|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] RE: iSCSI Security rough consensusSee below: > > > > By comparison to full IPSec with IKE, using > > > SRP to key ESP does not improve security. > > Actually, if the comparison is SRP vs. IKE using shared keys, > that's not > really true. IKE Shared Key auth is susceptible to man-in-the-middle > attack in that in Main Mode unless the IP addresses of the > correspondents > are fixed, there is no way to tie an IP address to an > appropriate shared > key. In practice this means the shared group keys must be > used. Using the > same shared group key to protect iSCSI for thousands of > initiators lacks > credibility, because anyone with the group key (e.g. anyone > in the entire > org) can impersonate anyone else. Thus for IKE use in iSCSI, > it would seem > that only cert-based auth is tenable. In the most recent > survey data I've > seen, less than 15 percent of enterprises have any plans to deploy > certificates. So unless you've got a credible transition solution > (e.g. GetCert, PIC, etc.) it'll be a hard sell. ...perhaps only 15% of enterprises ARE concerned about security. I don't know...just wondering.... I don't know if this is that hard of a sell, since there are already many available products that do cert-based IKE authentication. The availability of certificate-based products and infrastructure is NOT a barrier. > > On the other hand, with SRP, it is possible to identify the endpoints > prior to authentication a la aggressive mode, and thus to maintain > separate passwords for each initiator-target pair. SRP is resistent to > dictionary attacks or compromise of the password database. > > > What I think I'm hearing you say is that you > > are evaluating whether to REQUIRE SRP keying of > > ESP/IPSec because its easier to do than IKE. > > Ease of implementation is *not* the only issue. There is a > functionality > issue as well. If you need shared key authentication for hosts with > dynamic IP addresses, IKE Main Mode is not a credible solution. For authentication of hosts with dynamic IP addresses, I could use IKE with cert-based FQDN (or iSCSI Name) authentication. That is just as viable as SRP keying of ESP/IPSec. Or if security is that important to me, I wouldn't use dynamic IP addresses. All I am saying is that SRP keying of ESP isn't the only choice. That's why it shouldn't be REQUIRED. Josh > >
Home Last updated: Tue Sep 04 01:04:46 2001 6315 messages in chronological order |