
    RE: FCIP: NAPTs Solution Proposal (issue from Irvine, CA Interim meeting)



    > Those who were at the Irvine Interim meeting will remember that
    > the problem with FCIP and NAPTS is a reliance on IP address in
    > the determination of which incoming TCP connections belong in a
    > given FCIP Link. This proposal solves that problem by requiring
    > that FC Entity World Wide Name be transmitted in the first bytes
    > sent by the FCIP Entity that initiates a TCP Connect request.
    > This allows the FCIP Entity that receives a TCP Connect request
    > to match it with any previously received TCP Connect requests
    > from the same source. Since the transmitted World Wide Name is
    > required to be unique within Fibre Channel, the FCIP Entity
    > that receives this information can correctly assign FCIP Link
    > relationships without relying on IP Addresses.
    
    From a functional standpoint, this works, but it opens up a security
    issue.  The problem is that on the second TCP connection (and subsequent
    connections) that claim to be from the same FCIP Entity, the WWN that
    is initially sent (and whatever extension is used) is functioning
    as an authentication to allow that connection to join the first
    TCP connection, but that authentication is unsecured -- the sender
    announces the WWN, and the receiver does not (and has no way to)
    check it.
    
    There's a fairly obvious denial of service attack here involving
    the attacker joining a new connection to an existing one
    and then bit-bucketing all the frames sent over the new connection.
    
    Limiting FCIP to one TCP connection among any pair of FCIP entity
    identifiers would help, but is not sufficient.  The attack of concern
    in this situation involves the attacker crashing the real entity
    and opening up a connection in its name, thereby locking out the
    real entity when the real entity restarts.
    
    This may be headed in the direction of needing in-band authentication
    which I know the FCIP community has been doing their best to avoid.
    
    Sorry to be the bearer of bad news,
    --David
    
    ---------------------------------------------------
    David L. Black, Senior Technologist
    EMC Corporation, 42 South St., Hopkinton, MA  01748
    +1 (508) 435-1000 x75140     FAX: +1 (508) 497-8500
    black_david@emc.com       Mobile: +1 (978) 394-7754
    ---------------------------------------------------
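The weakness David describes, as an added illustration that is not part of the original message or of any FCIP implementation: a link manager that groups TCP connections by the announced World Wide Name accepts any peer that repeats the WWN, whereas one that first challenges the peer to prove possession of a key bound to that WWN (a simple in-band authentication step, here an HMAC over a receiver nonce) only admits connections from the entity that holds the key. The class names, the pre-shared-key table, the challenge format and the sample WWN are all assumptions made for the example.

```python
"""Model of FCIP link association by announced WWN, with and without an
in-band authentication step. Added illustration; names and formats are assumed."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


@dataclass
class FcipLink:
    wwn: bytes
    connections: list = field(default_factory=list)


class UnverifiedLinkManager:
    """Associates a connection with a link purely by the WWN the sender
    announces in its first bytes (the proposal as quoted in the message)."""

    def __init__(self):
        self.links = {}

    def accept(self, conn_id, announced_wwn):
        # No check is possible here: the announced WWN is taken on faith.
        link = self.links.setdefault(announced_wwn, FcipLink(announced_wwn))
        link.connections.append(conn_id)
        return link


class AuthenticatedLinkManager:
    """Same grouping, but a connection joins a link only after proving
    possession of a pre-shared key bound to the WWN. Assumed design: the
    receiver issues a one-time nonce; the proof is HMAC-SHA256(key, nonce||wwn)."""

    def __init__(self, keys):
        self.keys = dict(keys)   # wwn -> pre-shared key (assumed provisioning)
        self.links = {}
        self.pending = {}        # conn_id -> outstanding nonce

    def challenge(self, conn_id):
        nonce = os.urandom(16)
        self.pending[conn_id] = nonce
        return nonce

    def accept(self, conn_id, announced_wwn, response):
        nonce = self.pending.pop(conn_id, None)   # single use: no replay
        key = self.keys.get(announced_wwn)
        if nonce is None or key is None:
            return None
        expected = hmac.new(key, nonce + announced_wwn, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            return None                            # claim not proven: refuse join
        link = self.links.setdefault(announced_wwn, FcipLink(announced_wwn))
        link.connections.append(conn_id)
        return link


def prove(key, nonce, wwn):
    """Initiator side of the assumed challenge/response."""
    return hmac.new(key, nonce + wwn, hashlib.sha256).digest()


def demo():
    """Returns (connections grouped without verification,
                whether a wrong-key join was refused,
                connections grouped with verification)."""
    wwn = bytes.fromhex("2000001122334455")      # constructed sample WWN
    real_key = b"constructed-psk-for-entity-A"   # constructed sample key

    # Unverified: a second peer merely announcing the WWN lands in the same link.
    um = UnverifiedLinkManager()
    um.accept("conn-1", wwn)
    link = um.accept("conn-2-from-unknown-peer", wwn)
    unverified_joined = len(link.connections)

    # Authenticated: the join succeeds only with a response under the real key.
    am = AuthenticatedLinkManager({wwn: real_key})
    n1 = am.challenge("conn-1")
    am.accept("conn-1", wwn, prove(real_key, n1, wwn))
    n2 = am.challenge("conn-2-from-unknown-peer")
    rejected = am.accept("conn-2-from-unknown-peer", wwn, prove(b"wrong-key", n2, wwn))
    n3 = am.challenge("conn-3")
    ok = am.accept("conn-3", wwn, prove(real_key, n3, wwn))
    return unverified_joined, rejected is None, len(ok.connections)


if __name__ == "__main__":
    print(demo())
```

The unverified manager cannot distinguish the two connections because, as the message says, the receiver has no way to check the announced WWN; the authenticated manager turns the WWN into an identity that must be proven rather than merely stated, which is the direction the message suggests (in-band authentication) and also removes the restart lockout, since a connection opened in the real entity's name without the key never joins the link.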
Last updated: Fri Nov 09 20:17:38 2001