Re: iSCSI: PAK: an alternative to SRP and DH-CHAP

To: bill@strahm.net
Subject: Re: iSCSI: PAK: an alternative to SRP and DH-CHAP
From: "Bernard Aboba" <bernard_aboba@hotmail.com>
Date: Fri, 03 May 2002 10:40:02 -0700
Cc: philmac@research.bell-labs.com, ips@ece.cmu.edu
Content-Type: text/plain; format=flowed
Sender: owner-ips@ece.cmu.edu

>I'd almost buy this argument, except that means that my custommers will
>have to upgrade their environments to an updated Radius server.  >Putting 
>deployment requirements like this on custommers is not an easy >thing...

This used to be a reasonable argument when most RADIUS servers didn't 
support extensible authentication, but that isn't true anymore. Today 
customers who don't want to upgrade legacy servers often go out and buy a 
new set of servers supporting extensible authentication and deploy it for 
the new application only. That way they don't have to worry about the 
upgrades breaking legacy applications, yet they can still support new 
applications.

Also, if we were to restrict IETF authentication methods to those supported 
in RFC 2865, that would mean that that the only acceptable algorithm would 
be CHAP. Given that CHAP doesn't support mutual authentication and has a 
dictionary attack vulnerability, that seems like too tight a straightjacket 
to put ourselves in.

_________________________________________________________________
Chat with friends online, try MSN Messenger: http://messenger.msn.com

Prev by Date: Comments on v12 of iSCSI Specification
Next by Date: Re: iSCSI - re-phrase of 4.1
Prev by thread: Re: iSCSI: PAK: an alternative to SRP and DH-CHAP
Next by thread: Re: iSCSI: PAK: an alternative to SRP and DH-CHAP
Index(es):
- Date
- Thread

Home

Last updated: Fri May 03 14:18:27 2002
9960 messages in chronological order