
    Re: iSCSI Ping and DoS



    
    
    Glen
    
    I will make an honest attempt. I see your point.
    
    Thanks,
    Julo
    
    Glen Turner <"glen.turner+ips"@aarnet.edu.au> on 24/10/2000 07:18:12
    
    Please respond to Glen Turner <"glen.turner+ips"@aarnet.edu.au>
    
    To:   satran@haifa.vnet.ibm.com
    cc:
    Subject:  iSCSI Ping and DoS
    
    
    
    
    draft-satran-iscsi-01.txt in section 3.15 deals with
    Ping and section 3.16 deals with Ping Response.
    
    The wording between the sections is inconsistent:
    
    > When a target receives the Ping Command, it should respond
    > with a Ping Response, duplicating as much of the data as
    > possible that was provided in the Ping Command (if such
    > data was present).
    
    and
    
    > When a target receives the Ping Command, it should respond with a
    > Ping Response, duplicating the data and Initiator Task Tag that was
    > provided in the Ping Command, if present.
    
    Because unauthenticated connections are desirable, the amount
    of data reflected in a Ping Response should be left under the
    control of the server.  This allows a public server to always
    respond with zero Ping Response data, preventing that server's
    participation in a vectored denial of service attack.
    
    I suggest a wording of
    
     When a target receives a Ping Command it MUST respond with
     a Ping Response.  The response SHOULD duplicate as much of the
     data provided by the Ping Command as possible.  The target MUST
     provide a configurable upper limit to the amount of data sent in
     a Ping Response.  This upper limit MAY vary depending upon session
     attributes, such as the authentication mechanism.  The default
     upper limit SHOULD be large.
    
     The intent of limiting the size of the Ping Response is to
     prevent public iSCSI targets from sending large Ping Response
     packets in response to a Ping Command with a forged source IP
     address and correct TCP attributes.
    
    --
     Glen Turner                                 Network Engineer
     (08) 8303 3936      Australian Academic and Research Network
     glen.turner@aarnet.edu.au          http://www.aarnet.edu.au/
    --
     The revolution will not be televised, it will be digitised
    
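The policy Glen proposes (always respond, echo as much as a per-session configurable limit allows, limit may depend on the authentication mechanism) modelled as an added target-side example; this is not code from the draft or from either poster, and the limit values, the 48-byte header size and the `"none"`/`"CHAP"` labels are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Assumed values: the proposed wording only says the default limit SHOULD
# be large and that a public target may choose zero.
DEFAULT_PING_LIMIT = 8192
UNAUTHENTICATED_PING_LIMIT = 0
PDU_HEADER_LEN = 48  # assumed fixed header size, used only for the ratio


@dataclass
class Session:
    auth_mechanism: str  # constructed labels: "none" or "CHAP"


@dataclass
class PingCommand:
    initiator_task_tag: int
    data: bytes


@dataclass
class PingResponse:
    initiator_task_tag: int
    data: bytes


def ping_limit(session: Session) -> int:
    """Upper limit on echoed data; 'MAY vary depending upon session attributes'."""
    if session.auth_mechanism == "none":
        return UNAUTHENTICATED_PING_LIMIT  # public target: reflect no payload
    return DEFAULT_PING_LIMIT


def handle_ping(session: Session, cmd: PingCommand) -> PingResponse:
    """Target MUST answer; the tag is echoed, the data is cut to the session's limit."""
    return PingResponse(cmd.initiator_task_tag, cmd.data[:ping_limit(session)])


def reflection_ratio(cmd: PingCommand, resp: PingResponse) -> float:
    """Bytes the target sends per byte it received; 1.0 means a full echo."""
    return (PDU_HEADER_LEN + len(resp.data)) / (PDU_HEADER_LEN + len(cmd.data))


if __name__ == "__main__":
    cmd = PingCommand(initiator_task_tag=7, data=b"A" * 4096)  # constructed input
    for sess in (Session("none"), Session("CHAP")):
        resp = handle_ping(sess, cmd)
        print(sess.auth_mechanism, len(resp.data), round(reflection_ratio(cmd, resp), 3))
```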