Re: iSCSI: DH-CHAP resolution

To: "Elizabeth G. Rodriguez" <Elizabeth.G.Rodriguez@123mail.net>
Subject: Re: iSCSI: DH-CHAP resolution
From: Philip MacKenzie <philmac@research.bell-labs.com>
Date: Thu, 09 May 2002 09:32:38 -0400
CC: ips@ece.cmu.edu
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=us-ascii; format=flowed
Organization: Bell Labs, Lucent Technologies
References: <009001c1f5f5$44a289e0$1defc0d8@EGRodriguez>
Sender: owner-ips@ece.cmu.edu
User-Agent: Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:0.9.2) Gecko/20010726 Netscape6/6.1

Well, it looks like everything is going to CHAP.

Before these last messages came out, I had already
basically written up a document describing what I see
are the main issues in authentication in iSCSI, along
with the alternative approaches and their advantages and
disadvantages.  For anyone who's interested, you can find
it at:

http://cm.bell-labs.com/who/philmac/research/iscsi-authentication

The last paragraph of that document desribes another
approach that may be appropriate for iSCSI:
Use CHAP with long keys, and if someone wants
password authentication with high security, use
another protocol *completely separate from iSCSI*
to download user credentials (i.e., the long key for use
with CHAP in iSCSI).  Hopefully this protocol would
be secured with PAK, or some other strong password
authentication key exchange protocol, but that does not
affect iSCSI.

This type of approach is used in Plan 9.  It is also similar
to an approach currently being considered in the ipsra
working group.

-Phil

Follow-Ups:
- Re: iSCSI: DH-CHAP resolution
  - From: "Theodore Ts'o" <tytso@mit.edu>

References:
- iSCSI: DH-CHAP resolution
  - From: "Elizabeth G. Rodriguez" <Elizabeth.G.Rodriguez@123mail.net>

Prev by Date: UNH page link
Next by Date: Re: iSCSI: NOP-In
Prev by thread: iSCSI: DH-CHAP resolution
Next by thread: Re: iSCSI: DH-CHAP resolution
Index(es):
- Date
- Thread

Home

Last updated: Thu May 09 12:18:45 2002
10023 messages in chronological order