Re: iSCSI: PAK: an alternative to SRP and DH-CHAP

Funny, iSCSI already has excellent protection from active attackers in the fact that IPsec has protection from active attackers.

If you need the protection, turn on the MUST implement IPsec and be done with it. If you don't need the protection, and want some extra performance just turn off IPsec and go through your dedicated switched network that doesn't have the ability for an unknown attacker to sit in the middle...

Why are we still wasting time on this ???

Bill

On Mon, Apr 29, 2002 at 06:28:27PM -0400, Philip MacKenzie wrote:
> > So is the goal of the working group now to propose a "new and
> > improved" authentication method every 2 months so we can never
> > make forward progress...
>
> I hope not. I simply believe that password authentication
> with no security against active attacks is not a good idea,
> and thought that I could bring a protocol that has advantages
> over the current alternatives. I hope that is progress.
>
> > I have no problems with having the ability to use optional
> > authentication methods, but we need to be VERY careful of specifying
> > MUST/SHOULD algorithms, and the number should be really small,
> > VERY well understood, and as widespread as possible.
>
> Agreed.
>
> > From my understanding of PAK, I don't see a way of plugging this into
> > a legacy RADIUS environment (I don't have the password avail at the
> > iSCSI endpoint, only the ability to say please authenticate this for me)
>
> I also do not see a way to plug PAK into RADIUS. I don't
> believe any password authentication protocol with security
> against active attacks could work with RADIUS.
>
> -Phil
Last updated: Tue Apr 30 10:18:33 2002