Re: iSCSI: PAK: an alternative to SRP and DH-CHAP

[Bill Strahm <bill@strahm.net>]

Funny, iSCSI all ready has excellent protection from active attackers 
in the fact that IPsec has protection from active attackers.  If you 
need the protection, turn on the MUST implement IPsec and be done with
it.  If you don't need the protection, and want some extra performance
just turn off IPsec and go through your dedicated switched network that
doesn't have the ability for an unknown attacker to sit in the middle...

Why are we still wasting time on this ???

Bill
On Mon, Apr 29, 2002 at 06:28:27PM -0400, Philip MacKenzie wrote:
> > So is the goal of the working group now to propose a "new and 
> > improved" authentication method every 2 months so we can never
> > make forward progress...
> > 
> 
> 
> I hope not.  I simply believe that password authentication
> with no security against active attacks is not a good idea,
> and thought that I could bring a protocol that has advantages
> over the current alternatives.  I hope that is progress.
> 
> 
> > I have no problems with having the ability to use optional 
> > authentication methods, but we need to be VERY careful of specifying
> > MUST/SHOULD algorithms, and the number should be really small, 
> > VERY well understood, and as widespread as possible.
> > 
> 
> 
> Agreed.
> 
> 
> >>From my understaning of PAK, I don't see a way of plugging this into
> > a legacy RADIUS environment (I don't have the password avail at the 
> > iSCSI endpoint, only the ability to say please authenticate this for me)
> > 
> 
> 
> I also do not see a way to plug PAK into RADIUS.  I don't
> believe any password authentication protocol with security
> against active attacks could work with RADIUS.
> 
> -Phil
> 
> 
>