SORT BY:

LIST ORDER
THREAD
AUTHOR
SUBJECT


SEARCH

IPS HOME


    [Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

    RE: FCIP: NAPTs Solution Proposal (issue from Irvine, CA Interim meeting)



    Venkat,
    
    Let me try to summarize and explain without quoting your entire message:
    
    -- Pre-shared keys
    
    The existing text in the IPS security draft on pre-shared keys and IKE
    authentication modes is fine in the absence of the recent WWN short
    frame addition.  That addition changes the security properties of FCIP
    by introducing an inband authentication/authorization for which it
    is necessary to provide security.  Doing so without using an inband
    authentication protocol impacts group pre-shared keys and other things.
    
    -- WWN short frame and administration
    
    > "The usage of SLPv2 by FCIP is described in [64]. FCIP Entities assume
    > that once the IKE identity of a peer is established, the FCIP Entity
    > Name carried in FCIP Short Frame is also implicity accepted as the
    > authenticated peer.  Any such association between the IKE identity and
    > the FCIP Entitiy Name is administratively established."
    
    > Do you see any further clarification required in this area? 
    > Also, is there
    > any conflict with the FCIP Short Frame proposal (the NAPTs) solution?
    
    Work is definitely required here, because that short frame is
    serving an authentication/authorization purpose and hence the means
    need to be provided to adequately secure it.  The assumption in the
    second sentence above isn't sufficient because it opens up nasty
    attacks including the denial of service ones I described earlier.
    In addition, that assumption makes IKE and ESP cryptographic
    integrity at least "SHOULD use" for FCIP, and I can't promise that
    the Security ADs will settle for "SHOULD use" as opposed to "MUST
    use".  The reason for this change from the "MAY use" that applied
    prior to the introduction of the WWN short frame is that the
    authentication/authorization performed by that short frame is a
    class of function that is far more important, expected, and widely
    used than cryptographic integrity - the assumption uses cryptographic
    integrity to secure a mandatory authentication mechanism and hence
    increases the requirement for cryptographic integrity.
    
    And as things currently stand, the "administrative establishment" of
    that association will need to be done not only at the sender of the
    short frame, but also at the recipient.  When IKE is in use, both
    establishment of the association and the check at the receiver (IKE
    identity for IPsec SA and WWN in short frame that arrived on that SA
    are associated) will need to be "MUST"s.  Group pre-shared keys make
    these sort of checks difficult to specify and use properly - the fastest
    way to resolve this is to make group pre-shared keys "MUST NOT use"
    for FCIP.
    
    Thanks,
    --David
    
    ---------------------------------------------------
    David L. Black, Senior Technologist
    EMC Corporation, 42 South St., Hopkinton, MA  01748
    +1 (508) 435-1000 x75140     FAX: +1 (508) 497-8500
    black_david@emc.com       Mobile: +1 (978) 394-7754
    ---------------------------------------------------
    


Home

Last updated: Mon Nov 19 17:17:35 2001
7856 messages in chronological order