
    Re: iSCSI:SRP



    On Fri, 5 Apr 2002, Bernard Aboba wrote:
    
    > >I would be very comfortable saying just do CHAP over an encrypted link, so
    > >you don't have the vulnerabilities of CHAP because the link is protected
    > >by a must implement IPsec layer...
    >
    > The problem is that IPsec is *must implement* not *must use*. Therefore an
    > iSCSI authentication mechanism needs to be secure even when IPsec is not
    > turned on.
    
    I disagree with the premise I perceive underlying your assumption (if the
    premise isn't there, I apologize :-). I agree that it is important that
    we have secure methods for authentication. I disagree that means we HAVE
    to use SRP (a la MUST & friends).
    
    Even if we just chose CHAP as the minimum authentication, we have a fairly
    strong authentication option in the minimum-interoperability aspect of the
    spec (IPsec + CHAP). Each end will be required to support it. Yes, as you
    point out above, an administrator might choose not to use it. Is that our
    problem? Our concern, yes, but isn't that fundamentally the admin's
    problem? s/he turned IPsec off, after all (for each end to follow the
    spec, it had to have been there as an option to turn off).
    
    I agree that it would be good to have alternatives, and I am happy for SRP
    to be one of them. But as long as we have options that the admin can turn
    on and off (like as long as CHAP is an option at all), an admin can get
    into an unsafe (insecure) operating mode. We will need to tell admins,
    "these settings are unsafe, don't use them w/o knowing what you're doing,"
    regardless of whether or not SRP is the primary authentication method.
    
    So I don't see how making SRP the primary authentication method helps any.
    
    Take care,
    
    Bill
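The argument above turns on the gap between "must implement" and "must use": CHAP is acceptable when the link really is protected by IPsec, weak when IPsec is present but switched off, and SRP holds up on an unprotected link. The following is an added example, not code from this thread or from any iSCSI implementation, showing how a configuration audit could flag that gap before a session is brought up. Endpoint, negotiate_auth, assess and the field names are hypothetical; the method names CHAP and SRP are the ones discussed above.

```python
"""Audit an iSCSI initiator/target pairing for the 'implemented vs. used'
gap: flag sessions where CHAP would be negotiated over a link that both
ends could protect with IPsec but where an admin has turned it off.
Hypothetical model, not iSCSI login-negotiation code."""

from dataclasses import dataclass, field

# Methods that remain safe on an unprotected link. SRP does not hand an
# eavesdropper password-derived material; CHAP does, so it is not listed.
SAFE_WITHOUT_IPSEC = {"SRP"}


@dataclass
class Endpoint:
    name: str
    implements_ipsec: bool                # what the spec says MUST be there
    ipsec_enabled: bool                   # what the admin actually turned on
    auth_methods: list = field(default_factory=list)  # in preference order


def negotiate_auth(initiator, target):
    """Pick the first initiator-preferred method the target also offers."""
    for method in initiator.auth_methods:
        if method in target.auth_methods:
            return method
    return "None"


def assess(initiator, target):
    """Return (verdict, warnings) for the session these two ends would form."""
    warnings = []
    for ep in (initiator, target):
        if not ep.implements_ipsec:
            warnings.append(f"{ep.name}: IPsec not implemented (non-compliant)")

    # IPsec only protects the link if both ends implement it AND have it on.
    ipsec_used = all(ep.implements_ipsec and ep.ipsec_enabled
                     for ep in (initiator, target))

    method = negotiate_auth(initiator, target)
    if method == "None":
        return "unsafe", warnings + ["no common authentication method"]
    if ipsec_used or method in SAFE_WITHOUT_IPSEC:
        return "safe", warnings

    # Weak method on an unprotected link: say exactly which end opted out.
    for ep in (initiator, target):
        if ep.implements_ipsec and not ep.ipsec_enabled:
            warnings.append(f"{ep.name}: IPsec implemented but turned off")
    warnings.append(f"{method} negotiated on an unprotected link: these "
                    "settings are unsafe, don't use them without knowing "
                    "what you're doing")
    return "unsafe", warnings


if __name__ == "__main__":
    # Constructed sample: compliant ends, target admin switched IPsec off.
    init = Endpoint("initiator", True, True, ["CHAP"])
    tgt = Endpoint("target", True, False, ["CHAP", "SRP"])
    verdict, notes = assess(init, tgt)
    print(verdict)
    for note in notes:
        print(" -", note)
```

The audit reports "safe" for CHAP only when both ends have IPsec on, and for SRP regardless of IPsec, which is the distinction the message draws: the spec guarantees the option exists, and the check tells the admin when turning it off has left CHAP exposed.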
    
    

    • References:
      • Re: iSCSI:SRP
        • From: "Bernard Aboba" <bernard_aboba@hotmail.com>



Last updated: Fri Apr 12 08:18:30 2002