Re: [storm] iSCSI: Authentication mechanism reduction

Julian Satran <julian.satran@gmail.com> Sat, 22 May 2010 08:57 UTC


Hm... Kerberos is widely deployed even if common iSCSI initiators are not using it.
Wouldn't it be wiser to "revive" the GSSAPI version and have it replace the current wording?
And it is certainly better than to be left with CHAP :-) (as the primary).

Julo


On 22/05/10 04:43, Black_David@emc.com wrote:
> <WG chair hat off>
>
> I'd like to propose removal of a few authentication mechanisms.  RFC 3720 currently specifies five authentication mechanisms:
> 	- Kerberos (KRB5)
> 	- Simple public key (SPKM1 and SPKM2)
> 	- Secure Remote Password (SRP)
> 	- Challenge Handshake (CHAP)
>
> To my knowledge, SPKM1 and SPKM2 have never been implemented and are not in use.  KRB5 has been implemented, but my understanding is that it is not in use, and I understand that the specific iSCSI usage of Kerberos isn't considered to be the proverbial "right thing" to do because it's not based on GSSAPI.  There was an Internet-Draft on adding GSSAPI-based Kerberos authentication to iSCSI, but it's long since expired.
>
> So, I would suggest removal of the KRB5, SPKM1 and SPKM2 methods from the iSCSI consolidated draft with suitable reservation of the authentication method names and negotiation key prefixes (KRB_AP_, SPKM_) to prevent future reuse.
>
> Thanks,
> --David
> ----------------------------------------------------
> David L. Black, Distinguished Engineer
> EMC Corporation, 176 South St., Hopkinton, MA  01748
> +1 (508) 293-7953             FAX: +1 (508) 293-7786
> black_david@emc.com        Mobile: +1 (978) 394-7754
> ----------------------------------------------------
>