RE: iSCSI: possible DH-CHAP rationale

To: Black_David@emc.com
Subject: RE: iSCSI: possible DH-CHAP rationale
From: "Ofer Biran" <BIRAN@il.ibm.com>
Date: Wed, 17 Apr 2002 21:11:29 +0300
Cc: ips@ece.cmu.edu
Content-type: text/plain; charset=us-ascii
Importance: Normal
Sender: owner-ips@ece.cmu.edu



David,

>That's correct, but I worry that it misses the forest for the trees.
>The upshot of this rationale seems to be that it's a reasonable
>security policy to not be worried about an attacker having one-at-a-time
>access to iSCSI systems, even if the attack providing that access
>can be replicated at will but to be sufficiently concerned about
>password compromise that provides similar access to justify deploying
>a very strong algorithm to prevent it.

I don't agree with the "can be replicated at will" and "similar access"
statements. It could be that the attacker had a one-time chance to attack
(and anyway it depends also on the initiator's will to connect again).
Obtaining the password does give a free ticket for that access and maybe
more.

  Regards,
   Ofer


Ofer Biran
Storage and Systems Technology
IBM Research Lab in Haifa
biran@il.ibm.com  972-4-8296253

Prev by Date: Re: iSCSI: DH-CHAP and SRP groups
Next by Date: Clarification of no duplicate parameter for login
Prev by thread: RE: iSCSI: possible DH-CHAP rationale
Next by thread: I-D ACTION:draft-ietf-ips-fcencapsulation-07.txt,.pdf
Index(es):
- Date
- Thread

Home

Last updated: Wed Apr 17 16:18:18 2002
9702 messages in chronological order