Re: [storm] [kitten] Kerberos Considerations for iSCSI Authentication
Nico Williams <nico@cryptonector.com> Wed, 29 May 2013 20:17 UTC
Return-Path: <nico@cryptonector.com>
X-Original-To: storm@ietfa.amsl.com
Delivered-To: storm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7F2D021F8ED8; Wed, 29 May 2013 13:17:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.377
X-Spam-Level:
X-Spam-Status: No, score=-1.377 tagged_above=-999 required=5 tests=[AWL=0.600, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OcHpjbwq-BrO; Wed, 29 May 2013 13:17:53 -0700 (PDT)
Received: from homiemail-a90.g.dreamhost.com (mailbigip.dreamhost.com [208.97.132.5]) by ietfa.amsl.com (Postfix) with ESMTP id 9759B21F8E76; Wed, 29 May 2013 13:17:53 -0700 (PDT)
Received: from homiemail-a90.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a90.g.dreamhost.com (Postfix) with ESMTP id A0DBF2AC0A9; Wed, 29 May 2013 13:17:51 -0700 (PDT)
Received: from mail-wi0-f173.google.com (mail-wi0-f173.google.com [209.85.212.173]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by homiemail-a90.g.dreamhost.com (Postfix) with ESMTPSA id D765C2AC0DB; Wed, 29 May 2013 13:16:22 -0700 (PDT)
Received: by mail-wi0-f173.google.com with SMTP id hi5so3927927wib.6 for <multiple recipients>; Wed, 29 May 2013 13:15:32 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=cH9Qd6mPXz5OIJvcUd+7TbHIE7iSSQKXFt8y1l+B1rU=; b=KvMMqLoi039XlY3zwkUoU11sbHV+W3OLlPXvhUNoMzCLPELABE9cY/j5MiBjqxx4DF uFidGQMtGVCZvK2m+Pg/Qmk/pTLY7U3067SweY+K8EUvfCNDQEvWz79lR5zs0YeYxN6M 9sPeCwswJygv1LjE1CQK5iJf80o9QRHxmlDpeGLVc+yYq9pgA1a3drKrrXzQUdT2Xu4g 9WJeWQJSECjJGKUmzttODmZer5fgwdUSY7Eq3/StYMRFh6w4vzOc0EE6SUYrb9xeGbfG NMxq4ijaShABg4Gy6zDa4xcfu69M5vvIyrEhRSJFqzwbfp5ly6hZ3dd+6X/hl8f3cZNg 5iRA==
MIME-Version: 1.0
X-Received: by 10.194.83.5 with SMTP id m5mr2283589wjy.20.1369858532730; Wed, 29 May 2013 13:15:32 -0700 (PDT)
Received: by 10.216.63.136 with HTTP; Wed, 29 May 2013 13:15:32 -0700 (PDT)
In-Reply-To: <8D3D17ACE214DC429325B2B98F3AE71296A3C67D@MX15A.corp.emc.com>
References: <8D3D17ACE214DC429325B2B98F3AE71296A3C67D@MX15A.corp.emc.com>
Date: Wed, 29 May 2013 15:15:32 -0500
Message-ID: <CAK3OfOhSHT=2H1PwUr62t0UrnMFLHh17znfTsB_RuoVMRF6EcQ@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: "Black, David" <david.black@emc.com>
Content-Type: text/plain; charset="UTF-8"
X-Mailman-Approved-At: Thu, 30 May 2013 08:02:01 -0700
Cc: "kitten@ietf.org" <kitten@ietf.org>, "storm@ietf.org" <storm@ietf.org>
Subject: Re: [storm] [kitten] Kerberos Considerations for iSCSI Authentication
X-BeenThere: storm@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Storage Maintenance WG <storm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/storm>, <mailto:storm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/storm>
List-Post: <mailto:storm@ietf.org>
List-Help: <mailto:storm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/storm>, <mailto:storm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 May 2013 20:18:00 -0000
On Wed, May 29, 2013 at 9:43 AM, Black, David <david.black@emc.com> wrote: > I do want to head off one area of comments - please send any "you > should use GSS-API" comments to /dev/null. iSCSI was specified to use > Kerberos w/o GSS-API a long time ago, so GSS-API for iSCSI would be a > new iSCSI authentication mechanism that should be in a separate draft, > as opposed to this update (which is already long enough). Other comments to head of: - Kebreros <-> IPsec binding? never mind; we failed to get uptake on RFC5660. > ------------------ > > 9.2.3 Kerberos Considerations for iSCSI Authentication > > iSCSI uses Kerberos via "bare" tokens - i.e. does not use GSS-API ([RFC4121]) - > for authenticating the two Kerberos principals during the iSCSI Login process. s/tokens/PDUs/ (and define the term: Protocol Data Unit). Or better: NEW: iSCSI uses raw Kerberos V5 [RFC4120] for authenticating a client (iSCSI initiator) principal to a service (iSCSI target) principal. Note that iSCSI does not use the Generic Security Services Application Programming Interface (GSS-API) [RFC2743] nor the Kerberos V5 GSS-API security mechanism [RFC4121]. > This implies that iSCSI implementations supporting the KRB5 AuthMethod > (Section 12.1) are directly involved in the Kerberos protocol. Specifically, > the following actions MUST be performed as specified in [RFC4120]: The first sentence of the above para says nothing to me :( Remove it? > - Target MUST validate the KRB_AP_REQ to ensure that the > initiator can be trusted > - When mutual authentication is selected, the initiator > MUST validate KRB_AP_REP > to determine the outcome of mutual authentication Yes. (Assuming there's text elsewhere saying that these PDUs have to be sent and received in order to validate them :) > As Kerberos V5 is capable of providing mutual authentication, implementations > SHOULD support mutual authentication by default for login authentication. Is there a reason not to make this a MUST? > Note however that Kerberos authentication only assures that the server > (iSCSI target) can be trusted by the Kerberos client (initiator) and > vice-versa; an initiator should employ appropriately secured service > discovery techniques (e.g. iSNS, Section 4.2.7) to ensure that it is > talking to the intended target principal. Some text somewhere should note that Kerberos is not used to provide integrity nor confidentiality protection to the iSCSI protocol (and that only IPsec does, and so on). Nico --
- [storm] Kerberos Considerations for iSCSI Authent… Black, David
- Re: [storm] [kitten] Kerberos Considerations for … Black, David
- Re: [storm] [kitten] Kerberos Considerations for … Nico Williams