.
> > So is the following reply illegal?
> > T- Login-PR (CSG,NSG=1,0 T=1)
> > AuthMethod=CHAP
>
>Note: you had CSG=0 in the request, but you had CSG=1 in the reply. Yes,
>it's illegal. :-)
>
> > If the above is not illegal, then if the initiator is also not interested
> > in authenticating the target, can the initiator transition to the next 
> stage.
>
>I'm not sure, but I think so. If the response were CSG,NSG=0,1, then I
>think that's fine. Note that the initiator set the T bit, indicating it
>isn't interested in the target authenticating itself.  If the target also
>doesn't care about authentication, then the target knows they both don't
>want to authenticate. Thus it's safe to transition.
>
> > I realize that the above problem might only be a syntactic one as the
> > proper ordering of Auth Methods in the requests sent by the initiator not
> > interested in Authentication would be for None to precede other options and
> > the target will then choose None if it is also not interested in
> > authentication either.
>
>Hmmm...
>
>I'm not sure. What does everyone else think? If the T bits indicate that
>both sides are fine with skipping authentication, does AuthMethods matter?
>
>Take care,
>
>Bill