Re: [storm] iSCSI: Authentication mechanism reduction

"Paul Koning" <Paul_Koning@Dell.com> Sat, 22 May 2010 16:17 UTC

Date: Sat, 22 May 2010 12:17:22 -0400
Message-ID: <D8CEBB6AE9D43848BD2220619A43F3265BD608@M31.equallogic.com>
In-Reply-To: <4BF79C81.7020603@gmail.com>
References: <C2D311A6F086424F99E385949ECFEBCB02A28E2B@CORPUSMX80B.corp.emc.com> <4BF79C81.7020603@gmail.com>
From: "Paul Koning" <Paul_Koning@Dell.com>
To: "Julian Satran" <julian.satran@gmail.com>, <storm@ietf.org>
Cc: Ofer Biran <biran@il.ibm.com>
Subject: Re: [storm] iSCSI: Authentication mechanism reduction

I agree about keeping Kerberos.

If we're looking at pulling out stuff, how about yanking SRP?  In spite
of its arguable technical superiority I believe patent concerns have,
and will, keep it from being used.

	paul

> -----Original Message-----
> From: storm-bounces@ietf.org [mailto:storm-bounces@ietf.org] On Behalf
> Of Julian Satran
> Sent: Saturday, May 22, 2010 4:58 AM
> To: storm@ietf.org
> Cc: Ofer Biran
> Subject: Re: [storm] iSCSI: Authentication mechanism reduction
> 
> 
>   Hm... Kerberos is widely deployed even if common iSCSI initiators
> are not using it.
> Wouldn't it be wiser to "revive" the GSSAPI version and have it
> replace the current wording?
> And it is certainly better than to be left with CHAP :-) (as the
> primary).
> 
> Julo
> 
> 
> On 22/05/10 04:43, Black_David@emc.com wrote:
> > <WG chair hat off>
> >
> > I'd like to propose removal of a few authentication mechanisms.  RFC
> > 3720 currently specifies five authentication mechanisms:
> > 	- Kerberos (KRB5)
> > 	- Simple public key (SPKM1 and SPKM2)
> > 	- Secure Remote Password (SRP)
> > 	- Challenge Handshake (CHAP)
> >
> > To my knowledge, SPKM1 and SPKM2 have never been implemented and are
> > not in use.  KRB5 has been implemented, but my understanding is that
> > it is not in use, and I understand that the specific iSCSI usage of
> > Kerberos isn't considered to be the proverbial "right thing" to do
> > because it's not based on GSSAPI.  There was an Internet-Draft on
> > adding GSSAPI-based Kerberos authentication to iSCSI, but it's long
> > since expired.
> >
> > So, I would suggest removal of the KRB5, SPKM1 and SPKM2 methods
> > from the iSCSI consolidated draft with suitable reservation of the
> > authentication method names and negotiation key prefixes (KRB_AP_,
> > SPKM_) to prevent future reuse.
> >
> > Thanks,
> > --David
> > ----------------------------------------------------
> > David L. Black, Distinguished Engineer
> > EMC Corporation, 176 South St., Hopkinton, MA  01748
> > +1 (508) 293-7953             FAX: +1 (508) 293-7786
> > black_david@emc.com        Mobile: +1 (978) 394-7754
> > ----------------------------------------------------
> >
> > _______________________________________________
> > storm mailing list
> > storm@ietf.org
> > https://www.ietf.org/mailman/listinfo/storm