RE: iSCSI: Login authentication SRP/CHAP

[Paul Koning <ni1d@arrl.net>]

Excerpt of message (sent 23 October 2001) by Bill Strahm:
> ...
> I would rather that A SINGLE usable algorithm is labeled MUST implement (if
> you must in fact specify a MUST implement at all) and the others are left as
> SHOULD implment.  You are right a clear text Username-> Password-> challenge
> response works great with a secure link (heck I do it every day with SSH)
> The idea is usable...
>
> Again if the problem is that no one will implmement IPsec/use IPsec, then
> the problem seems to be with IPsec, lets either make it usable, or pick
> another security protocol that is deployable.

There seem to be two issues.

1. The IPSec requirement, as stated in the security draft, is that
integrity is mandatory but confidentiality is optional to implement.
So in fact there is no mandatory-to-implement lower layer
confidentiality mechanism that protects the login authentication
handshake.  If the only vulnerability of a proposed login
authentication protocol is in the presence of replay attacks, the
IPSec based integrity requirement suffices.  If, however, the
mechanism is vulnerable to dictionary attacks or other similar
problems that require only passive attack, then IPSec based integrity
is of no help and its status is irrelevant.

2. It is not clear whether the "rough consensus" required to
incorporate a mandate for IPSec in iSCSI exists in this working
group.  There is significant question on whether it makes technical
sense as written.

The issue with IPSec implementation/use is not a problem with IPSec
that can be resolved by picking a different security protocol.
Instead, it is with the choice of requirements as currently stated in
the security draft vs. the requirements of a major part of the user
community for iSCSI.

      paul