Re: ISCSI: User authentication vs. Machine Authentication for iSCSI

To: John Hufferd <hufferd@us.ibm.com>
Subject: Re: ISCSI: User authentication vs. Machine Authentication for iSCSI
From: Mark Bakke <mbakke@cisco.com>
Date: Fri, 31 Aug 2001 12:48:33 -0500
CC: Bill Strahm <bill@sanera.net>, "Ips@Ece. Cmu. Edu" <ips@ece.cmu.edu>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=us-ascii
References: <OF7F53A14D.D8E9C3B4-ON88256AB7.0061F075@boulder.ibm.com>
Sender: owner-ips@ece.cmu.edu

John-

Just wanted to point out that CHAP does not send passwords
in the clear; it hashes them.  The reason that SRP was chosen
as the MUST over CHAP is that in a non-IPsec environment, 
the CHAP exchange is not as robust as SRP's exchange, and is
more vulnerable to some types of attacks (I can't remember
which ones off-hand).  IPsec provides an authenticated
environment in which to do the CHAP exchange, which takes
care of these potential problems.

--
Mark

John Hufferd wrote:
> 3. Chap can  be used in this environment since the Link is already secure
> and encrypted, and sending the password in what otherwise would have been
> in the clear, is protected by the link encryption.

-- 
Mark A. Bakke
Cisco Systems
mbakke@cisco.com
763.398.1054

References:
- Re: ISCSI: User authentication vs. Machine Authentication for iSCSI
  - From: "John Hufferd" <hufferd@us.ibm.com>

Prev by Date: iSCSI: error recovery striation for rev08 (Was: iSCSI - open issues - no discussion - recovery levels)
Next by Date: Re: IPS Draft charter revision
Prev by thread: Re: ISCSI: User authentication vs. Machine Authentication for iSCSI
Next by thread: RE: ISCSI: User authentication vs. Machine Authentication for iSCSI
Index(es):
- Date
- Thread

Home

Last updated: Tue Sep 04 01:03:48 2001
6315 messages in chronological order