
    RE: iSCSI:SRP



    At 04:14 PM 4/3/02 -0800, Bill Studenmund wrote:
    >While I gather it wasn't always so, IPsec is now the primary form of
    >security for iSCSI connections. Whatever login method is chosen, it will
    >(should) be happening in an ESP-protected channel. ESP will be set up
    >before iSCSI login. ...
    
    For what it's worth, I think people have already argued against that point.
    
    >... That limits who can perform the attacks CHAP is
    >vulnerable to to persons with some level of trust on the involved
    >machines. If someone can snoop clear text which is usually protected by
    >ESP (i.e. they are root on an endpoint), then what method we choose
    >doesn't really matter; the attacker could just snoop the process's memory
    >and find the clear text password used for the authentication.
    
    That point of the relative benefit of SRP in conjunction with IPsec
    may be true in some cases, but not others.
    One might choose to use an authentication server that, say, provides
    stronger containment of password data.  When used in conjunction with
    a strong protocol, other nodes don't get that snoop or snoop-and-crack
    capability.
    
    -- David
    
    



Last updated: Thu Apr 04 14:18:20 2002