SORT BY:

LIST ORDER
THREAD
AUTHOR
SUBJECT


SEARCH

IPS HOME


    [Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

    RE: Security Use Requirements



    > As far as a host-based IPSec implementation is concerned, we could use
    this
    > for the WWUI to identify the initiator and target (I don't think its
    > feasible to have external security gateways use WWUI).  An IKE negotiation
    > between iSCSI devices could thus use the WWUI to set up the IPSec SA's.
    > However, RFC 2407 section 4.6.2.1 (IPSec DOI) indicates the only
    identifiers
    > usable (at least at the time of writing of RFC 2407) are FQDN's, IP
    > addresses or subnets, X500 names, or X509 certificates as the identifier.
    > If iSCSI intends to use WWUI, we would need to coordinate with IANA to add
    > in WWUI as another identifier type.
    
    Or lay out some guidelines for things that SHOULD or MUST be checked to
    make sure that the identity used in IPSec is the correct one for the iSCSI
    initiator or target.  This has some implications for iSNS security as well.
    
    > But I wonder if this is all really necessary???  Isn't it sufficient to
    have
    > the IP addresses identify the SA endpoints?  Isn't this what most ISAKMP
    > implementations are doing?  Is anyone aware of any other application that
    > use something other than IP addresses or FQDN's to negotiate IPSec SA's???
    
    There are definitely people out there using X.509 certificates for this
    purpose.
    The most common certificates bind keys to DNS domains, but the domain in
    the cert need not be the FQDN of the machine using the cert (e.g.,
    www.foo.com
    may consist of a bunch of machines behind a web load balancer, all of
    which present the same certificate to browsers - note that this is actually
    an SSL/TLS example, but the same thing can be done in IPSec).  I don't
    know what else is in common use - Ran or Bernard?
    
    > This leads to the original point I was trying to make at the interim
    > meeting, that for all practical purpposes, IPSec SA's really need only be
    > negotiated between IP addresses.  Once a connection has been secured
    between
    > the IP addresses, then WWUI's are used for authorization in the iSCSI
    login
    > exchange.  Sure, if we really wanted we could go in and include the WWUI
    in
    > the ISAKMP exchange, but I question if this adds any value at all.
    
    If I understand this correctly, Josh is advocating that there be no required
    relationship between the IP addresses used to authenticate IPSec SAs and
    the WWUIs used to authenticate iSCSI login ... allow me to demolish this
    strawman :-) ... I have at least two significant concerns about this
    approach:
    - It opens up a set of attacks based on subverting the mechanism (or
    	lack thereof) used to associate IP addresses with iSCSI targets
    	(and initiators). 	If iSCSI target T is supposed to be behind
    IP address
    	foo, and the adversary can convince initiator I to access T
    	by instead opening up a tunnel-mode IPSec SA to a different
    	IP address bar, the absence of any check between IP address
    	and target identity makes the adversary's job significantly easier.
    	FCIP has a similar issue in its tunnel configuration.
    - It also opens up a set of man-in-the-middle attacks based on the
    	adversary being *between* one of the iSCSI nodes and its IPSec
    	gateway.  Many IPSec gateways are located one or more hops
    	from the endpoints that they protect, and it's not in general
    	correct to assume that the network protected by the gateway
    	is inherently secure.
    Given the choice, I'd much rather lay down a set of rules and guidelines
    for identity checking than resort to running an end to end authentication
    and cryptographic integrity protocol inside an IPSec tunnel.
    
    With my WG co-chair hat on, I want to clarify the above by stating that
    I believe that the WG must consider the two classes of attacks/threats
    that I itemized above, but also that the "Given the choice" sentence
    above is probably not a comprehensive taxonomy of the possible
    countermeasures.
    
    Thanks,
    --David
    ---------------------------------------------------
    David L. Black, Senior Technologist
    EMC Corporation, 42 South St., Hopkinton, MA  01748
    +1 (508) 435-1000 x75140     FAX: +1 (508) 497-8500
    black_david@emc.com       Mobile: +1 (978) 394-7754
    ---------------------------------------------------
    
    


Home

Last updated: Tue Sep 04 01:05:34 2001
6315 messages in chronological order