SORT BY:

LIST ORDER
THREAD
AUTHOR
SUBJECT


SEARCH

IPS HOME


    [Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

    RE: iSCSI Security rough consensus



    >P.S.  Yes, I know that in fact there will need to be some
    >specifications written to indicate how to get from the SRP or CHAP
    >keying information to the low-level details of ESP, probably using an
    >AES cipher suite for speed.  The hope was to keep this part small and
    >simple enough that that it wouldn't actually be an explicit key
    >management layer ala IKE and KINK, although of course it would have to
    >perform at least a little of such functions.
    
    I wouldn't use "CHAP" and "keying information" in the same sentence.
    CHAP can't be use to derive credible keys, and it's quite vulnerable
    to dictionary attack. So it's one of the least desirable choices.
    
    The "specifications" for SRP keying, while simpler than IKE, 
    will probably end up deriving something quite similar to the keying
    material needed for Phase 1 and Phase 2 SAs, unless we can 
    convince ourselves that we really only need the equivalent of
    Phase 1. And re-key is probably required, too.
    
    But before we go down this road, I would *really* like to see
    a requirements document, spelling out what is needed and why
    in some detail. Not being a SCSI expert, it's sometimes hard
    to separate what iSCSI requires from what folks think IPSEC
    can deliver. If the requirements and justification were laid
    out in detail, I suspect the road ahead would be more obvious.
    
    Note that if the issue is purely password auth, then aggressive
    mode may be a potential answer. With SRP the identities are
    exposed anyway so one could hardly object to agresive mode on
    that score. If the issue is access to code, well
    there are open source IKE implementations at this point.
    SRP is actually slower than IKE computationally, so speed 
    can't be an argument. 
    
    
    


Home

Last updated: Tue Sep 04 01:04:43 2001
6315 messages in chronological order