|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: FCIP Last Call, comment 55 - Special FrameRegarding: > Comment 55: I agree that there's no technical problem here, but > would like to see an editorial change to avoid the "SHALL wait > indefinitely" language that bothers me. I suggest changing: > > The FCIP Entity SHALL wait indefinitely for the FC Entity to > authenticate source of the TCP connect request and SHALL not > use the new TCP Connection for any purpose until the FC Entity > completes the authentication. > > to: > > The FCIP Entity SHALL not use the new TCP Connection for > any purpose until the FC Entity authenticates the source > of the TCP connect request. This change is acceptable to me. Unless objections are heard it will appear as the resolution for Comment 55 in the next revision of the I-D. Thanks. .Ralph Black_David@emc.com wrote: > I'm not satisfied with the proposed resolution of these comments. > They're reproduced below, and my concerns are: > > Comments 52 and 53: There needs to be some guidance given for how > the FCIP entity is supposed to choose among the alternatives. > I think this may be as simple as one sentence in each case > pointing to the new text on use of the Short Frame as > "as a poor-man's SLP", as whether to change the information > to be returned seems to be the crucial decision facing an > implementer. > > Comment 55: I agree that there's no technical problem here, but > would like to see an editorial change to avoid the "SHALL wait > indefinitely" language that bothers me. I suggest changing: > > The FCIP Entity SHALL wait indefinitely for the FC Entity to > authenticate source of the TCP connect request and SHALL not > use the new TCP Connection for any purpose until the FC Entity > completes the authentication. > > to: > > The FCIP Entity SHALL not use the new TCP Connection for > any purpose until the FC Entity authenticates the source > of the TCP connect request. > > Comment 109: The proposed resolution says: > > The SF is protected by requiring that the echoed data field values > exactly match those sent. This is an end-to-end-to-end check that > is more certain than even a CRC. > > Unfortunately, comments 52 and 53 call out text that allows those > fields to be changed. This needs some more thought/explanation, > and this issue needs to be considered open for now. > > Thanks, > --David > > --- Comments 52, 53, 55, and 109 ----- > > Comment 52 Technical > > -- Section 9.1.3 - Processing Incoming TCP Connect Requests > > If the Destination FC Fabric Entity World Wide Name contains 0, > the FCIP Entity SHALL take one of the following three actions: > > 1) Leave the Destination FC Fabric Entity World Wide Name field > and Ch bit both 0; > 2) Change the Destination FC Fabric Entity World Wide Name field > to match FC Fabric Entity World Wide Name associated with the > FCIP Entity that received the TCP connect request and change > the Ch bit to 1; or > 3) Close the TCP Connection without sending any response. > > The choice between the above actions depends on the anticipated > usage of the FCIP Entity and is outside the scope of this > specification. The FCIP Entity may consult the "shared" database > when choosing between the above actions. > > [T] I'm not buying the "outside the scope" disclaimer. Some more > description of why the three choices are available is in order even > if the normative criteria for choosing among them are specified in > FC-BB-2. If my assumption about FC-BB-2 is correct, the last > sentence is almost certainly too weak - it needs to refer to > consulting the FC Entity to determine what to do. > > Accepted but not as the comment intended > > Delete "... and is outside the scope of this specification" > > Other actions to be taken > > Note: Some non SLP implementations wish to use the SF as a > configuration determination mechanism. The choice exists to allow > that option. > > Describe this in the new section added in response to comment 44. > > Comment 53 Technical > > -- Section 9.1.3 - Processing Incoming TCP Connect Requests > > If: > a) The Destination FC Fabric Entity World Wide Name contains a > non-zero value that does not match the FC Fabric Entity World > Wide Name associated with the FCIP Entity that received the TCP > connect request, or > b) The contents of the Connection Usage Flags, and Connection > Usage Code fields is not acceptable to the FCIP Entity that > received the TCP connect request, > then the FCIP Entity SHALL take one of the following two actions: > 1) Change the contents of the unacceptable fields to correct/ > acceptable values and set the Ch bit to 1; or > 2) Close the TCP Connection without sending any response. > > [T] 1) looks like a security hole that discloses information an > attacker may find useful in establishing an undesired connection to > FCIP. > What's the motivation/purpose for this? > > No changes made > > The motivation is to allow the SF to be used as a poor-man's SLP. > > Option 1) is a security policy that is not a security hole because > either IPsec or option 2) or both are available as security policy > choices. > > Comment 55 Technical > > -- Section 9.1.3 - Processing Incoming TCP Connect Requests > > The FCIP Entity SHALL wait indefinitely for the FC Entity to > authenticate source of the TCP connect request and SHALL not > use the new TCP Connection for any purpose until the FC Entity > completes the authentication. > > [T] "wait indefinitely" creates an obvious denial of service attack > vulnerability. Try again. > > Rejected > > The potential for a denial of service attack exists only if the > attacker can affect the interface between the FCIP Entity and the > FC Entity. Since the interface between these two exists only inside > an FCIP-FC implementation, the opportunities for such an attack > are reasonably beyond the bounds of such concerns. > > If the FCIP Entity and FC Entity were specified in a single > standard, the wording would be "Do A, B, and C." There would be > no interface point at which a wait could exist and the issue > would either be handled implicitly (probably with R_A_TOV) or > ignored entirely. > > Comment 109 Technical > > > 6.6.1 FCIP Encapsulation of FC Frames > .... > > The CRCV (CRC Valid) Flag SHALL be set to 0. > > > > The CRC field SHALL be set to 0. > > I am surprised that the FCIP encapsulated header is never protected > by a CRC. The error detection section clearly acknowledges the > possibility that TCP checksum could be inadequate for certain > deployments - and even suggests checking the FC frame CRC (sort > of like a data digest) on reception at the Encapsulated Frame > Receiver Portal. > > My recommendation is to require an FCIP Entity to employ the header > CRC if the SF that it receives asks for CRC - IOW, similar to iSCSI's > approach. So, I guess I am also advocating a new bit in the pFlags > field to announce this. When this CRC expectation is announced, the > FC CRC checking test in 6.6.2.2 should also be a mandatory test - > from the "semi-optional" list it is currently in. > > Rejected > > The SF is protected by requiring that the echoed data field values > exactly match those sent. This is an end-to-end-to-end check that > is more certain than even a CRC. > > --------------------------------------------------- > David L. Black, Senior Technologist > EMC Corporation, 42 South St., Hopkinton, MA 01748 > +1 (508) 249-6449 *NEW* FAX: +1 (508) 497-8500 > black_david@emc.com Cell: +1 (978) 394-7754 > ---------------------------------------------------
Home Last updated: Sun Apr 21 23:18:50 2002 9738 messages in chronological order |