|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] RE: iSCSI Inband authentication (SRP/CHAP) - proposed resolutionJohn, > The problem I am having with the proposal is, that I think we are mandating > customer actions not just implementation. To some extent, this is unavoidable, and we're already there implicitly, as use of a low-entropy pre-shared key with IKE will doubtless make IKE vulnerable in all sorts of undesirable ways. For that matter, even SRP is only secure if the customer uses it correctly (e.g., if Alice doesn't keep her password secret, and Bob knows it, SRP will not protect Alice from Bob). > We are saying that if Chap passwords are used then they must > do or must not do something else which is legal with IPsec. > > Since the IPsec process is really disjoint from the iSCSI Login, there is > no real way that we can tell what the customer did with IPsec, and IKE. I don't think so. One can expect an IPsec implementation to report the security policy and mechanisms (contents of the SPD, and probably the SAD) that it is currently enforcing through a suitably secured management interface. How to get access to and use that interface would be up to the implementer combining IPsec and iSCSI. > So some how I think the wordage needs to be adjusted to reflect this > implementation vrs customer interaction, since I think the only thing we > can do is document on the packaging/directions, what should or should not > be done. Please propose new wording. Thanks, --David --------------------------------------------------- David L. Black, Senior Technologist EMC Corporation, 42 South St., Hopkinton, MA 01748 +1 (508) 249-6449 *NEW* FAX: +1 (508) 497-8500 black_david@emc.com Cell: +1 (978) 394-7754 ---------------------------------------------------
Home Last updated: Wed May 22 19:18:30 2002 10222 messages in chronological order |