iSCSI Auth MIB - resolution and next steps

About a week ago I sent out email that said:

AD and Expert Review of the User Identity Authentication MIB for iSCSI, draft-ietf-ips-auth-mib-04.txt, has turned up some serious security issues with the following two MIB objects:

- ipsAuthCredChapPassword
- ipsAuthCredSrpPassword

Since then, it has also become clear that there are design problems with both objects. The first one is mis-named and lacks a description of the required strength of the CHAP secret. The second one has a more serious problem - it is not consistent with the SRP architectural structure in RFC 2945, as the MIB objects should be the verifier and salt to avoid having to send the password "in the clear" (with respect to the MIB).

On the list, I have seen a note that a normative reference to about-to-be-approved (and hence not widely deployed) SNMP functionality could provide adequate security for these objects, but no indications (strong or otherwise) that this functionality (set CHAP secrets, SRP verifiers and salts) is important to have in this MIB. I therefore believe that the rough consensus of the IPS WG is that the above two objects are not essential to the functionality of this MIB.

The best course of action at this juncture is to delete the above two objects from the MIB - the MIB authors are hereby instructed to prepare a revised version of the MIB that deletes the objects, removes the word "Authentication" from the title of the Internet-Draft, and revises the descriptive text to indicate that this MIB manages the user identity aspects of authorization and/or access control - authentication management (e.g., set and/or change authentication secrets) is done via other means. If at some point, authentication secret management functionality becomes important, the MIB can be revised and extended.

Thanks,
--David

----------------------------------------------------
David L. Black, Senior Technologist
EMC Corporation, 176 South St., Hopkinton, MA 01748
+1 (508) 293-7953 FAX: +1 (508) 293-7786
black_david@emc.com Mobile: +1 (978) 394-7754
----------------------------------------------------
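The SRP point in the message above, as an added example that is not part of David's mail or of the MIB draft: deriving the RFC 2945 (salt, verifier) pair that a MIB row could hold in place of the password itself. The group parameters are a constructed toy safe prime rather than a standard SRP group, the iSCSI name and password are made up, and the audit helper is a hypothetical function added for illustration.

```python
import hashlib
import os

# Toy SRP group, constructed for illustration only: a 10-bit safe prime
# (1019 = 2*509 + 1) with generator 2. A real deployment uses one of the
# standard large groups; at this size the discrete log is trivial.
N = 1019
g = 2


def _sha1(*parts: bytes) -> bytes:
    return hashlib.sha1(b"".join(parts)).digest()


def srp_private_key(salt: bytes, username: str, password: str) -> int:
    # RFC 2945: x = SHA(s | SHA(U | ":" | p)). The inner hash binds the
    # password to the user name; the salt makes equal passwords differ.
    inner = _sha1(username.encode(), b":", password.encode())
    return int.from_bytes(_sha1(salt, inner), "big")


def srp_verifier(salt: bytes, username: str, password: str) -> int:
    # RFC 2945: v = g^x mod N. This is what the server side (or a MIB row)
    # holds; recovering x from v is a discrete-log problem in the group.
    return pow(g, srp_private_key(salt, username, password), N)


def enroll(username: str, password: str, salt: bytes = b"") -> tuple:
    # Produce the (salt, verifier) pair to provision for a user. The salt is
    # random per user unless the caller fixes it (as the checks below do).
    salt = salt or os.urandom(16)
    return salt, srp_verifier(salt, username, password)


def verifier_matches(salt: bytes, username: str, password: str, verifier: int) -> bool:
    # Hypothetical audit helper: confirm that a stored (salt, verifier) row
    # corresponds to a known password. The direction matters: password ->
    # verifier is cheap, verifier -> password is not (outside this toy group).
    return srp_verifier(salt, username, password) == verifier


if __name__ == "__main__":
    user = "iqn.2003-07.example:initiator1"  # constructed iSCSI name
    salt, v = enroll(user, "not-a-real-secret")
    print("salt:", salt.hex(), "verifier:", v)
    print("stored row matches password:", verifier_matches(salt, user, "not-a-real-secret", v))
```

Only the salt and verifier would be readable through a MIB built this way; an SNMP reader sees a value that commits to the password without containing it.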