DHCHAP / FC-SP Cannot Use SHA-1 as the Hash Algorithm

When configuring DHCHAP / FC-SP on MDS switches there are a few parameters you can set.  Among these is the hash type, which can be MD5 or SHA-1.  By default the MDS offers MD5 first and then SHA-1.  You can also set this to just MD5, just SHA-1, or SHA-1 first and then MD5.

If you try to use SHA-1 with AAA RADIUS or TACACS+ authentication it will fail.  Even if you specify SHA-1 first and MD5 second, the entire AAA method fails, just as if the AAA server were unreachable, and the switch moves on to the next AAA method configured, for example local, which is always present even though it is hidden in the config.

The hash types are sent in a HashList field in the FC-SP exchange, so you would think that if you configured SHA-1 first and then MD5 it would simply fail on SHA-1 and then try MD5.  This is not the case, however.  The MDS configuration guide mentions it as follows:

Caution RADIUS and TACACS+ protocols always use MD5 for CHAP authentication. Using SHA-1 as the hash algorithm may prevent RADIUS and TACACS+ usage—even if these AAA protocols are enabled for DHCHAP authentication.

Personally I think it's a bit misleading, because unless someone can offer up an exception, I believe that it will not work, not may not work.

T11 explains this further in Annex A of FC-SP, the RADIUS Implementation Guide (Informative).  Here is the relevant passage from the document.

A.3.3 Digest Algorithm
Use of SHA-1 is allowed in FC-SP but will lead to interoperability issues with existing implementations that are built around MD5. MD5 is needed for interoperation with existing RADIUS Server implementations. Since SHA-1 is stronger than MD5, it can be used where legacy interoperation is not needed. Both algorithms can coexist in the same SAN.

The annex lays out how the FC-SP protocol maps onto RADIUS and gives several examples where supporting SHA-1 would require modifying the protocol in ways that break legacy RADIUS implementations.
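To make the RADIUS side of this concrete, here is an added example in Python (not code from this post, from Cisco, or from T11) that models the mapping Annex A describes for the NULL DH group only: the responder's CHAP response, the RFC 2865 CHAP-Password and CHAP-Challenge attributes the switch would send as a RADIUS client, and a RADIUS server that verifies with MD5 because RFC 1994 CHAP is defined over MD5. It goes one step beyond the post by also walking an AAA method list so the fall-through to local is visible. The `authenticate` helper, the method list, the secret values and the sample challenge are assumptions made for illustration; FC-SP's DH transformation, transaction-ID framing and the TACACS+ path are not reproduced.

```python
import hashlib
import hmac
import os

# RFC 2865 attribute types. CHAP-Password (type 3) carries the CHAP ident followed by
# a 16-octet response; RFC 1994 CHAP defines that response as an MD5 digest.
ATTR_CHAP_PASSWORD = 3
ATTR_CHAP_CHALLENGE = 60
CHAP_RESPONSE_LEN = 16


def chap_response(hash_name, ident, secret, challenge):
    """Responder side: H(ident || secret || challenge) in RFC 1994 byte order.
    hash_name mirrors the HashList entry the peers agreed on ("md5" or "sha1").
    Assumption: the FC-SP DH transform and transaction-ID framing are not modelled."""
    h = hashlib.new(hash_name)
    h.update(bytes([ident]) + secret + challenge)
    return h.digest()


def build_access_request(ident, response, challenge):
    """Switch acting as RADIUS client: pack the result into RADIUS attributes.
    A response that is not 16 octets (i.e. not MD5) has no attribute to travel in."""
    if len(response) != CHAP_RESPONSE_LEN:
        raise ValueError(
            f"CHAP-Password holds exactly {CHAP_RESPONSE_LEN} octets, "
            f"got {len(response)}: not an MD5 response")
    return {
        ATTR_CHAP_PASSWORD: bytes([ident]) + response,
        ATTR_CHAP_CHALLENGE: challenge,
    }


def radius_server_verify(attrs, secret):
    """RADIUS server side: recompute MD5(ident || secret || challenge) and compare.
    The server has no notion of any other hash; MD5 is baked into CHAP itself."""
    ident = attrs[ATTR_CHAP_PASSWORD][0]
    response = attrs[ATTR_CHAP_PASSWORD][1:]
    expected = hashlib.md5(bytes([ident]) + secret + attrs[ATTR_CHAP_CHALLENGE]).digest()
    return hmac.compare_digest(expected, response)


def local_verify(hash_name, ident, response, secret, challenge):
    """Local database on the switch: can recompute with whichever hash was negotiated."""
    return hmac.compare_digest(chap_response(hash_name, ident, secret, challenge), response)


def authenticate(hash_name, aaa_methods, device_secret, server_secret=None,
                 ident=1, challenge=None):
    """Run one verification through the AAA method list in order (hypothetical helper).

    aaa_methods is e.g. ["radius", "local"]. A method that cannot carry the request
    at all is skipped, which is the fall-through the post describes.
    Returns (method_that_gave_the_verdict, accepted), or (None, False) if no
    configured method could handle the request.
    """
    server_secret = device_secret if server_secret is None else server_secret
    challenge = challenge or os.urandom(16)
    response = chap_response(hash_name, ident, device_secret, challenge)
    for method in aaa_methods:
        if method == "radius":
            try:
                attrs = build_access_request(ident, response, challenge)
            except ValueError:
                continue  # RADIUS is unusable for this hash: try the next AAA method
            return method, radius_server_verify(attrs, server_secret)
        if method == "local":
            return method, local_verify(hash_name, ident, response, server_secret, challenge)
    return None, False


if __name__ == "__main__":
    secret = b"constructed-dhchap-secret"  # constructed sample input, not a real key
    for negotiated in ("md5", "sha1"):
        print(negotiated, "->", authenticate(negotiated, ["radius", "local"], secret))
```

With `md5` the verdict comes from RADIUS. With `sha1` the 20-octet response cannot be packed into the 16-octet CHAP-Password attribute, so the RADIUS method is skipped entirely and `local` answers instead, which is the outcome the post reports; with only RADIUS configured, nothing can authenticate the device.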

Just something to keep in mind when configuring FC-SP with SHA-1 and using AAA RADIUS or TACACS+. This limitation does not exist with local authentication.
