Re: iSCSI: Authentication thoughts

To: ssenum@cisco.com
Subject: Re: iSCSI: Authentication thoughts
From: Paul Koning <ni1d@arrl.net>
Date: Tue, 30 Apr 2002 12:34:03 -0400
Cc: ips@ece.cmu.edu
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=us-ascii
References: <277DD60FB639D511AC0400B0D068B71E04D63422@CORPMX14><3CCDCE2C.C450ABB8@cisco.com>
Sender: owner-ips@ece.cmu.edu

Excerpt of message (sent 29 April 2002) by Steve Senum:
> I would be favor of CHAP (with machine
> generated keys) as the mandatory protocol.

I agree about CHAP.

It's not clear to me that the spec can require a particular
operational procedure on the part of the users of iSCSI.  It makes a
lot of sense to say "machine generated 'passwords' are recommended for
best security" but I don't know how we could operationally mandate the
use of generated keys.

> If the user requires better security, I believe
> IPsec should be used.

Agreed.  For example, that will take care of the "wimpy active attack"
vs. "really good active attack" issue.  IPsec foils both.

    paul

References:
- iSCSI: Authentication thoughts
  - From: Black_David@emc.com
- Re: iSCSI: Authentication thoughts
  - From: Steve Senum <ssenum@cisco.com>

Prev by Date: Re: iSCSI 4.1 & 4.2
Next by Date: Re: iSCSI: RE: iSCSI 4.1 & 4.2
Prev by thread: Re: iSCSI: Authentication thoughts
Next by thread: Re: iSCSI: PAK: an alternative to SRP and DH-CHAP
Index(es):
- Date
- Thread

Home

Last updated: Tue Apr 30 13:18:30 2002
9887 messages in chronological order