Re: [storm] [kitten] Kerberos Considerations for iSCSI Authentication
"Black, David" <david.black@emc.com> Thu, 30 May 2013 00:18 UTC
Return-Path: <david.black@emc.com>
X-Original-To: storm@ietfa.amsl.com
Delivered-To: storm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 54C2A21F955C; Wed, 29 May 2013 17:18:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PBOjMeDLdagf; Wed, 29 May 2013 17:18:53 -0700 (PDT)
Received: from mexforward.lss.emc.com (hop-nat-141.emc.com [168.159.213.141]) by ietfa.amsl.com (Postfix) with ESMTP id 4862E21F949D; Wed, 29 May 2013 17:18:53 -0700 (PDT)
Received: from hop04-l1d11-si01.isus.emc.com (HOP04-L1D11-SI01.isus.emc.com [10.254.111.54]) by mexforward.lss.emc.com (Switch-3.4.3/Switch-3.4.3) with ESMTP id r4U0IhMx008012 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 29 May 2013 20:18:49 -0400
Received: from mailhub.lss.emc.com (mailhubhoprd06.lss.emc.com [10.254.222.130]) by hop04-l1d11-si01.isus.emc.com (RSA Interceptor); Wed, 29 May 2013 20:18:34 -0400
Received: from mxhub21.corp.emc.com (mxhub21.corp.emc.com [128.222.70.133]) by mailhub.lss.emc.com (Switch-3.4.3/Switch-3.4.3) with ESMTP id r4U0IX1V029834; Wed, 29 May 2013 20:18:34 -0400
Received: from mx15a.corp.emc.com ([169.254.1.184]) by mxhub21.corp.emc.com ([128.222.70.133]) with mapi; Wed, 29 May 2013 20:18:33 -0400
From: "Black, David" <david.black@emc.com>
To: Nico Williams <nico@cryptonector.com>
Date: Wed, 29 May 2013 20:18:33 -0400
Thread-Topic: [kitten] Kerberos Considerations for iSCSI Authentication
Thread-Index: Ac5cqXI/5wO30C/LRfeOZY+V+aHxvgAIIP7Q
Message-ID: <8D3D17ACE214DC429325B2B98F3AE71296A3C7C2@MX15A.corp.emc.com>
References: <8D3D17ACE214DC429325B2B98F3AE71296A3C67D@MX15A.corp.emc.com> <CAK3OfOhSHT=2H1PwUr62t0UrnMFLHh17znfTsB_RuoVMRF6EcQ@mail.gmail.com>
In-Reply-To: <CAK3OfOhSHT=2H1PwUr62t0UrnMFLHh17znfTsB_RuoVMRF6EcQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-EMM-MHVC: 1
Cc: "kitten@ietf.org" <kitten@ietf.org>, "storm@ietf.org" <storm@ietf.org>
Subject: Re: [storm] [kitten] Kerberos Considerations for iSCSI Authentication
X-BeenThere: storm@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Storage Maintenance WG <storm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/storm>, <mailto:storm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/storm>
List-Post: <mailto:storm@ietf.org>
List-Help: <mailto:storm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/storm>, <mailto:storm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 May 2013 00:18:59 -0000
Nico, Thank you for the prompt and useful review. Comments inline ... Thanks, --David > -----Original Message----- > From: Nico Williams [mailto:nico@cryptonector.com] > Sent: Wednesday, May 29, 2013 4:16 PM > To: Black, David > Cc: kitten@ietf.org; storm@ietf.org > Subject: Re: [kitten] Kerberos Considerations for iSCSI Authentication > > On Wed, May 29, 2013 at 9:43 AM, Black, David <david.black@emc.com> wrote: > > I do want to head off one area of comments - please send any "you > > should use GSS-API" comments to /dev/null. iSCSI was specified to use > > Kerberos w/o GSS-API a long time ago, so GSS-API for iSCSI would be a > > new iSCSI authentication mechanism that should be in a separate draft, > > as opposed to this update (which is already long enough). > > Other comments to head off: > > - Kerberos <-> IPsec binding? never mind; we failed to get uptake on RFC5660. I'm afraid so ... sorry. > > ------------------ > > > > 9.2.3 Kerberos Considerations for iSCSI Authentication > > > > iSCSI uses Kerberos via "bare" tokens - i.e. does not use GSS-API > ([RFC4121]) - > > for authenticating the two Kerberos principals during the iSCSI Login > process. > > s/tokens/PDUs/ (and define the term: Protocol Data Unit). Or better: > > NEW: > iSCSI uses raw Kerberos V5 [RFC4120] for authenticating a client > (iSCSI initiator) principal to a service (iSCSI target) principal. > Note that iSCSI does not use the Generic Security Services Application > Programming Interface (GSS-API) [RFC2743] nor the Kerberos V5 GSS-API > security mechanism [RFC4121]. +1 on the new text - we'll take it. > > This implies that iSCSI implementations supporting the KRB5 AuthMethod > > (Section 12.1) are directly involved in the Kerberos protocol. Specifically, > > the following actions MUST be performed as specified in [RFC4120]: > > The first sentence of the above para says nothing to me :( Remove it? > Sure. > > - Target MUST validate the KRB_AP_REQ to ensure that the > > initiator can be trusted > > - When mutual authentication is selected, the initiator > > MUST validate KRB_AP_REP > > to determine the outcome of mutual authentication > > Yes. (Assuming there's text elsewhere saying that these PDUs have to > be sent and received in order to validate them :) Yes, there is, and we'll double-check. > > As Kerberos V5 is capable of providing mutual authentication, implementations > > SHOULD support mutual authentication by default for login authentication. > > Is there a reason not to make this a MUST? Yes, a lot of deployed iSCSI authentication is one-way - initiators (host) authenticate to targets (storage), but not vice-versa; forcing defaults to never match common usage has some analogies to trying to teach a pig to sing ... one gets no music and only succeeds in annoying the pig :-). > > Note however that Kerberos authentication only assures that the server > > (iSCSI target) can be trusted by the Kerberos client (initiator) and > > vice-versa; an initiator should employ appropriately secured service > > discovery techniques (e.g. iSNS, Section 4.2.7) to ensure that it is > > talking to the intended target principal. > > Some text somewhere should note that Kerberos is not used to provide > integrity nor confidentiality protection to the iSCSI protocol (and > that only IPsec does, and so on). Sure, good suggestion, we'll add a sentence to that effect. > > Nico > --
- [storm] Kerberos Considerations for iSCSI Authent… Black, David
- Re: [storm] [kitten] Kerberos Considerations for … Black, David
- Re: [storm] [kitten] Kerberos Considerations for … Nico Williams