Re: iSCSI:SRP

[Bill Studenmund <wrstuden@wasabisystems.com>]

On Fri, 5 Apr 2002, Bernard Aboba wrote:

> >I would be very comfortable saying just do CHAP over an encrypted >link, so
> >you don't have the vulnerabilities of CHAP because the link >is protected
> >by a must implement IPsec layer...
>
> The problem is that IPsec is *must implement* not *must use*. Therefore an
> iSCSI authentication mechanism needs to be secure even when IPsec is not
> turned on.

I disagree with the premise I perceive underlying your assumption (if the
premise isn't there, I apologize :-). I agree that it is important that
we have secure methods for authentication. I disagree that means we HAVE
to use SRP (a la MUST & friends).

Even if we just chose CHAP as the minimum authentication, we have a fairly
strong authentication option in the minimum-interpoerability aspect of the
spec (IPsec + CHAP). Each end will be required to support it. Yes, as you
point out above, an administrator might choose not to use it. Is that our
problem? Our concern, yes, but isn't that fundamentally the admin's
problem? s/he turned IPsec off, after all (for each end to follow the
spec, it had to have been there as an option to turn off).

I agree that it would be good to have alternatives, and I am happy for SRP
to be one of them. But as long as we have options that the admin can turn
on and off (like as long as CHAP is an option at all), an admin can get
into an unsafe (insecure) operating mode. We will need to tell admins,
"these settings are unsafe, don't use them w/o knowing what you're doing."
Regardless of whether or not SRP is the primary authentication method.

So I don't see how making SRP the primary authentication method helps any.

Take care,

Bill