Re: iSCSI:SRP

While answering minor issues on why CHAP MAY not work, you haven't answered my main objection, and that is how do you get SRP to work in a legacy RADIUS environment. In that environment the iSCSI endpoint WILL NOT have access to the username/password that SRP needs to calculate the validity of the credentials. CHAP was designed to work with RADIUS; I do not see how I can get SRP to work with RADIUS without upgrading the RADIUS servers to become SRP aware and just pass the tokens to the RADIUS server and have it determine if the credentials are valid...

This makes it very difficult for me to insert SRP into my customers' environments. For that reason I MUST implement CHAP. I prefer a single authentication protocol, so would prefer SRP to be a SHOULD/MAY.

Bill

On Thu, Apr 04, 2002 at 05:04:03PM -0500, David Jablon wrote:
> At 04:14 PM 4/3/02 -0800, Bill Studenmund wrote:
> >While I gather it wasn't always so, IPsec is now the primary form of
> >security for iSCSI connections. Whatever login method is chosen, it will
> >(should) be happening in an ESP-protected channel. ESP will be set up
> >before iSCSI login. ...
>
> For what it's worth, I think people have already argued against that point.
>
> >... That limits who can perform the attacks CHAP is
> >vulnerable to to persons with some level of trust on the involved
> >machines. If someone can snoop clear text which is usually protected by
> >ESP (i.e. they are root on an endpoint), then what method we choose
> >doesn't really matter; the attacker could just snoop the process's memory
> >and find the clear text password used for the authentication.
>
> That point of the relative benefit of SRP in conjunction with IPsec
> may be true in some cases, but not others.
> One might choose to use an authentication server that, say, provides
> stronger containment of password data. When used in conjunction with
> a strong protocol, other nodes don't get that snoop or snoop-and-crack
> capability.
>
> -- David
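The topology Bill describes, as an added worked example that is not part of the thread and not code from any iSCSI or RADIUS implementation: the iSCSI target issues the CHAP challenge but holds no passwords, and forwards the (username, identifier, challenge, response) tuple to a RADIUS server that does. The CHAP computation is the one in RFC 1994 and RFC 3720 (CHAP_R = MD5(CHAP_I || secret || CHAP_C)); the class names, the in-process RADIUS model and the credential store are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample credential store. In the deployment the mail describes,
# this lives only on the legacy RADIUS server; the iSCSI target never holds it.
RADIUS_USER_SECRETS = {
    "initiator01": b"constructed-example-secret-7f3a",
}


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP response as defined by RFC 1994 and used by iSCSI (RFC 3720):
    CHAP_R = MD5(CHAP_I || secret || CHAP_C), a 16-byte digest."""
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class RadiusServer:
    """Hypothetical in-process model of a legacy RADIUS server. It holds the
    per-user secrets and verifies a forwarded CHAP exchange, which is what the
    CHAP-Password / CHAP-Challenge attributes of RFC 2865 carry."""

    def __init__(self, user_secrets):
        self._user_secrets = user_secrets

    def access_request(self, username, identifier, challenge, response):
        secret = self._user_secrets.get(username)
        if secret is None:
            return False  # unknown user: Access-Reject
        expected = chap_response(identifier, secret, challenge)
        # Constant-time comparison so a mismatch is not leaked byte by byte.
        return hmac.compare_digest(expected, response)


class IscsiTarget:
    """iSCSI target acting as a RADIUS client. It issues the challenge and
    forwards the initiator's answer; it has no copy of any password, which is
    why this topology cannot run SRP without an SRP-aware server: SRP needs
    the verifier on the node that performs the exchange."""

    def __init__(self, radius):
        self._radius = radius

    def start_chap(self):
        identifier = secrets.randbelow(256)
        challenge = secrets.token_bytes(16)  # fresh random challenge per login
        return identifier, challenge

    def finish_chap(self, username, identifier, challenge, response):
        return self._radius.access_request(username, identifier, challenge, response)


class Initiator:
    """iSCSI initiator that knows its own secret."""

    def __init__(self, username, secret):
        self.username = username
        self._secret = secret

    def answer(self, identifier, challenge):
        return chap_response(identifier, self._secret, challenge)


def run_login(username, initiator_secret, user_secrets=RADIUS_USER_SECRETS):
    """Full exchange: target -> initiator (challenge), initiator -> target
    (response), target -> RADIUS (forwarded tuple). Returns True on Access-Accept."""
    target = IscsiTarget(RadiusServer(user_secrets))
    initiator = Initiator(username, initiator_secret)
    identifier, challenge = target.start_chap()
    response = initiator.answer(identifier, challenge)
    return target.finish_chap(username, identifier, challenge, response)


if __name__ == "__main__":
    print("valid secret ->", run_login("initiator01", RADIUS_USER_SECRETS["initiator01"]))
    print("wrong secret ->", run_login("initiator01", b"guess"))
    print("unknown user ->", run_login("nobody", b"x"))
```

The forwarded tuple is also the whole of what an observer of the target-to-RADIUS leg (or of an unprotected iSCSI login) would see, and a captured challenge/response pair can be checked offline against guessed secrets; that is the "snoop-and-crack" exposure the quoted reply refers to, and it is why CHAP secrets should be long and random and why the exchange is expected to run inside ESP.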