RE: iSCSI:SRP

To: Bill Studenmund <wrstuden@wasabisystems.com>
Subject: RE: iSCSI:SRP
From: David Jablon <dpj@theworld.com>
Date: Thu, 04 Apr 2002 17:04:03 -0500
Cc: <ips@ece.cmu.edu>
Content-Type: text/plain; charset="us-ascii"
In-Reply-To: <Pine.NEB.4.33.0204031601430.320-100000@candlekeep.home-net.internetconnect.net>
References: <15531.25916.533000.602376@gargle.gargle.HOWL>
Sender: owner-ips@ece.cmu.edu

At 04:14 PM 4/3/02 -0800, Bill Studenmund wote:
>While I gather it wasn't always so, IPsec is now the primary form of
>security for iSCSI connections. Whatever login method is chosen, it will
>(should) be happening in an ESP-protected channel. ESP will be set up
>before iSCSI login. ...

For what it's worth, I think people have already argued against that point.

>... That limits who can perform the attacks CHAP is
>vulnerable to to persons with some level of trust on the involved
>machines. If someone can snoop clear text which is usually protected by
>ESP (i.e. they are root on an endpoint), then what method we choose
>doesn't really matter; the attacker could just snoop the process's memory
>and find the clear text password used for the authentication.

That point of the relative benefit of SRP in conjunction with IPsec
may be true in some cases, but not others.
One might choose to use an authentication server that, say, provides
stronger containment of password data.  When used in conjunction with
a strong protocol, other nodes don't get that snoop or snoop-and-crack
capability.

-- David

Follow-Ups:
- Re: iSCSI:SRP
  - From: Bill Strahm <bill@strahm.net>

References:
- RE: iSCSI:SRP
  - From: Paul Koning <ni1d@arrl.net>
- RE: iSCSI:SRP
  - From: Bill Studenmund <wrstuden@wasabisystems.com>

Prev by Date: iSCSI: Last Call process
Next by Date: Re: iSCSI: SRP vs DH-CHAP
Prev by thread: RE: iSCSI:SRP
Next by thread: Re: iSCSI:SRP
Index(es):
- Date
- Thread

Home

Last updated: Thu Apr 04 14:18:20 2002
9498 messages in chronological order