RE: iSCSI Security rough consensus

To: "'Bernard Aboba'" <aboba@internaut.com>
Subject: RE: iSCSI Security rough consensus
From: Joshua Tseng <jtseng@NishanSystems.com>
Date: Fri, 4 May 2001 17:07:48 -0700
Cc: "'Black_David@emc.com'" <Black_David@emc.com>, ips@ece.cmu.edu
Content-Type: text/plain;charset="iso-8859-1"
Sender: owner-ips@ece.cmu.edu

See below:
> 
> > > By comparison to full IPSec with IKE, using
> > > SRP to key ESP does not improve security.
> 
> Actually, if the comparison is SRP vs. IKE using shared keys, 
> that's not
> really true. IKE Shared Key auth is susceptible to man-in-the-middle
> attack in that in Main Mode unless the IP addresses of the 
> correspondents
> are fixed, there is no way to tie an IP address to an 
> appropriate shared
> key. In practice this means the shared group keys must be 
> used. Using the
> same shared group key to protect iSCSI for thousands of 
> initiators lacks
> credibility, because anyone with the group key (e.g. anyone 
> in the entire
> org) can impersonate anyone else. Thus for IKE use in iSCSI, 
> it would seem
> that only cert-based auth is tenable. In the most recent 
> survey data I've
> seen, less than 15 percent of enterprises have any plans to deploy
> certificates. So unless you've got a credible transition solution
> (e.g. GetCert, PIC, etc.) it'll be a hard sell.

...perhaps only 15% of enterprises ARE concerned about security.
I don't know...just wondering....

I don't know if this is that hard of a sell, since there
are already many available products that do cert-based
IKE authentication.  The availability of certificate-based
products and infrastructure is NOT a barrier.

> 
> On the other hand, with SRP, it is possible to identify the endpoints
> prior to authentication a la aggressive mode, and thus to maintain
> separate passwords for each initiator-target pair. SRP is resistent to
> dictionary attacks or compromise of the password database. 
> 
> > What I think I'm hearing you say is that you
> > are evaluating whether to REQUIRE SRP keying of
> > ESP/IPSec because its easier to do than IKE.
> 
> Ease of implementation is *not* the only issue. There is a 
> functionality
> issue as well. If you need shared key authentication for hosts with
> dynamic IP addresses, IKE Main Mode is not a credible solution. 

For authentication of hosts with dynamic IP addresses, I could
use IKE with cert-based FQDN (or iSCSI Name) authentication.
That is just as viable as SRP keying of ESP/IPSec.  Or if security
is that important to me, I wouldn't use dynamic IP addresses.  All
I am saying is that SRP keying of ESP isn't the only choice.  That's
why it shouldn't be REQUIRED.

Josh
> 
>

Prev by Date: RE: iSCSI Security rough consensus
Next by Date: RE: iSCSI: multiple sessions b/n a pair of WWUIs.
Prev by thread: RE: iSCSI Security rough consensus
Next by thread: RE: iSCSI Security rough consensus
Index(es):
- Date
- Thread

Home

Last updated: Tue Sep 04 01:04:46 2001
6315 messages in chronological order