RE: iSCSI Inband authentication (SRP/CHAP) - proposed resolution

Responding to Ofer's concerns, let me know if I get any of the paraphrasing wrong.

[Ofer Biran 1]: Since there are requirements for what to do when secrets weaker than 96 bits of randomness are used, is the SHOULD for 96+ bits necessary?

Good question. It'll help when an external RADIUS server is used to verify CHAP authentication. It also scopes the "MUST use ESP" requirement to apply only when the SHOULD is ignored.

[Ofer Biran 2]: Mutual authentication is being introduced as a SHOULD requirement very late in the process. The requirement should be removed; mutual authentication should remain OPTIONAL.

I believe Ofer is correct about this. I believe the important aspect is to be sure to include Paul Koning's example and associated text about how to prevent reflection attacks on CHAP if/when it is used for mutual authentication. In the absence of strong interest in imposing this requirement, I think we should return to the previous situation.

Thanks,
--David

---------------------------------------------------
David L. Black, Senior Technologist
EMC Corporation, 42 South St., Hopkinton, MA 01748
+1 (508) 249-6449 *NEW*      FAX: +1 (508) 497-8500
black_david@emc.com         Cell: +1 (978) 394-7754
---------------------------------------------------
Last updated: Wed May 22 17:18:35 2002