RE: iSCSI:SRP

To: "'Black_David@emc.com'" <Black_David@emc.com>
Subject: RE: iSCSI:SRP
From: "Merhar, Milan" <mmerhar@pirus.com>
Date: Thu, 4 Apr 2002 15:36:47 -0500
Cc: ips@ece.cmu.edu
Content-Type: text/plain;charset="iso-8859-1"
Sender: owner-ips@ece.cmu.edu

David,

Interesting issue.  In practice, many sites with substantial 
RADIUS authentication needs (e.g. diaup POPs, etc) rely on 
a separate, isolated network for authentication traffic, 
network management via SNMP, etc to avoid concerns such 
as you mention, as well as avoiding DoS attacks 
from the outside directed at the RADIUS infrastructure.

Alternatives that can provide comparable security in a flat, 
open network environment are desirable, so it seems
that some wording is needed to describe this risk and offer 
other solutions, which might include using IPsec to the RADIUS
server, or applying IP filtering in your network infrastructure 
to prevent unwanted propagation of RADIUS messages.  
On the other hand, a fix involving replacing or upgrading 
the RADIUS infrastructure has a pretty high barrier to 
deployment, and should be avoided if possible.

- milan

> -----Original Message-----
> From: Black_David@emc.com [mailto:Black_David@emc.com]
> Sent: Thursday, April 04, 2002 2:44 PM
> 
>  *snip*
> 
> In the hopes of getting this back onto a more productive path, let
> me toss in a technical issue.  DH-CHAP will be compatible 
> with existing RADIUS servers (same signature format, and the recipient of 
> the response can compute the challenge was that the sender should have
signed), BUT
> ... there's a problematic security issue.  Existing RADIUS servers
> want the challenge and response sent to them, over connections that
> usually aren't encrypted.  If the DH-CHAP response and computed
> challenge are sent over such a connection, a passive eavesdropper on
> that connection gains the material to mount a dictionary attack as
> if she'd monitored a CHAP exchange (i.e., sending the DH-CHAP results
> to RADIUS in the clear may negate the DH advantages).  This would be
> a major drawback to using DH-CHAP with existing RADIUS (and the like)
> servers if one can generally expect an eavesdropper on the IP Storage
> connection to also be able to eavesdrop on the connection to the
> RADIUS server - do people think that is likely to be or not be the
> case in general, and why?
> 
>

Prev by Date: Re: iSCSI: SRP vs DH-CHAP
Next by Date: RE: IPSEC target and transport mode
Prev by thread: RE: iSCSI:SRP
Next by thread: RE: iSCSI:SRP
Index(es):
- Date
- Thread

Home

Last updated: Thu Apr 04 19:18:20 2002
9515 messages in chronological order