
    RE: iSCSI: Login authentication SRP/CHAP



    Excerpt of message (sent 23 October 2001) by Bill Strahm:
    > ...
    > I would rather that A SINGLE usable algorithm is labeled MUST implement (if
    > you must in fact specify a MUST implement at all) and the others are left as
    > SHOULD implement.  You are right, a clear text Username-> Password-> challenge
    > response works great with a secure link (heck I do it every day with SSH)
    > The idea is usable...
    >
    > Again, if the problem is that no one will implement IPsec/use IPsec, then
    > the problem seems to be with IPsec; let's either make it usable, or pick
    > another security protocol that is deployable.
    
    There seem to be two issues.
    
    1. The IPSec requirement, as stated in the security draft, is that
    integrity is mandatory but confidentiality is optional to implement.
    So in fact there is no mandatory-to-implement lower layer
    confidentiality mechanism that protects the login authentication
    handshake.  If the only vulnerability of a proposed login
    authentication protocol is in the presence of replay attacks, the
    IPSec based integrity requirement suffices.  If, however, the
    mechanism is vulnerable to dictionary attacks or other similar
    problems that require only passive attack, then IPSec based integrity
    is of no help and its status is irrelevant.
    
    2. It is not clear whether the "rough consensus" required to
    incorporate a mandate for IPSec in iSCSI exists in this working
    group.  There is significant question as to whether it makes technical
    sense as written.
    
    The issue with IPSec implementation/use is not a problem with IPSec
    that can be resolved by picking a different security protocol.
    Instead, it is with the choice of requirements as currently stated in
    the security draft vs. the requirements of a major part of the user
    community for iSCSI.
    
          paul
    
    
Last updated: Wed Oct 24 12:17:32 2001