Re: [storm] iSCSI: Authentication mechanism reduction

<david.black@emc.com> Wed, 23 June 2010 20:12 UTC

Date: Wed, 23 Jun 2010 16:12:48 -0400
Message-ID: <C2D311A6F086424F99E385949ECFEBCB02ED59D7@CORPUSMX80B.corp.emc.com>
In-Reply-To: <4BF8A5BB.6030901@gmail.com>
Thread-Topic: [storm] iSCSI: Authentication mechanism reduction
Thread-Index: Acr6PflmFQ/AuR57TES4pC5972yEJQY0Scpg
References: <C2D311A6F086424F99E385949ECFEBCB02A28E2B@CORPUSMX80B.corp.emc.com><4BF79C81.7020603@gmail.com><D8CEBB6AE9D43848BD2220619A43F3265BD608@M31.equallogic.com> <4BF8A5BB.6030901@gmail.com>
From: <david.black@emc.com>
To: <storm@ietf.org>
Subject: Re: [storm] iSCSI: Authentication mechanism reduction

Reviewing this thread, I believe I see consensus (actual consensus, not
just rough) for removing SPKM1 and SPKM2.  It will be necessary to
instruct IANA to mark the SPKM_ text key prefix as obsolete and not to
be reused as part of removing these mechanisms.

For now, KRB5 and SRP need to stay in the combined iSCSI draft.

Thanks,
--David


> -----Original Message-----
> From: storm-bounces@ietf.org [mailto:storm-bounces@ietf.org] On Behalf Of Julian Satran
> Sent: Saturday, May 22, 2010 11:49 PM
> To: Paul Koning
> Cc: Ofer Biran; storm@ietf.org
> Subject: Re: [storm] iSCSI: Authentication mechanism reduction
> 
> 
>   Paul,
> 
> There were patent concerns (none confirmed!) but SRP was by far the authors'
> preference (simplest, secure) and it would be a mistake to take it out.
> Enough to have it optional :-). At least we have an interoperable
> description.
> 
> Julo
> 
> On 22/05/10 19:17, Paul Koning wrote:
> > I agree about keeping Kerberos.
> >
> > If we're looking at pulling out stuff, how about yanking SRP?  In spite
> > of its arguable technical superiority I believe patent concerns have,
> > and will, keep it from being used.
> >
> > 	paul
> >
> >> -----Original Message-----
> >> From: storm-bounces@ietf.org [mailto:storm-bounces@ietf.org] On Behalf
> >> Of Julian Satran
> >> Sent: Saturday, May 22, 2010 4:58 AM
> >> To: storm@ietf.org
> >> Cc: Ofer Biran
> >> Subject: Re: [storm] iSCSI: Authentication mechanism reduction
> >>
> >>
> >>    Hm... Kerberos is widely deployed even if common iSCSI initiators
> >> are not using it.
> >> Wouldn't it be wiser to "revive" the GSSAPI version and have it
> >> replace the current wording?
> >> And it is certainly better than to be left with CHAP :-) (as the
> >> primary).
> >>
> >> Julo
> >>
> >>
> >> On 22/05/10 04:43, Black_David@emc.com wrote:
> >>> <WG chair hat off>
> >>>
> >>> I'd like to propose removal of a few authentication mechanisms.  RFC
> >>> 3720 currently specifies five authentication mechanisms:
> >>> 	- Kerberos (KRB5)
> >>> 	- Simple public key (SPKM1 and SPKM2)
> >>> 	- Secure Remote Password (SRP)
> >>> 	- Challenge Handshake (CHAP)
> >>>
> >>> To my knowledge, SPKM1 and SPKM2 have never been implemented and are
> >>> not in use.  KRB5 has been implemented, but my understanding is that it
> >>> is not in use, and I understand that the specific iSCSI usage of
> >>> Kerberos isn't considered to be the proverbial "right thing" to do
> >>> because it's not based on GSSAPI.  There was an Internet-Draft on
> >>> adding GSSAPI-based Kerberos authentication to iSCSI, but it's long
> >>> since expired.
> >>>
> >>> So, I would suggest removal of the KRB5, SPKM1 and SPKM2 methods from
> >>> the iSCSI consolidated draft with suitable reservation of the
> >>> authentication method names and negotiation key prefixes (KRB_AP_,
> >>> SPKM_) to prevent future reuse.
> >>>
> >>> Thanks,
> >>> --David
> >>> ----------------------------------------------------
> >>> David L. Black, Distinguished Engineer
> >>> EMC Corporation, 176 South St., Hopkinton, MA  01748
> >>> +1 (508) 293-7953             FAX: +1 (508) 293-7786
> >>> black_david@emc.com        Mobile: +1 (978) 394-7754
> >>> ----------------------------------------------------
> >>>
> >>> _______________________________________________
> >>> storm mailing list
> >>> storm@ietf.org
> >>> https://www.ietf.org/mailman/listinfo/storm
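As an added example that is not part of this thread or of any iSCSI implementation, the following Python models how a target would carry out the AuthMethod list negotiation once SPKM1 and SPKM2 are gone: the NUL-separated key=value text format, the first-supported-value selection rule and the "Reject" answer follow RFC 3720, while the target's supported set, the login bytes and the SPKM_-prefixed key name used in the sample are constructed for illustration. It also shows the practical consequence of marking the SPKM_ prefix obsolete: a login that still carries such a key is refused rather than silently accepted.

```python
"""
Target-side iSCSI AuthMethod negotiation with SPKM1/SPKM2 removed.

Assumptions (illustrative, not taken from the thread): login text keys are
NUL-separated "key=value" pairs, list values are comma-separated, and the
target's supported set is whatever the caller passes in.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, List

# AuthMethod values defined by RFC 3720. The thread reached consensus on
# dropping SPKM1/SPKM2; KRB5 and SRP stay defined for now.
RFC3720_AUTH_METHODS = {"KRB5", "SPKM1", "SPKM2", "SRP", "CHAP", "None"}
OBSOLETE_AUTH_METHODS = {"SPKM1", "SPKM2"}
# Text key prefix the thread asks IANA to mark obsolete and never reuse.
OBSOLETE_KEY_PREFIXES = ("SPKM_",)


@dataclass
class NegotiationResult:
    selected: str | None            # chosen method, or None meaning "Reject"
    warnings: List[str] = field(default_factory=list)


def parse_text_keys(data: bytes) -> Dict[str, str]:
    """Split a NUL-separated login text segment into key=value pairs.

    A duplicated key inside one segment is a protocol error, so it raises
    instead of letting the later value quietly win.
    """
    pairs: Dict[str, str] = {}
    for item in data.split(b"\x00"):
        if not item:
            continue
        key, sep, value = item.decode("ascii").partition("=")
        if not sep or not key:
            raise ValueError(f"malformed text key: {item!r}")
        if key in pairs:
            raise ValueError(f"duplicate key {key} in one login segment")
        pairs[key] = value
    return pairs


def negotiate_auth_method(initiator_keys: Dict[str, str],
                          target_supports: List[str]) -> NegotiationResult:
    """Pick the first value in the initiator's ordered AuthMethod list that
    the target supports (RFC 3720 list negotiation). Obsolete mechanisms
    and obsolete key prefixes are refused and recorded in the warnings."""
    result = NegotiationResult(selected=None)
    for key in initiator_keys:
        if key.startswith(OBSOLETE_KEY_PREFIXES):
            result.warnings.append(f"obsolete key prefix in {key}; rejecting login")
            return result
    offered = [v.strip() for v in initiator_keys.get("AuthMethod", "").split(",")
               if v.strip()]
    if not offered:
        result.warnings.append("no AuthMethod offered")
        return result
    usable = set(target_supports) - OBSOLETE_AUTH_METHODS
    for value in offered:
        if value not in RFC3720_AUTH_METHODS:
            result.warnings.append(f"unknown AuthMethod value {value} ignored")
            continue
        if value in OBSOLETE_AUTH_METHODS:
            result.warnings.append(f"{value} offered but no longer supported")
            continue
        if value in usable:
            result.selected = value
            return result
    result.warnings.append("no common AuthMethod; answering Reject")
    return result


def encode_response(result: NegotiationResult) -> bytes:
    """Build the target's AuthMethod reply as a NUL-terminated text key."""
    return f"AuthMethod={result.selected or 'Reject'}".encode("ascii") + b"\x00"


# Constructed sample login segment: an initiator that still offers SPKM1
# first, then CHAP, then no authentication.
CONSTRUCTED_LOGIN = (b"InitiatorName=iqn.2010-06.example:init\x00"
                     b"AuthMethod=SPKM1,CHAP,None\x00")

if __name__ == "__main__":
    outcome = negotiate_auth_method(parse_text_keys(CONSTRUCTED_LOGIN), ["CHAP", "None"])
    print(encode_response(outcome), outcome.warnings)
```

Run against the constructed segment, the target skips SPKM1 with a warning and answers `AuthMethod=CHAP`; a segment carrying any SPKM_-prefixed key is answered with `AuthMethod=Reject` before the method list is even examined.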