RE: iSCSI:SRP

At 04:14 PM 4/3/02 -0800, Bill Studenmund wrote:
>While I gather it wasn't always so, IPsec is now the primary form of
>security for iSCSI connections. Whatever login method is chosen, it will
>(should) be happening in an ESP-protected channel. ESP will be set up
>before iSCSI login. ...

For what it's worth, I think people have already argued against that point.

>... That limits who can perform the attacks CHAP is
>vulnerable to to persons with some level of trust on the involved
>machines. If someone can snoop clear text which is usually protected by
>ESP (i.e. they are root on an endpoint), then what method we choose
>doesn't really matter; the attacker could just snoop the process's memory
>and find the clear text password used for the authentication.

That point of the relative benefit of SRP in conjunction with IPsec may be true in some cases, but not others. One might choose to use an authentication server that, say, provides stronger containment of password data. When used in conjunction with a strong protocol, other nodes don't get that snoop or snoop-and-crack capability.

-- David
Last updated: Thu Apr 04 14:18:20 2002