Re: iSCSI Ping and DoS

To: Glen Turner <"glen.turner+ips"@aarnet.edu.au>
Subject: Re: iSCSI Ping and DoS
From: julian_satran@il.ibm.com
Date: Tue, 24 Oct 2000 12:17:56 +0300
cc: ips@ece.cmu.edu
Content-Disposition: inline
Content-type: text/plain; charset=us-ascii
Sender: owner-ips@ece.cmu.edu



Glen

I will make an honest attempt. I see your point.

Thanks,
Julo

Glen Turner <"glen.turner+ips"@aarnet.edu.au> on 24/10/2000 07:18:12

Please respond to Glen Turner <"glen.turner+ips"@aarnet.edu.au>

To:   satran@haifa.vnet.ibm.com
cc:
Subject:  iSCSI Ping and DoS




draft-satran-iscsi-01.txt in section 3.15 deals with
Ping and section 3.16 deals with Ping Response.

The wording between the sections is inconsistent:

> When a target receives the Ping Command, it should respondd
> with a Ping Response, duplicating as much of the data as
> possible that was provided in the Ping Command (if such
> data was present).

and

> When a target receives the Ping Command, it should respond with a
> Ping Response, duplicating the data and Initiator Task Tag that was
> provided in the Ping Command, if present.

Because unauthenticated connections are desirable, the amount
of data reflected in a Ping Response should be left under the
control of the server.  This allows a public server to always
respond with zero Ping Response data, preventing that servers'
participation in a vectored denial of service attack.

I suggest a wording of

 When a target receives a a Ping Command it MUST respond with
 a Ping Response.  The response SHOULD duplicate as much of the
 data provided by the Ping Command as possible.  The target MUST
 provide a configurable upper limit to the amount of data sent in
 a Ping Response.  This upper limit MAY vary depending upon session
 attributes, such as the authentication mechanism.  The default
 upper limit SHOULD be large.

 The intent of limiting the size of the Ping Response is to
 prevent public iSCSI targets from sending large Ping Response
 packets in response to a Ping Command with a forged source IP
 address and correct TCP attributes.

--
 Glen Turner                                 Network Engineer
 (08) 8303 3936      Australian Academic and Research Network
 glen.turner@aarnet.edu.au          http://www.aarnet.edu.au/
--
 The revolution will not be televised, it will be digitised

Prev by Date: RE: iSCSI: more on StatRN
Next by Date: RE: iSCSI: more on StatRN
Prev by thread: remove
Next by thread: iSCSI: error recovery
Index(es):
- Date
- Thread

Home

Last updated: Tue Jul 16 14:18:57 2002
11339 messages in chronological order