RE: iSCSI:SRP

David,

Interesting issue. In practice, many sites with substantial RADIUS authentication needs (e.g. dialup POPs, etc.) rely on a separate, isolated network for authentication traffic, network management via SNMP, etc. to avoid concerns such as you mention, as well as avoiding DoS attacks from the outside directed at the RADIUS infrastructure. Alternatives that can provide comparable security in a flat, open network environment are desirable, so it seems that some wording is needed to describe this risk and offer other solutions, which might include using IPsec to the RADIUS server, or applying IP filtering in your network infrastructure to prevent unwanted propagation of RADIUS messages. On the other hand, a fix involving replacing or upgrading the RADIUS infrastructure has a pretty high barrier to deployment, and should be avoided if possible.

- milan

> -----Original Message-----
> From: Black_David@emc.com [mailto:Black_David@emc.com]
> Sent: Thursday, April 04, 2002 2:44 PM
>
> *snip*
>
> In the hopes of getting this back onto a more productive path, let
> me toss in a technical issue. DH-CHAP will be compatible with
> existing RADIUS servers (same signature format, and the recipient of
> the response can compute the challenge that the sender should have
> signed), BUT ... there's a problematic security issue. Existing
> RADIUS servers want the challenge and response sent to them, over
> connections that usually aren't encrypted. If the DH-CHAP response
> and computed challenge are sent over such a connection, a passive
> eavesdropper on that connection gains the material to mount a
> dictionary attack as if she'd monitored a CHAP exchange (i.e.,
> sending the DH-CHAP results to RADIUS in the clear may negate the DH
> advantages).
>
> This would be a major drawback to using DH-CHAP with existing RADIUS
> (and the like) servers if one can generally expect an eavesdropper on
> the IP Storage connection to also be able to eavesdrop on the
> connection to the RADIUS server - do people think that is likely to
> be or not be the case in general, and why?
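A toy model of the exposure David describes, added here as an example and not part of the thread: it contrasts what a passive observer of the iSCSI link sees with what an observer of an unprotected RADIUS link sees. The CHAP response follows RFC 1994; the DH-CHAP "effective challenge" transform, the toy DH group and all sample values are constructed assumptions, not the real iSCSI or FC-SP definitions.

```python
# Added example: why forwarding DH-CHAP material to RADIUS in the clear
# restores the offline-guessing risk that DH was meant to remove.
import hashlib
import secrets

P, G = 0xFFFFFFFB, 5   # constructed toy DH group; far too small for real use


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def dh_chap_effective_challenge(challenge: bytes, shared: int) -> bytes:
    """Assumed DH-CHAP transform (simplified): the value actually signed
    mixes the plaintext challenge with the DH shared secret g^xy, so an
    observer who does not hold g^xy cannot reconstruct it."""
    return hashlib.md5(challenge + shared.to_bytes(4, "big")).digest()


def run_dh_chap(identifier: int, secret: bytes, challenge: bytes):
    """Return (what crosses the iSCSI link, what is forwarded to RADIUS)."""
    x, y = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
    gx, gy = pow(G, x, P), pow(G, y, P)
    shared = pow(gy, x, P)                 # equals pow(gx, y, P)
    eff = dh_chap_effective_challenge(challenge, shared)
    resp = chap_response(identifier, secret, eff)
    # iSCSI link: plaintext challenge, DH public values, response.
    iscsi_wire = {"identifier": identifier, "challenge": challenge,
                  "gx": gx, "gy": gy, "response": resp}
    # RADIUS link: the effective challenge and response, exactly what a
    # legacy CHAP-speaking RADIUS server needs to verify the response.
    radius_wire = {"identifier": identifier, "challenge": eff, "response": resp}
    return iscsi_wire, radius_wire


def observer_can_confirm_secret(observed: dict, candidate: bytes) -> bool:
    """Can a passive observer of `observed` confirm a candidate secret?
    Only if the challenge that was actually signed is visible next to the
    response; on the iSCSI link the visible challenge is not that value."""
    if "challenge" not in observed or "response" not in observed:
        return False
    expected = chap_response(observed["identifier"], candidate, observed["challenge"])
    return expected == observed["response"]
```

Protecting the RADIUS leg (IPsec, or filtering that keeps it off the open network, as milan suggests) removes the second dictionary from the observer's view; the iSCSI link alone never exposed it.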