RE: FCIP: WWN short frame and IPsec

To: muralir@lightsand.com
Subject: RE: FCIP: WWN short frame and IPsec
From: Black_David@emc.com
Date: Tue, 18 Dec 2001 22:21:42 -0500
Cc: ips@ece.cmu.edu
Content-Type: text/plain;charset="iso-8859-1"
Sender: owner-ips@ece.cmu.edu

Murali

Sorry for the delay in responding to this.

> Could you please characterize and hence clarify the problem
> with the existing use of WWN to add additional TCP connection.
> I am hearing different views of the problem from different people.
> I would like to get us all on the same page by answering:
> 
> 1) When is this a problem? With IPSec or without ?

It is a problem in both situations, although the nature of the
problem differs.  In the absence of IPsec, there is a direct
exposure to false authentication (the WWN in the short frame
is not checked, and hence any connection from anywhere could
present any WWN).  In the presence of IPsec, there is an exposure
to a device using an IPsec identity that does not match the WWN
presented in the short frame (i.e., Bob announces himself as Bob
to IKE, but then presents Alice's WWN to intercept traffic
to her and/or inject traffic as if it were from her).

> 2) What are the threat assumptions?

I suggest looking at section 2 of the security draft.  The threat
in the absence of IPsec includes a variant of [4] that is much
easier to pull off than hijacking the TCP connection - the
description of [4] in the security draft may need to be expanded
to encompass this.

> Is the rogue device a party that is assumed to be "trusted" ?

I suspect the question is ill-formed.  Classifying the world
into "trusted" and "un-trusted" entities is not a good way
to think about security.  The fundamental threat here is a device
exceeding its authorization by presenting a WWN that it is
not authorized to present and therefore being able to receive
traffic forwarded to or through that WWN and send traffic as
if it came from or through that WWN.

As indicated previously on the list, an assumption that the
WWN must be correct if presented on an IPsec-secured connection
on which the other party has passed IKE authentication is not
good enough - in the absence of other measures, the WWN would
have to be checked against the IKE identity to prevent the
above problem with Bob presenting Alice's WWN.  In other words,
the fact that a connection has passed an IPsec authentication is
not in general sufficient to fully trust it; there are conditions
in which this may be the case, but they depend on local security
policy.

Thanks,
--David

---------------------------------------------------
David L. Black, Senior Technologist
EMC Corporation, 42 South St., Hopkinton, MA  01748
+1 (508) 435-1000            FAX: +1 (508) 497-8500
black_david@emc.com       Mobile: +1 (978) 394-7754
---------------------------------------------------

Prev by Date: RE: effect of initializing CRC reg to 1's depends on implementati on? iSCSI
Next by Date: RE: sessions and connections
Prev by thread: FCIP: WWN short frame and IPsec
Next by thread: iSCSI v8 CRC32C
Index(es):
- Date
- Thread

Home

Last updated: Tue Dec 18 23:17:44 2001
8142 messages in chronological order