On Fri, 2021-03-19 at 14:15 +0100, Laszlo Ersek wrote:
Hi,
RFC 7143 requires CHAP-MD5 as a mandatory option offered by an iscsi client (initiator).
At the same time, edk2 has deprecated MD5 in general, as a cryptographically weak hash algorithm.
Consequently, the "NetworkDefines.dsc.inc" file defines NETWORK_ISCSI_ENABLE with default value FALSE (commit 4ecb1ba5efa3 / TianoCore#3003). Platforms that want to include IScsiDxe need to opt in consciously to the presence of CHAP-MD5 in the code.
We're not happy with this granularity. We'd prefer:
- explicitly breaking RFC 7143 conformance,
- removing CHAP-MD5,
- and using an IScsiDxe variant that is honest about having no confidentiality / integrity.
IScsiDxe is safe on a trusted network, and only on a trusted network. The presence of CHAP-MD5 suggests it may be safe on an untrusted network too, and that implication (not the whole iscsi client functionality) is what we should rid ourselves of.
Laszlo, This sounds like the right direction to me.
My 2C, Simo.
Are NetworkPkg maintainers open to breaking RFC 7143 conformance in IScsiDxe (perhaps with a feature PCD?), or should we look into this only downstream?
Downstream, we might decide to drop IScsiDxe altogether, in sync with the upstream NETWORK_ISCSI_ENABLE=FALSE default -- that decision has not been made yet. Now I'm just testing whether keeping IScsiDxe enabled downstream would require us to carry downstream-only patches.