
    Re: Document Action: iSCSI Requirements and Design Considerations to Informational



    On Fri, 26 Apr 2002, David Jablon wrote:
    
    > Regarding the security requirements in
    > <http://www.ietf.org/internet-drafts/draft-ietf-ips-iscsi-reqmts-06.txt> ...
    >
    > Section 6.2 draws a curious and potentially dangerous distinction between
    > active and passive attacks.  It states that the authentication protocol MUST
    > be resilient to passive attacks, implying that the protocol MAY permit
    > active attacks.
    >
    > This is generally not an acceptable practice in security or cryptographic
    > protocol design.  Generally speaking, on IP networks, someone who
    > can read packets can also send packets.
    
    True, but there is a big difference between passive attacks and the "I can
    send a few packets" attacks; the "I can send a few packets" attacks won't
    (as commonly described) be able to sustain a full session, and thus there
    will be loggable activity (target shutdown before I authenticated it, for
    instance). Passive attacks are not detectable by either the target or
    initiator. Put another way, we can't notice passive attacks, while we can
    notice active ones (*).
    
    (*) We probably wouldn't be able to notice REALLY GOOD active attacks, but
    I don't think we'll ever be able to protect against REALLY GOOD active
    attacks; whatever protection we do, an attacker just has to try harder.
    
    Also, on the switched networks that iSCSI is going to use, if you're on a
    different port, you have to flood the switch to be able to see (and thus
    send) packets. So not many folks will be able to pull off either type of
    attack easily.
    
    > A simple fix is to remove the distinction in 6.2 between active and
    > passive attacks, as in:
    >
    >         "6.2 ...  The iSCSI authenticated login MUST be resilient against
    >         attacks.  ..."
    
    I object. In Minneapolis, when we were talking about SRP and CHAP, the
    objections to CHAP that were expressed were (very correctly) that it was
    open to passive attacks. Active attacks were not mentioned, even though
    DH-CHAP was described as not being resistant to them. David and others
    went out and worked on DH-CHAP given that set of objections. To make this
    change now strikes me as unfair.
    
    > If one chooses to discriminate in this document between active and
    > passive attacks, going against common wisdom, I would think that
    > one *must* justify within the document exactly what distinction is
    > being made and why.
    >
    > I think that the IPS WG discussed valid reasons why one might want
    > to protect the authentication packets to a higher degree than session
    > data packets.  On the other hand, I heard no particularly good reason
    > why active attacks would be categorically impossible in the common
    > settings where passive attacks would be possible.
    
    I don't think it's that active attacks are impossible, it's that they
    won't go unnoticed. Passive ones will.
    
    Also, if we're concerned about active attacks, why not turn on IPsec?
    That's its job. :-) AH (or ESP with null encryption) in transport mode
    won't add much overhead, and will totally shut down active attacks. :-)
    
    Take care,
    
    Bill
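The exchange discussed above, as an added worked example that is not part of the original message or of any IPS WG draft: a toy model of plain CHAP and of a DH-enhanced CHAP variant. It shows why a purely passive eavesdropper can run an offline dictionary attack against a captured CHAP challenge/response pair (the Minneapolis objection), why the same capture is useless once the challenge is bound to a Diffie-Hellman shared value, and why the active man-in-the-middle that does recover the secret from the DH variant leaves a failed login behind for the target to log. The `dhchap_response` construction is a simplification for illustration, not the DH-CHAP wire format, and the DH group (a Mersenne prime with generator 3) is a toy chosen only so the example runs instantly; the wordlist and secret are constructed.

```python
import hashlib
import secrets

# Constructed wordlist standing in for an attacker's password dictionary.
WORDLIST = [b"password", b"iscsi", b"letmein", b"target01", b"s3cret!"]

# Toy Diffie-Hellman group (assumption): NOT a real DH group, used so the
# example runs instantly. The eavesdropper below never tries to solve it.
P = 2**127 - 1
G = 3


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP/MD5 response: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def dhchap_response(ident: int, secret: bytes, challenge: bytes, shared: int) -> bytes:
    """Simplified DH-enhanced CHAP response (assumption, not the DH-CHAP wire
    format): the challenge is first bound to the DH shared value g^xy, so the
    response depends on a quantity a passive listener never sees."""
    bound = hashlib.md5(challenge + shared.to_bytes(16, "big")).digest()
    return chap_response(ident, secret, bound)


def dictionary_attack(ident, challenge, response, wordlist, shared=None):
    """Offline guess-and-check over a captured (challenge, response) pair.
    Returns the recovered secret, or None if no guess reproduces the response."""
    for guess in wordlist:
        if shared is None:
            cand = chap_response(ident, guess, challenge)
        else:
            cand = dhchap_response(ident, guess, challenge, shared)
        if cand == response:
            return guess
    return None


def run_chap_passive(secret=b"target01"):
    """Plain CHAP: the target accepts, and the eavesdropper who saw the
    challenge and response recovers the secret offline. Nothing is logged."""
    ident, challenge = 1, secrets.token_bytes(16)
    response = chap_response(ident, secret, challenge)          # initiator -> target
    target_accepts = response == chap_response(ident, secret, challenge)
    recovered = dictionary_attack(ident, challenge, response, WORDLIST)
    return target_accepts, recovered


def run_dhchap_passive(secret=b"target01"):
    """DH variant: the eavesdropper sees g^x, g^y, challenge and response but
    not g^xy, so the same offline attack finds nothing. Login still succeeds."""
    ident, challenge = 1, secrets.token_bytes(16)
    x, y = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
    gx, gy = pow(G, x, P), pow(G, y, P)                          # on the wire
    response = dhchap_response(ident, secret, challenge, pow(gy, x, P))
    target_accepts = response == dhchap_response(ident, secret, challenge, pow(gx, y, P))
    recovered = dictionary_attack(ident, challenge, response, WORDLIST)
    return target_accepts, recovered


def run_dhchap_active(secret=b"target01"):
    """Active MITM: the attacker hands the initiator its own g^a instead of the
    target's g^y. It now knows the initiator-side shared value g^xa, so the
    dictionary attack works again, but the response it relays was computed
    under g^xa, not g^xy, so the target rejects the login, which is loggable."""
    ident, challenge = 1, secrets.token_bytes(16)
    x, y, a = (secrets.randbelow(P - 2) + 1 for _ in range(3))
    gx, ga = pow(G, x, P), pow(G, a, P)
    shared_initiator = pow(ga, x, P)        # initiator thinks this is g^xy
    response = dhchap_response(ident, secret, challenge, shared_initiator)
    recovered = dictionary_attack(ident, challenge, response, WORDLIST,
                                  shared=pow(gx, a, P))            # attacker's g^xa
    target_accepts = response == dhchap_response(ident, secret, challenge, pow(gx, y, P))
    return target_accepts, recovered


if __name__ == "__main__":
    print("CHAP, passive:   accepted=%s recovered=%s" % run_chap_passive())
    print("DH-CHAP, passive: accepted=%s recovered=%s" % run_dhchap_passive())
    print("DH-CHAP, active:  accepted=%s recovered=%s" % run_dhchap_active())
```

The three scenarios map onto the argument in the message: the passive capture of plain CHAP yields the secret with no trace at either end, the same capture of the DH variant yields nothing, and the active attacker who wants the secret from the DH variant has to break a login in the process (and would need to recover the secret before the target's login timer expires to turn it into a usable session), which is exactly the loggable activity the reply relies on.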
    
    


Last updated: Mon Apr 29 16:18:23 2002