RE: iSCSI:SRP

To: Paul Koning <ni1d@arrl.net>
Subject: RE: iSCSI:SRP
From: Bill Studenmund <wrstuden@wasabisystems.com>
Date: Wed, 3 Apr 2002 16:14:03 -0800 (PST)
Cc: <Black_David@emc.com>, <ips@ece.cmu.edu>
Content-Type: TEXT/PLAIN; charset=US-ASCII
In-Reply-To: <15531.25916.533000.602376@gargle.gargle.HOWL>
Sender: owner-ips@ece.cmu.edu

On Wed, 3 Apr 2002, Paul Koning wrote:

> Excerpt of message (sent 3 April 2002) by Black_David@emc.com:
> > > They asked us to "consider" DH+Chap but it was not a hard requirement, you
> > > told us that they would accept Chap, but wanted us to consider a way to
> > > make it more secure.  I think the work that has been done, is clearly
> > > considering it, and with the combination of SRP and current Chap clearly
> > > meets requirements.
>
> Wasn't that "consider DH+CHAP" in the context of the possible need to
> drop SRP down to optional and make CHAP mandatory?

Yes, but that need hasn't gone away.

> > That work is not complete.  There are at least two technical explanations
> > missing that have to go into the iSCSI specification in order to
> > pursue this course of action:
> >
> > (1) Why is CHAP by itself not sufficient?
> > (2) Why is SRP preferable to DH-CHAP?
> >
> > The second one is crucial as it is the justification to the IESG that
> > technology potentially subject to patents needs to be used in preference
> > to unencumbered technology.
>
> I thought the answers to both are obvious already.
>
> 1. CHAP is vulnerable to certain attacks that SRP does not suffer
>    from, and is one-way.

Are these concerns strong enough to warrant using patented technologies?

While I gather it wasn't always so, IPsec is now the primary form of
security for iSCSI connections. Whatever login method is chosen, it will
(should) be happening in an ESP-protected channel. ESP will be set up
before iSCSI login. That limits who can perform the attacks CHAP is
vulnerable to to persons with some level of trust on the involved
machines. If someone can snoop clear text which is usually protected by
ESP (i.e. they are root on an endpoint), then what method we choose
doesn't really matter; the attacker could just snoop the process's memory
and find the clear text password used for the authentication.

> 2. DH-CHAP had not been specified yet, while SRP is a published RFC.
>
> Why isn't (2) sufficient?  Surely, when we're trying to go through the
> RFC publication process, we can't be expected to consider a proposal
> that is not yet at the "draft 00" stage as a prime contender, can we?
> Otherwise no one could ever finish.

The concerns over SRP involve IPR, which is a seperate question from being
an RFC.

> Is there any consensus that iSCSI Last Call should wait for DH-CHAP
> Last Call?

Yes.

Take care,

Bill

Follow-Ups:
- RE: iSCSI:SRP
  - From: David Jablon <dpj@theworld.com>
- RE: iSCSI:SRP
  - From: Paul Koning <ni1d@arrl.net>

References:
- RE: iSCSI:SRP
  - From: Paul Koning <ni1d@arrl.net>

Prev by Date: RE: iSCSI: SRP vs DH-CHAP
Next by Date: RE: iSCSI:SRP
Prev by thread: RE: iSCSI:SRP
Next by thread: RE: iSCSI:SRP
Index(es):
- Date
- Thread

Home

Last updated: Thu Apr 04 12:18:18 2002
9490 messages in chronological order