RE: FCIP iFCP encapsulation proposal

Stephen Bailey

> Not if the frame begins a new exchange. Instead of concentrating on
> FCP_DATA, and the read (target->initiator) direction, look at other FC
> PDUs and the write direction (initiator->target).
>
> A single frame could be an FCP_CMD with a SCSI command, (e.g. RESERVE
> or START STOP UNIT with LOEJ=1), or a task management function
> (e.g. target reset) or an FC link service (e.g. LOGO). I'm sure there
> are more clever attacks too.
>
> The only thing you need to know is the FC IDs of a logged-in
> target/initiator pair which share the TCP connection you're using.
> Certainly, the easiest pair would be the attacking system's FC_ID ...

To begin a new exchange in an Internet environment, I do hope we check stuff more than just FC_ID before allowing a START_STOP_UNIT or TARGET_RESET.

After a successful login and text message exchanges, both initiator and target keep a Port/Connection Control Block to save all kinds of goodies resulting from the exchanges. The goodies WILL be checked before allowing an operation. If not, there is no security and all the discussions herein are somewhat academic.

Furthermore, if the login and text messages are easily stolen, it is a security issue, not an operation issue.

Y.P.
Last updated: Tue Sep 04 01:05:19 2001