
    RE: iSCSI:SRP



    David,
    
    Interesting issue.  In practice, many sites with substantial 
    RADIUS authentication needs (e.g. dialup POPs, etc) rely on 
    a separate, isolated network for authentication traffic, 
    network management via SNMP, etc to avoid concerns such 
    as you mention, as well as avoiding DoS attacks 
    from the outside directed at the RADIUS infrastructure.
    
    Alternatives that can provide comparable security in a flat, 
    open network environment are desirable, so it seems
    that some wording is needed to describe this risk and offer 
    other solutions, which might include using IPsec to the RADIUS
    server, or applying IP filtering in your network infrastructure 
    to prevent unwanted propagation of RADIUS messages.  
    On the other hand, a fix involving replacing or upgrading 
    the RADIUS infrastructure has a pretty high barrier to 
    deployment, and should be avoided if possible.
    
    - milan
    
    > -----Original Message-----
    > From: Black_David@emc.com [mailto:Black_David@emc.com]
    > Sent: Thursday, April 04, 2002 2:44 PM
    > 
    >  *snip*
    > 
    > In the hopes of getting this back onto a more productive path, let
    > me toss in a technical issue.  DH-CHAP will be compatible 
    > with existing RADIUS servers (same signature format, and the recipient of 
    > the response can compute what the challenge was that the sender should have
    > signed), BUT
    > ... there's a problematic security issue.  Existing RADIUS servers
    > want the challenge and response sent to them, over connections that
    > usually aren't encrypted.  If the DH-CHAP response and computed
    > challenge are sent over such a connection, a passive eavesdropper on
    > that connection gains the material to mount a dictionary attack as
    > if she'd monitored a CHAP exchange (i.e., sending the DH-CHAP results
    > to RADIUS in the clear may negate the DH advantages).  This would be
    > a major drawback to using DH-CHAP with existing RADIUS (and the like)
    > servers if one can generally expect an eavesdropper on the IP Storage
    > connection to also be able to eavesdrop on the connection to the
    > RADIUS server - do people think that is likely to be or not be the
    > case in general, and why?
    > 
    >  
    
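To make the exposure David describes concrete, here is an added example (my own code, not part of this thread or of any RADIUS or iSCSI implementation) that builds a RADIUS Access-Request carrying CHAP material in the RFC 2865 attribute layout and then decodes it the way a passive observer on the NAS-to-RADIUS path would, with no shared secret. Since the message above states that DH-CHAP reuses the CHAP signature format toward RADIUS, the plain CHAP-Password/CHAP-Challenge attributes stand in for the DH-CHAP response and computed challenge. Every value (the CHAP secret, the initiator name, the challenge and the Request Authenticator) is constructed for the demonstration, and all function names are my own.

```python
"""Constructed RADIUS Access-Request with CHAP attributes (RFC 2865 / RFC 1994).

Shows that the challenge and the CHAP response travel to the RADIUS server
as plain attributes: only User-Password is obfuscated with the RADIUS shared
secret, and CHAP does not use User-Password.
"""
import hashlib
import struct
from typing import Optional

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1          # RFC 2865 section 5.1
ATTR_CHAP_PASSWORD = 3      # RFC 2865 section 5.3: ident byte + 16-byte MD5 response
ATTR_CHAP_CHALLENGE = 60    # RFC 2865 section 5.40


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: type, length (header bytes included), value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def build_access_request(username: bytes, ident: int, chap_secret: bytes,
                         challenge: bytes, request_authenticator: bytes,
                         packet_id: int = 1) -> bytes:
    """What the NAS (here the iSCSI target) forwards to the RADIUS server."""
    if len(request_authenticator) != 16:
        raise ValueError("request authenticator must be 16 bytes")
    attrs = (encode_attr(ATTR_USER_NAME, username)
             + encode_attr(ATTR_CHAP_PASSWORD,
                           bytes([ident]) + chap_response(ident, chap_secret, challenge))
             + encode_attr(ATTR_CHAP_CHALLENGE, challenge))
    header = struct.pack("!BBH", ACCESS_REQUEST, packet_id, 20 + len(attrs))
    return header + request_authenticator + attrs


def parse_radius(packet: bytes) -> dict:
    """Decode header and attribute list; needs no RADIUS shared secret."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, packet_id, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs = []
    pos = 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return {"code": code, "id": packet_id,
            "authenticator": packet[4:20], "attrs": attrs}


def exposed_chap_material(packet: bytes) -> Optional[dict]:
    """Model of a passive observer on an unprotected NAS-to-RADIUS link.

    Returns the identifier, challenge and response if the packet carries
    them, which is exactly the material the thread is worried about.  When
    CHAP-Challenge is absent, RFC 2865 makes the Request Authenticator the
    challenge, so that case is exposed just the same.
    """
    parsed = parse_radius(packet)
    if parsed["code"] != ACCESS_REQUEST:
        return None
    by_type = dict(parsed["attrs"])
    if ATTR_CHAP_PASSWORD not in by_type:
        return None
    chap = by_type[ATTR_CHAP_PASSWORD]
    return {"user": by_type.get(ATTR_USER_NAME, b""),
            "ident": chap[0],
            "response": chap[1:],
            "challenge": by_type.get(ATTR_CHAP_CHALLENGE, parsed["authenticator"])}


if __name__ == "__main__":
    # Constructed values; a real NAS would draw the challenge and
    # authenticator from a random source.
    secret = b"constructed-chap-secret"
    challenge = bytes(range(16))
    authenticator = bytes([0x5A] * 16)
    pkt = build_access_request(b"iqn.example.initiator", 7, secret,
                               challenge, authenticator)
    seen = exposed_chap_material(pkt)
    print("observer recovers challenge:", seen["challenge"].hex())
    print("observer recovers response :", seen["response"].hex())
```

The point of `exposed_chap_material` is that it never takes a secret: whoever can read the UDP datagram to port 1812 holds the same inputs the RADIUS server uses for verification, which is why the thread's suggested mitigations (IPsec to the RADIUS server, or filtering so RADIUS traffic never leaves the management path) act on the transport rather than on the CHAP math.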
Last updated: Thu Apr 04 19:18:20 2002