Re: iSCSI Ping and DoS

Glen,

I will make an honest attempt. I see your point.

Thanks,
Julo

Glen Turner <"glen.turner+ips"@aarnet.edu.au> on 24/10/2000 07:18:12

Please respond to Glen Turner <"glen.turner+ips"@aarnet.edu.au>

To: satran@haifa.vnet.ibm.com
cc:
Subject: iSCSI Ping and DoS

draft-satran-iscsi-01.txt in section 3.15 deals with Ping and
section 3.16 deals with Ping Response. The wording between
the sections is inconsistent:

> When a target receives the Ping Command, it should respond
> with a Ping Response, duplicating as much of the data as
> possible that was provided in the Ping Command (if such
> data was present).

and

> When a target receives the Ping Command, it should respond with a
> Ping Response, duplicating the data and Initiator Task Tag that was
> provided in the Ping Command, if present.

Because unauthenticated connections are desirable, the amount
of data reflected in a Ping Response should be left under the
control of the server. This allows a public server to always
respond with zero Ping Response data, preventing that server's
participation in a vectored denial of service attack.

I suggest a wording of

   When a target receives a Ping Command it MUST respond with
   a Ping Response. The response SHOULD duplicate as much of
   the data provided by the Ping Command as possible.

   The target MUST provide a configurable upper limit to the
   amount of data sent in a Ping Response. This upper limit
   MAY vary depending upon session attributes, such as the
   authentication mechanism. The default upper limit SHOULD
   be large.

   The intent of limiting the size of the Ping Response is to
   prevent public iSCSI targets from sending large Ping Response
   packets in response to a Ping Command with a forged source
   IP address and correct TCP attributes.

--
Glen Turner
Network Engineer
(08) 8303 3936
Australian Academic and Research Network
glen.turner@aarnet.edu.au
http://www.aarnet.edu.au/
--
The revolution will not be televised, it will be digitised
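
The size limit proposed in the message above, as an added example that is not part of the original thread or of the iSCSI draft. The class names, the auth labels ("none", "weak", "strong") and the limit values are assumptions, and the PDU is modelled only as an Initiator Task Tag plus data.

```python
from dataclasses import dataclass, field

DEFAULT_LIMIT = 65536  # assumed value for "the default upper limit SHOULD be large"

@dataclass
class PingPolicy:
    """Configurable upper limit on echoed data, optionally per auth mechanism."""
    default_limit: int = DEFAULT_LIMIT
    per_auth_limit: dict = field(default_factory=dict)  # auth label -> max bytes

    def __post_init__(self):
        limits = [self.default_limit, *self.per_auth_limit.values()]
        if any(limit < 0 for limit in limits):
            raise ValueError("Ping Response limits must be >= 0")

    def limit_for(self, auth_method):
        # Session attributes without a specific entry get the default limit.
        return self.per_auth_limit.get(auth_method, self.default_limit)

@dataclass
class PingCommand:
    initiator_task_tag: int
    data: bytes = b""

@dataclass
class PingResponse:
    initiator_task_tag: int
    data: bytes
    truncated: bool

def build_ping_response(cmd, auth_method, policy):
    """Always answer (MUST); echo only as much data as the limit allows (SHOULD)."""
    echoed = cmd.data[:policy.limit_for(auth_method)]
    return PingResponse(cmd.initiator_task_tag, echoed, len(echoed) < len(cmd.data))

def reflected_fraction(cmd, resp):
    """Share of the command's data bytes sent back toward the claimed source."""
    return len(resp.data) / len(cmd.data) if cmd.data else 0.0

# Constructed policy for a public target: unauthenticated sessions get zero
# echoed data, weakly authenticated ones a small cap, the rest the default.
PUBLIC_TARGET = PingPolicy(per_auth_limit={"none": 0, "weak": 4096})

if __name__ == "__main__":
    cmd = PingCommand(initiator_task_tag=0x1234, data=b"A" * 8192)  # constructed
    for auth in ("none", "weak", "strong"):
        resp = build_ping_response(cmd, auth, PUBLIC_TARGET)
        print(auth, len(resp.data), resp.truncated, reflected_fraction(cmd, resp))
```
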
Last updated: Tue Jul 16 14:18:57 2002