[storm] iSCSI: Authentication mechanism reduction

<Black_David@emc.com> Sat, 22 May 2010 01:44 UTC

Date: Fri, 21 May 2010 21:43:25 -0400
Message-ID: <C2D311A6F086424F99E385949ECFEBCB02A28E2B@CORPUSMX80B.corp.emc.com>
From: <Black_David@emc.com>
To: <storm@ietf.org>
Cc: Black_David@emc.com
Subject: [storm] iSCSI: Authentication mechanism reduction

<WG chair hat off>

I'd like to propose removal of a few authentication mechanisms.  RFC 3720 currently specifies five authentication mechanisms:
	- Kerberos (KRB5)
	- Simple public key (SPKM1 and SPKM2)
	- Secure Remote Password (SRP)
	- Challenge Handshake (CHAP)

To my knowledge, SPKM1 and SPKM2 have never been implemented and are not in use.  KRB5 has been implemented, but my understanding is that it is not in use, and I understand that the specific iSCSI usage of Kerberos isn't considered to be the proverbial "right thing" to do because it's not based on GSSAPI.  There was an Internet-Draft on adding GSSAPI-based Kerberos authentication to iSCSI, but it's long since expired.

So, I would suggest removal of the KRB5, SPKM1 and SPKM2 methods from the iSCSI consolidated draft with suitable reservation of the authentication method names and negotiation key prefixes (KRB_AP_, SPKM_) to prevent future reuse.

David L. Black, Distinguished Engineer
EMC Corporation, 176 South St., Hopkinton, MA  01748
+1 (508) 293-7953             FAX: +1 (508) 293-7786
black_david@emc.com        Mobile: +1 (978) 394-7754
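As an added illustration (not part of the post, and not code from any iSCSI implementation or from the consolidated draft), the following Python sketch shows what the proposal means for a target's Login negotiation: the RFC 3720 AuthMethod list is parsed, only CHAP and SRP (plus "None" where authentication is not required) can be selected, and keys carrying the reserved KRB_AP_ and SPKM_ prefixes are flagged rather than interpreted. The sample Login Request data segment and the key "KRB_AP_REQ" in it are constructed for the example; the text-parameter framing (NUL-separated key=value pairs) and the method names are those of RFC 3720.

```python
"""
AuthMethod negotiation check for an iSCSI Login text exchange.

RFC 3720 negotiates authentication with a comma-separated AuthMethod list:
the initiator offers the methods it accepts, in preference order, and the
target answers with the first one it supports. The method names below are
the RFC 3720 values; the key prefixes are the ones the post asks to keep
reserved once the KRB5/SPKM methods are dropped from the consolidated draft.
"""
from typing import Optional

# Methods that remain negotiable, with the key-name prefix each one uses.
ACTIVE_METHODS = {"CHAP": "CHAP_", "SRP": "SRP_"}
# Methods proposed for removal: the names and prefixes stay reserved so they
# are never reassigned a different meaning, but a target must not select them.
RESERVED_METHODS = {"KRB5": "KRB_AP_", "SPKM1": "SPKM_", "SPKM2": "SPKM_"}


def parse_text_params(pdu_data: bytes) -> dict:
    """Split the NUL-separated key=value text of a Login Request data segment."""
    params = {}
    for item in pdu_data.split(b"\x00"):
        if not item:
            continue
        key, sep, value = item.decode("ascii").partition("=")
        if not sep:
            raise ValueError("malformed text parameter: %r" % item)
        params[key] = value
    return params


def select_auth_method(offered: str, require_auth: bool = True) -> Optional[str]:
    """
    Pick the first initiator-offered method the target supports.
    Returns None when nothing acceptable is offered, in which case the
    target should reject the login rather than fall back to a withdrawn method.
    """
    for method in offered.split(","):
        method = method.strip()
        if method in ACTIVE_METHODS:
            return method
        if method == "None" and not require_auth:
            return "None"
        # Reserved names (KRB5, SPKM1, SPKM2) are recognised but skipped.
    return None


def reserved_key_violations(params: dict) -> list:
    """Report negotiation keys whose prefix belongs to a withdrawn method."""
    bad = []
    for key in params:
        for prefix in RESERVED_METHODS.values():
            if key.startswith(prefix):
                bad.append(key)
                break
    return bad


# Constructed sample of a Login Request data segment (not a captured PDU).
SAMPLE_LOGIN = (b"InitiatorName=iqn.2010-05.example:init0\x00"
                b"AuthMethod=KRB5,SPKM1,CHAP,None\x00"
                b"KRB_AP_REQ=AAAA\x00")

if __name__ == "__main__":
    params = parse_text_params(SAMPLE_LOGIN)
    print("negotiated:", select_auth_method(params["AuthMethod"]))
    print("reserved-prefix keys present:", reserved_key_violations(params))
```

Run as a script, the sample offer "KRB5,SPKM1,CHAP,None" resolves to CHAP, and the stray KRB_AP_REQ key is reported rather than acted on; an offer consisting only of withdrawn methods yields no selection, which is the outcome the reservation is meant to guarantee.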