    RE: iSCSI Inband authentication (SRP/CHAP) - proposed resolution



    
    David,
    Do you also mean that we can tell if a group preshared key was used?  How
    do we do that?
    
    .
    .
    .
    John L. Hufferd
    Senior Technical Staff Member (STSM)
    IBM/SSG San Jose Ca
    Main Office (408) 256-0403, Tie: 276-0403,  eFax: (408) 904-4688
    Home Office (408) 997-6136, Cell: (408) 499-9702
    Internet address: hufferd@us.ibm.com
    
    
    Black_David@emc.com@ece.cmu.edu on 05/22/2002 02:06:37 PM
    
    Sent by:    owner-ips@ece.cmu.edu
    
    
    To:    John Hufferd/San Jose/IBM@IBMUS
    cc:    ips@ece.cmu.edu
    Subject:    RE: iSCSI Inband authentication (SRP/CHAP) - proposed
           resolution
    
    
    
    John,
    
    > The problem I am having with the proposal is, that I think we are
    > mandating customer actions not just implementation.
    
    To some extent, this is unavoidable, and we're already there
    implicitly, as use of a low-entropy pre-shared key with IKE will
    doubtless make IKE vulnerable in all sorts of undesirable ways.
    For that matter, even SRP is only secure if the customer uses
    it correctly (e.g., if Alice doesn't keep her password secret,
    and Bob knows it, SRP will not protect Alice from Bob).
    
    > We are saying that if CHAP passwords are used then they must
    > do or must not do something else which is legal with IPsec.
    >
    > Since the IPsec process is really disjoint from the iSCSI Login, there is
    > no real way that we can tell what the customer did with IPsec, and IKE.
    
    I don't think so.  One can expect an IPsec implementation to
    report the security policy and mechanisms (contents of the SPD,
    and probably the SAD) that it is currently enforcing through
    a suitably secured management interface.  How to get access to
    and use that interface would be up to the implementer combining
    IPsec and iSCSI.
    
    > So somehow I think the wordage needs to be adjusted to reflect this
    > implementation vs. customer interaction, since I think the only thing we
    > can do is document on the packaging/directions, what should or should not
    > be done.
    
    Please propose new wording.
    
    Thanks,
    --David
    ---------------------------------------------------
    David L. Black, Senior Technologist
    EMC Corporation, 42 South St., Hopkinton, MA  01748
    +1 (508) 249-6449 *NEW*      FAX: +1 (508) 497-8500
    black_david@emc.com         Cell: +1 (978) 394-7754
    ---------------------------------------------------
    
    
    
    


Last updated: Thu May 23 11:18:35 2002