    RE: iSCSI Security rough consensus



    See below:
    > 
    > > > By comparison to full IPSec with IKE, using
    > > > SRP to key ESP does not improve security.
    > 
    > Actually, if the comparison is SRP vs. IKE using shared keys, that's not
    > really true. IKE Shared Key auth is susceptible to man-in-the-middle
    > attack in that in Main Mode unless the IP addresses of the correspondents
    > are fixed, there is no way to tie an IP address to an appropriate shared
    > key. In practice this means the shared group keys must be used. Using the
    > same shared group key to protect iSCSI for thousands of initiators lacks
    > credibility, because anyone with the group key (e.g. anyone in the entire
    > org) can impersonate anyone else. Thus for IKE use in iSCSI, it would seem
    > that only cert-based auth is tenable. In the most recent survey data I've
    > seen, less than 15 percent of enterprises have any plans to deploy
    > certificates. So unless you've got a credible transition solution
    > (e.g. GetCert, PIC, etc.) it'll be a hard sell.
    
    ...perhaps only 15% of enterprises ARE concerned about security.
    I don't know...just wondering....
    
    I don't know if this is that hard of a sell, since there
    are already many available products that do cert-based
    IKE authentication.  The availability of certificate-based
    products and infrastructure is NOT a barrier.
    
    > 
    > On the other hand, with SRP, it is possible to identify the endpoints
    > prior to authentication a la aggressive mode, and thus to maintain
    > separate passwords for each initiator-target pair. SRP is resistant to
    > dictionary attacks or compromise of the password database. 
    > 
    > > What I think I'm hearing you say is that you
    > > are evaluating whether to REQUIRE SRP keying of
    > > ESP/IPSec because it's easier to do than IKE.
    > 
    > Ease of implementation is *not* the only issue. There is a functionality
    > issue as well. If you need shared key authentication for hosts with
    > dynamic IP addresses, IKE Main Mode is not a credible solution.
    
    For authentication of hosts with dynamic IP addresses, I could
    use IKE with cert-based FQDN (or iSCSI Name) authentication.
    That is just as viable as SRP keying of ESP/IPSec.  Or if security
    is that important to me, I wouldn't use dynamic IP addresses.  All
    I am saying is that SRP keying of ESP isn't the only choice.  That's
    why it shouldn't be REQUIRED.
    
    Josh
    > 
    > 
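The key-selection problem debated in this thread, as an added example that is not part of the original message: in IKE Main Mode with pre-shared keys, RFC 2409 derives SKEYID = prf(pre-shared-key, Ni_b | Nr_b), and the ID payload arrives encrypted under keys derived from it, so the responder can choose the key only by source IP. The peer table, names, keys and the HMAC-SHA1 prf are assumptions made for the sketch.

```python
import hashlib
import hmac
import os

def skeyid(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    # RFC 2409, pre-shared key auth: SKEYID = prf(pre-shared-key, Ni_b | Nr_b).
    # HMAC-SHA1 is assumed as the negotiated prf.
    return hmac.new(psk, ni + nr, hashlib.sha1).digest()

# Constructed responder configuration (all values are sample data).
NAME_A = "iqn.2001-04.com.example:initiator-a"
NAME_B = "iqn.2001-04.com.example:initiator-b"
PSK_BY_IP = {"192.0.2.10": b"key-for-initiator-a"}      # fixed-address peer
PSK_BY_NAME = {NAME_A: b"key-for-initiator-a",
               NAME_B: b"key-for-initiator-b"}
GROUP_PSK = b"shared-group-key"

def main_mode_select(src_ip: str):
    """Main Mode: identity is still encrypted when the key is needed, so the
    lookup is by source IP; unknown (dynamic) addresses get the group key."""
    if src_ip in PSK_BY_IP:
        return PSK_BY_IP[src_ip], "per-peer"
    return GROUP_PSK, "group"

def identity_first_select(claimed_name: str):
    """Identity sent before authentication (Aggressive Mode style, as the
    thread describes for SRP): the key is looked up by the claimed name."""
    return PSK_BY_NAME[claimed_name], "per-peer"

def authenticates(responder_psk: bytes, initiator_psk: bytes) -> bool:
    """True when both ends derive the same SKEYID for one nonce pair."""
    ni, nr = os.urandom(16), os.urandom(16)
    return hmac.compare_digest(skeyid(responder_psk, ni, nr),
                               skeyid(initiator_psk, ni, nr))

if __name__ == "__main__":
    # Dynamic address: the responder falls back to the group key, so every
    # holder of that key passes and none can be told apart from another.
    psk, kind = main_mode_select("198.51.100.77")
    print(kind, authenticates(psk, GROUP_PSK))
    # Identity-first lookup: initiator A's key does not authenticate as B.
    psk, kind = identity_first_select(NAME_B)
    print(kind, authenticates(psk, PSK_BY_NAME[NAME_A]))
```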
    



Last updated: Tue Sep 04 01:04:46 2001