|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: iSCSI:SRPOn Fri, 5 Apr 2002, Bernard Aboba wrote: > >I would be very comfortable saying just do CHAP over an encrypted >link, so > >you don't have the vulnerabilities of CHAP because the link >is protected > >by a must implement IPsec layer... > > The problem is that IPsec is *must implement* not *must use*. Therefore an > iSCSI authentication mechanism needs to be secure even when IPsec is not > turned on. I disagree with the premise I perceive underlying your assumption (if the premise isn't there, I apologize :-). I agree that it is important that we have secure methods for authentication. I disagree that means we HAVE to use SRP (a la MUST & friends). Even if we just chose CHAP as the minimum authentication, we have a fairly strong authentication option in the minimum-interpoerability aspect of the spec (IPsec + CHAP). Each end will be required to support it. Yes, as you point out above, an administrator might choose not to use it. Is that our problem? Our concern, yes, but isn't that fundamentally the admin's problem? s/he turned IPsec off, after all (for each end to follow the spec, it had to have been there as an option to turn off). I agree that it would be good to have alternatives, and I am happy for SRP to be one of them. But as long as we have options that the admin can turn on and off (like as long as CHAP is an option at all), an admin can get into an unsafe (insecure) operating mode. We will need to tell admins, "these settings are unsafe, don't use them w/o knowing what you're doing." Regardless of whether or not SRP is the primary authentication method. So I don't see how making SRP the primary authentication method helps any. Take care, Bill
Home Last updated: Fri Apr 12 08:18:30 2002 9620 messages in chronological order |