RE: FCIP iFCP encapsulation proposal

Bob,

You are assuming that a debug analyzer would store the entire TCP frame. Perhaps, but just as likely only iFCP payload is stored as the analyzer may assume TCP does not require debugging and perhaps not seen depending on where the filter is placed. Even so, a binary image of an entire Ethernet frame is not likely to be contained completely within an Ethernet frame as a storage block. It is likely to be fragmented.

Even if the definition of a valid header was extended to include a valid trailer from the previous PDU, you still will be confronted with the same problem. A TCP header placed anywhere before an apparently valid header will not be of any concern to a header search. The method of delivery is simply the image is contained within storage blocks delivered as legitimate payload. Once synchronization is lost due to a packet drop, the ability to determine payload from headers is removed and that was the point that David was making. In other words, it may not even be a malicious act for this error to occur.

Doug

> -----Original Message-----
> From: Robert Snively [mailto:rsnively@brocade.com]
> Sent: Thursday, March 15, 2001 9:18 AM
> To: 'Douglas Otis'; Robert Snively; Black_David@emc.com; ips@ece.cmu.edu
> Subject: RE: FCIP iFCP encapsulation proposal
>
> Doug,
>
> The binary image is of ethernet frames. It requires the existence
> of a matching TCP/IP connection with matching TCP headers,
> including pdu sequencing information, which is not knowable
> from the spoofer. How are these delivered?
>
> The same question is true for each of the other layers of the
> transfer, and the same unlikely scenario must be played back
> for each. I just don't see such data being delivered by
> a responsible software layer.
>
> Bob
>
> > -----Original Message-----
> > From: Douglas Otis [mailto:dotis@sanlight.net]
> > Sent: Wednesday, March 14, 2001 1:15 PM
> > To: Robert Snively; Black_David@emc.com; ips@ece.cmu.edu
> > Subject: RE: FCIP iFCP encapsulation proposal
> >
> > Bob,
> >
> > Without discussing spoofing where attackers successfully guess TCP
> > sequences (made too easy in some cases), a binary image is stored and
> > then legitimately sent as a payload, with the example being binary
> > content of a debug analyzer. In this case, headers contained within
> > the payload could be seen as valid. The valid header within the
> > payload may fool a process that attempts to recover header
> > synchronization following a dropped packet. This header may carry the
> > same information in current use and be acted upon or send the
> > connection into error oblivion. It would appear to represent a
> > weakness that can be exploited. Dropped packets happen.
> >
> > Doug
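
The resynchronization failure discussed in this thread, as an added example that is not part of the original messages: a receiver that hunts for the next self-consistent header after losing framing accepts a header that was only ever payload. The header layout (marker, length, ones-complement of length), the marker value and the sample traffic are constructed assumptions, not the FCIP or iFCP format.

```python
import struct

MARKER = 0x1FCB  # hypothetical marker value, not taken from any draft

def encap(payload: bytes) -> bytes:
    """Hypothetical header: marker, length, ones-complement of length."""
    n = len(payload)
    return struct.pack(">HHH", MARKER, n, n ^ 0xFFFF) + payload

def header_ok(buf: bytes, off: int):
    """Return the payload length if a self-consistent header starts at off."""
    if off + 6 > len(buf):
        return None
    marker, n, inv = struct.unpack_from(">HHH", buf, off)
    if marker == MARKER and inv == n ^ 0xFFFF and off + 6 + n <= len(buf):
        return n
    return None

def resync_and_parse(buf: bytes):
    """Naive recovery: scan byte by byte for the next valid-looking header."""
    off, pdus = 0, []
    while off < len(buf):
        n = header_ok(buf, off)
        if n is None:
            off += 1  # hunting for synchronization
            continue
        pdus.append(buf[off + 6: off + 6 + n])
        off += 6 + n
    return pdus

# Constructed traffic: the second PDU legitimately carries an analyzer
# capture that contains the raw bytes of an older encapsulated PDU.
old_pdu = encap(b"WRITE LUN 7")
capture = b"trace-0001:" + old_pdu + b":end"
stream = encap(b"READ LUN 1") + encap(capture) + encap(b"READ LUN 2")

def demo():
    intact = resync_and_parse(stream)
    # Lose the second PDU's real header plus a few payload bytes, so the
    # receiver no longer knows where payload ends and must hunt.
    cut = len(encap(b"READ LUN 1"))
    damaged = stream[:cut] + stream[cut + 10:]
    return intact, resync_and_parse(damaged)

if __name__ == "__main__":
    for label, pdus in zip(("intact", "after loss"), demo()):
        print(label, pdus)
```

With framing intact the capture is delivered as one opaque payload; after the loss, the header check alone cannot distinguish the embedded header from a real one, because both pass the same self-consistency test.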