On Sep 12, 2012, at 11:30 AM, Andy Grover wrote:

> Hi Mike and everyone,
> 
> CHAP is a weak authentication method, and all traffic is sent
> unencrypted (unless using IPSec).
> 
> Do people use CHAP? Or does its weakness not matter because it's just
> used to ensure the wrong initiator doesn't accidentally connect to a target?
> 
> Does anyone use IPSec?
> 
> In the absence of IPSec should we at least be advocating full-volume
> encryption on luns?
> 
> Thanks -- Andy

Andy,

I disagree with your blanket assertion that CHAP is a weak authentication 
method.  It's strong if the password is a random string, or otherwise strong 
enough to resist searching attacks.  Note that the iSCSI standard requires the 
use of distinct CHAP secrets for the two directions, if mutual authentication 
is used, so the reflection attack that classic CHAP suffers from does not apply 
in iSCSI and cannot work there.

Yes, the traffic is sent in the clear after that.  Any protocol that doesn't 
encrypt the data phase is exposed to eavesdropping and connection hijacking.  
When you make security decisions about distributed systems, you have to 
consider the set of possible attacks and decide which ones you need to protect 
against, and which ones you choose to leave not covered.

CHAP protects against impersonation.  It's not just for accidental 
misconnection, it also handles intentional misconnection, provided that the 
attacker is not able to perform connection hijacking.

Yes, some iSCSI implementations support IPsec.  It remains to be seen whether 
anyone actually turns it on.

Data at rest encryption is a completely different service that covers a 
completely different set of attacks.  If you mean volume encryption done at the 
initiator, it protects against eavesdropping but not against data modification; 
for that you need mechanisms that keep the wrong initiators from connecting, as 
CHAP does.

        paul
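The two points Paul makes about CHAP, worked through in code, as an added example that is not from this thread or from the open-iscsi code base. It models iSCSI CHAP with CHAP_A=5 (MD5, CHAP_R = MD5(CHAP_I || secret || CHAP_C)) for both directions of a mutual login, runs the classic reflection attack once against an initiator configured with one shared secret and once with the distinct per-direction secrets the standard requires, and shows why a guessable secret is exposed to offline search from a single captured exchange. The Initiator, RogueTarget-style reflection_attack, mutual_login and offline_guess names, and the sample secrets, are this example's own assumptions, not identifiers from the thread or the project:

```python
"""Model of iSCSI CHAP (CHAP_A=5): response computation, reflection attack,
and offline secret search. Added illustration; names are hypothetical."""
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5 as used by iSCSI: MD5(CHAP_I || secret || CHAP_C).
    CHAP_I is a single octet."""
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP_I must fit in one octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    # Constant-time comparison so verification itself leaks nothing.
    return hmac.compare_digest(chap_response(identifier, secret, challenge), response)


class Initiator:
    """in_secret: what the initiator proves to targets.
    out_secret: what it expects targets to prove back (mutual authentication).
    iSCSI requires in_secret != out_secret when mutual authentication is used."""

    def __init__(self, in_secret: bytes, out_secret: bytes):
        self.in_secret = in_secret
        self.out_secret = out_secret

    def answer(self, identifier: int, challenge: bytes) -> bytes:
        # Initiator -> target direction: the CHAP_R it sends to a target.
        return chap_response(identifier, self.in_secret, challenge)

    def challenge(self):
        # Mutual auth: the initiator's own CHAP_I / CHAP_C for the target.
        return os.urandom(1)[0], os.urandom(16)

    def accept_target(self, identifier: int, challenge: bytes, response: bytes) -> bool:
        return chap_verify(identifier, self.out_secret, challenge, response)


def mutual_login(initiator: Initiator, check_secret: bytes, prove_secret: bytes):
    """Honest target: checks the initiator with check_secret, then proves itself
    with prove_secret. Returns (target accepts initiator, initiator accepts target)."""
    i, c = 3, os.urandom(16)
    if not chap_verify(i, check_secret, c, initiator.answer(i, c)):
        return (False, False)
    ip, cp = initiator.challenge()
    return (True, initiator.accept_target(ip, cp, chap_response(ip, prove_secret, cp)))


def reflection_attack(initiator: Initiator) -> bool:
    """Rogue target that knows no secret at all.
    Connection 1: it challenges the initiator and is challenged back with (I', C').
    Connection 2: it sends the initiator that same (I', C') as a fresh challenge.
    Connection 1: it replays the initiator's answer as its own target response.
    Returns True if the initiator accepts the rogue target."""
    i1, c1 = 7, os.urandom(16)
    _r1 = initiator.answer(i1, c1)             # useless to the attacker without the secret
    i_prime, c_prime = initiator.challenge()    # initiator challenges the "target"
    reflected = initiator.answer(i_prime, c_prime)   # second connection: reflect it
    return initiator.accept_target(i_prime, c_prime, reflected)


def offline_guess(identifier: int, challenge: bytes, response: bytes, candidates):
    """A single captured (CHAP_I, CHAP_C, CHAP_R) triple lets an eavesdropper test
    candidate secrets offline; nothing in the protocol rate-limits this, so the
    secret has to be long and random enough that such a search is hopeless."""
    for cand in candidates:
        if chap_verify(identifier, cand, challenge, response):
            return cand
    return None


if __name__ == "__main__":
    # Constructed sample configurations (hypothetical secrets).
    one_secret = Initiator(b"password1", b"password1")
    two_secret = Initiator(os.urandom(16), os.urandom(16))
    print("honest login, distinct secrets:", mutual_login(two_secret, two_secret.in_secret, two_secret.out_secret))
    print("reflection, one shared secret :", reflection_attack(one_secret))   # accepted
    print("reflection, distinct secrets  :", reflection_attack(two_secret))   # rejected
    i, c = 9, os.urandom(16)
    wordlist = [b"secret", b"password", b"password1", b"iscsi"]
    print("offline search, weak secret   :", offline_guess(i, c, one_secret.answer(i, c), wordlist))
    print("offline search, random secret :", offline_guess(i, c, two_secret.answer(i, c), wordlist))
```

The reflection needs a second connection on which the initiator will answer a challenge, which a rogue target can obtain whenever the initiator opens more than one connection to it; with one shared secret the initiator's own answer is exactly the target response it expects, and with distinct secrets the replayed value is MD5 over the wrong secret and is rejected. Both the reflection and the offline search are things a passive or rogue peer can do without ever knowing a secret, which is why the secret's randomness, not the CHAP construction, sets the real strength.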

-- 
You received this message because you are subscribed to the Google Groups 
"open-iscsi" group.
To post to this group, send email to open-iscsi@googlegroups.com.
To unsubscribe from this group, send email to 
open-iscsi+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/open-iscsi?hl=en.