RE: iSCSI: Login authentication SRP/CHAP

[Paul Koning <ni1d@arrl.net>]

Excerpt of message (sent 24 October 2001) by Bill Strahm:
> What do you mean... I have a MUST implement 3DES, SHA1, MD5, and DES (from
> the IPsec requirements) all though IPS wants to put a SHOULD NOT implement
> DES requirement in...

I thought that the IPS security draft made confidentiality optional,
but apparently either I'm confused or I was thinking about an older
version of that spec.

> ...  Just because
> a link isn't encrypted doesn't mean it isn't secure (I can have a link in a
> guarded and locked room surrounded by M-16 wielding Marines -- I defy you to
> snoop it)

Agreed, which is one of the problems with an IPSec (or other crypto)
mandate.

> I disagree with your call saying that there is not rough concensus to use
> IPsec with iSCSI.  I believe David Black (correct me if I am wrong here
> David) has said the group has rough concensus to use IPsec as the security
> solution.  Now it might be that the rough concensus is there because it is a
> forced solution from the IESG, ...

That's a peculiar use of the term "consensus", if your speculation is
accurate.  My comment was based on observation of this list: I've seen
a bunch of debate on the topic, and my reading of it is that there was
(a) substantial opposition, (b) no clear technical justification for
why "MUST" was needed.  My reading of the IETF standards process is
that technical considerations are supposed to govern standardization
decisions, which is why I raised the point.

     paul