Re: FCIP iFCP encapsulation proposal

> It is NOT just these fields looking like a valid frame; they MUST
> match the saved information inside a valid Exchange Control Block
> (ECB) referred to by the OX_ID and RX_ID.

Not if the frame begins a new exchange. Instead of concentrating on FCP_DATA, and the read (target->initiator) direction, look at other FC PDUs and the write direction (initiator->target). A single frame could be an FCP_CMD with a SCSI command (e.g. RESERVE or START STOP UNIT with LOEJ=1), or a task management function (e.g. target reset), or an FC link service (e.g. LOGO). I'm sure there are more clever attacks too.

The only thing you need to know is the FC IDs of a logged-in target/initiator pair which share the TCP connection you're using. Certainly, the easiest pair would be the attacking system's FC_ID and the target from which you are launching the attack (i.e. the target to which you are directing the stream of write data). However, if you know other logged-in FC_ID pairs, you can also do a 3rd party attack. It is not the case that FC_IDs are going to be well kept secrets which will require a 'til the sun grows cold parameter search.

Steph
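The distinction drawn in the reply above, as an added example that is not part of the original message: a toy receive-side check in Python showing that the ECB comparison only constrains frames that continue an open exchange, while a frame that opens an exchange is gated only by the logged-in FC_ID pair. It assumes the standard 24-byte FC frame header layout; the function names, the shape of the ECB table and all sample IDs are hypothetical.

```python
import struct
from typing import NamedTuple

F_CTL_FIRST_SEQUENCE = 1 << 21  # F_CTL bit 21: first Sequence of an Exchange
RX_ID_UNASSIGNED = 0xFFFF       # responder has not assigned an RX_ID yet

class Header(NamedTuple):
    r_ctl: int
    d_id: int
    s_id: int
    fc_type: int
    f_ctl: int
    seq_cnt: int
    ox_id: int
    rx_id: int

def parse_header(raw: bytes) -> Header:
    """Parse the 24-byte FC frame header (six big-endian words)."""
    if len(raw) < 24:
        raise ValueError("FC frame header is 24 bytes")
    w0, w1, w2, w3, ox_id, rx_id, _param = struct.unpack(">IIIIHHI", raw[:24])
    return Header(w0 >> 24, w0 & 0xFFFFFF, w1 & 0xFFFFFF, w2 >> 24,
                  w2 & 0xFFFFFF, w3 & 0xFFFF, ox_id, rx_id)

def check_frame(raw: bytes, logged_in: set, ecbs: dict) -> str:
    """Toy receive-side check. logged_in holds frozenset({id_a, id_b}) pairs;
    ecbs maps (ox_id, rx_id) to the pair that owns that open exchange."""
    h = parse_header(raw)
    pair = frozenset((h.s_id, h.d_id))
    if pair not in logged_in:
        return "reject: pair not logged in"
    if h.f_ctl & F_CTL_FIRST_SEQUENCE and h.seq_cnt == 0 and h.rx_id == RX_ID_UNASSIGNED:
        # Opens a new exchange: no ECB exists yet, so nothing is compared.
        return "accept: new exchange, no ECB consulted"
    if ecbs.get((h.ox_id, h.rx_id)) == pair:
        return "accept: matches ECB"
    return "reject: no matching ECB"

def pack_header(r_ctl, d_id, s_id, fc_type, f_ctl, seq_cnt, ox_id, rx_id) -> bytes:
    """Build a constructed sample header (CS_CTL, SEQ_ID, DF_CTL, Parameter zero)."""
    return struct.pack(">IIIIHHI", r_ctl << 24 | d_id, s_id, fc_type << 24 | f_ctl,
                       seq_cnt, ox_id, rx_id, 0)

# Constructed sample values, not taken from the thread.
INITIATOR, TARGET = 0x010200, 0x010300
LOGGED_IN = {frozenset((INITIATOR, TARGET))}
ECBS = {(0x1234, 0x5678): frozenset((INITIATOR, TARGET))}
DATA_OK = pack_header(0x01, INITIATOR, TARGET, 0x08, 0x800000, 3, 0x1234, 0x5678)
DATA_BAD = pack_header(0x01, INITIATOR, TARGET, 0x08, 0x800000, 3, 0x4321, 0x5678)
NEW_CMD = pack_header(0x06, TARGET, INITIATOR, 0x08, 0x290000, 0, 0x4321, RX_ID_UNASSIGNED)
```

In this model the same OX_ID that is rejected on a data frame is accepted on a frame that starts an exchange, which is why frame-boundary integrity on the TCP stream cannot rest on the ECB match alone.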
Last updated: Tue Sep 04 01:05:20 2001