Chap vs ipsec – Dell PowerVault DP500 User Manual

Page 31



Configuring Secured iSCSI Connections Using Challenge-Handshake Authentication Protocol

Few security features for the iSCSI protocol are included in the iSCSI layer
itself, apart from any security layers that may be present in the lower TCP/IP
and Ethernet layers. You can enable and disable the iSCSI security features as
required.

The Microsoft® iSCSI Initiator uses the Challenge-Handshake
Authentication Protocol (CHAP) to verify the identity of iSCSI host systems
attempting to access iSCSI Targets. The iSCSI Initiator and iSCSI Target
use CHAP and share a predefined secret. The Initiator combines the secret
with other information into a value and calculates a one-way hash using the
Message Digest 5 (MD5) function. The hash value is transmitted to the
Target. The Target computes a one-way hash of its shared secret and other
information. If the hash values match, the Initiator is authenticated. The
other security information includes an ID value that is increased with each
CHAP dialog to protect against replay attacks. The Dell™ PowerVault™ NF500
and NF600 storage solutions also support Mutual CHAP.
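
The CHAP exchange described above, as an added Python example that is not from the Dell manual: the Target issues a challenge, the Initiator returns MD5(ID || secret || challenge) as specified in RFC 1994, and a captured response replayed against a later challenge is rejected. The names `chap_response`, `Target` and `demo` and the sample secret are constructed for illustration.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP response per RFC 1994: MD5 over ID octet, shared secret, challenge."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class Target:
    """Authenticating side (hypothetical class): issues challenges, checks responses."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._id = 0
        self._pending = None  # (identifier, challenge) awaiting exactly one response

    def new_challenge(self):
        self._id = (self._id + 1) % 256  # ID changes with each CHAP dialog
        self._pending = (self._id, os.urandom(16))  # unpredictable challenge
        return self._pending

    def verify(self, identifier: int, response: bytes) -> bool:
        if self._pending is None or identifier != self._pending[0]:
            return False
        expected = chap_response(identifier, self._secret, self._pending[1])
        self._pending = None  # a challenge is good for a single attempt
        return hmac.compare_digest(expected, response)  # constant-time compare


def demo():
    secret = b"constructed-chap-secret"  # sample value, shared out of band
    target = Target(secret)

    # Normal dialog: Initiator hashes the secret with the ID and challenge.
    ident, challenge = target.new_challenge()
    captured = chap_response(ident, secret, challenge)
    accepted = target.verify(ident, captured)

    # Replay: the captured response does not match a fresh ID and challenge.
    new_ident, _ = target.new_challenge()
    replay_accepted = target.verify(new_ident, captured)

    # Initiator that does not know the shared secret.
    ident3, challenge3 = target.new_challenge()
    wrong = target.verify(ident3, chap_response(ident3, b"wrong-secret", challenge3))
    return accepted, replay_accepted, wrong


if __name__ == "__main__":
    print(demo())
```

The secret itself never crosses the wire; only the challenge, the ID and the 16-byte hash do, which is why the strength of the shared secret determines how well the exchange resists offline guessing.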

CHAP is generally regarded as more secure than Password Authentication
Protocol (PAP). For more information regarding CHAP and PAP, see the
RFC 1334 website at http://rfc.arogo.net/rfc1334.html.

CHAP vs IPSec

CHAP authenticates the peer of a connection and is based upon the peers
sharing a secret (a security key that is similar to a password). IP Security
(IPSec) is a protocol that enforces authentication and data encryption at the
IP packet layer and provides an additional level of security.
