
    RE: iSCSI-12-95



    How about the following text:
    
           If CHAP is used with a secret that has less than 96 random bits then
           IPsec encryption (according to the implementation requirements in
           Section 7.3.2 Confidentiality) MUST be used to protect the
           connection. Moreover, in this case IKE authentication with group
           pre-shared keys MUST NOT be used unless it is not essential to
           protect group members against off-line dictionary attacks of other
           members. When CHAP is used with secret shorter than 96 bits, a
           compliant implementation MUST NOT continue with the login unless it
           can verify that IPsec encryption is being used to protect the
           connection.
    
     Julo
    ----- Forwarded by Julian Satran/Haifa/IBM on 06/01/2002 06:41 PM -----
    From:    Julian Satran/Haifa/IBM@IBMIL
    Sent:    05/31/2002 07:18 AM
    To:      "THALER,PAT (A-Roseville,ex1)" <pat_thaler@agilent.com>
    cc:      ips@ece.cmu.edu
    Subject: RE: iSCSI-12-95

    Pat,
    
    Comments in text.
    
    Julo
    

    From:    "THALER,PAT (A-Roseville,ex1)" <pat_thaler@agilent.com>
    Sent:    05/31/2002 12:52 AM
    To:      Julian Satran/Haifa/IBM@IBMIL, ips@ece.cmu.edu
    cc:
    Subject: RE: iSCSI-12-95
    Please respond to "THALER,PAT (A-Roseville,ex1)"

    Julian,
    
    I am having two problems with the second MUST in the following paragraph
    from iSCSI-12-95 7.2.1:
    If CHAP is used with a secret that has less than 96 random bits then
    IPsec encryption (according to the implementation requirements in
    Section 7.3.2 Confidentiality) MUST be used to protect the connection.
    Moreover, in this case IKE authentication with group pre-shared
    keys MUST NOT be used. When CHAP is used with secret shorter than 96
    bits, a compliant implementation MUST NOT continue with the login
    unless it can verify that IPsec encryption is being used to protect
    the connection.
    
    Who or what does the requirement apply to? Is the iSCSI implementation
    expected to check whether IKE is using pre-shared keys or is this a
    requirement on the person setting up the security? It isn't clear to
    me that an iSCSI implementation has access to that information.
    
    +++ the requirement about checking length is an implementation requirement
    (if you can't check that you have IPsec then you must fail login). The
    requirement about IKE is for the administrator/manager at least.+++
    
    Secondly, it isn't clear to me why it is required. I'm assuming the
    concern is that a member of a group with preshared keys could use
    an off-line dictionary attack to crack the CHAP secret of another
    member of the group but it seems to me that there are situations
    where this is not a threat. For instance, one could have a group that
    was a host and multiple equally secure disk arrays. If one isn't
    concerned about one of the arrays trying to impersonate another there
    isn't a danger in allowing them to authenticate with CHAP protected
    by IPsec encryption with a group pre-shared key.
    
    Could the MUST be made a SHOULD with a statement that ignoring the
    SHOULD means that one member of the group could crack the CHAP
    secret of another member?
    
    +++ this is a fair assessment of the situation and I think that your
    suggestion makes sense +++
    
    Regards,
    Pat
    
    -----Original Message-----
    From: Julian Satran [mailto:Julian_Satran@il.ibm.com]
    Sent: Wednesday, May 29, 2002 3:02 PM
    To: ips@ece.cmu.edu
    Subject: iSCSI-12-95
    
    
    12-95 is out.
    It has the latest wording on security and text negotiation (including the
    spanning).
    
    Still to go - text fixes in chapter 11.
    
    Julo
    
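    As an added illustration (not text from the thread or from any iSCSI implementation), here is a login gate that applies the proposed rule: it assumes the iSCSI text-key encodings for the secret (0x hex, 0b base64, otherwise decimal) and counts every decoded bit as random, so the result is an upper bound on the secret's entropy. The IPsec and IKE group pre-shared key state are hypothetical inputs supplied by the implementation or the administrator, since, as Julian notes, iSCSI itself may not be able to observe them.

```python
import base64
from dataclasses import dataclass

MIN_CHAP_BITS = 96  # threshold from the proposed iSCSI-12-95 section 7.2.1 text


def chap_secret_bits(encoded: str) -> int:
    """Upper bound on the random bits in an iSCSI text-encoded CHAP secret.

    Assumed encodings (iSCSI text keys): "0x" hex, "0b" base64, else decimal.
    Every decoded bit is counted as random, so a guessable secret can only be
    weaker than this estimate, never stronger.
    """
    prefix = encoded[:2].lower()
    if prefix == "0x":
        digits = encoded[2:]
        if not digits or any(c not in "0123456789abcdefABCDEF" for c in digits):
            raise ValueError("malformed hex CHAP secret")
        return 4 * len(digits)              # four bits per hex digit
    if prefix == "0b":
        return 8 * len(base64.b64decode(encoded[2:], validate=True))
    return int(encoded, 10).bit_length()    # decimal value: bits needed to hold it


@dataclass
class LoginDecision:
    allowed: bool
    reason: str
    warning: str = ""


def check_chap_login(secret: str, ipsec_encryption_verified: bool,
                     ike_group_psk: bool = False) -> LoginDecision:
    """Apply the proposed rule before letting a CHAP login proceed.

    ipsec_encryption_verified and ike_group_psk are hypothetical inputs
    provided by the implementation or administrator, not observed by iSCSI.
    """
    bits = chap_secret_bits(secret)
    if bits >= MIN_CHAP_BITS:
        return LoginDecision(True, f"{bits}-bit CHAP secret; IPsec encryption not mandated")
    if not ipsec_encryption_verified:
        # The MUST NOT: a short secret without verifiable IPsec fails the login.
        return LoginDecision(False, f"{bits}-bit CHAP secret and IPsec encryption not verified")
    warning = ""
    if ike_group_psk:
        # Other holders of the group pre-shared key could run an off-line
        # dictionary attack on the short CHAP secret; flag it for the administrator.
        warning = "IKE group pre-shared key in use with a short CHAP secret"
    return LoginDecision(True, f"{bits}-bit CHAP secret protected by IPsec encryption", warning)
```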
Last updated: Sat Jun 01 14:18:31 2002