|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] RE: FCIP: WWN short frame and IPsecMurali Sorry for the delay in responding to this. > Could you please characterize and hence clarify the problem > with the existing use of WWN to add additional TCP connection. > I am hearing different views of the problem from different people. > I would like to get us all on the same page by answering: > > 1) When is this a problem? With IPSec or without ? It is a problem in both situations, although the nature of the problem differs. In the absence of IPsec, there is a direct exposure to false authentication (the WWN in the short frame is not checked, and hence any connection from anywhere could present any WWN). In the presence of IPsec, there is an exposure to a device using an IPsec identity that does not match the WWN presented in the short frame (i.e., Bob announces himself as Bob to IKE, but then presents Alice's WWN to intercept traffic to her and/or inject traffic as if it were from her). > 2) What are the threat assumptions? I suggest looking at section 2 of the security draft. The threat in the absence of IPsec includes a variant of [4] that is much easier to pull off than hijacking the TCP connection - the description of [4] in the security draft may need to be expanded to encompass this. > Is the rogue device a party that is assumed to be "trusted" ? I suspect the question is ill-formed. Classifying the world into "trusted" and "un-trusted" entities is not a good way to think about security. The fundamental threat here is a device exceeding its authorization by presenting a WWN that it is not authorized to present and therefore being able to receive traffic forwarded to or through that WWN and send traffic as if it came from or through that WWN. As indicated previously on the list, an assumption that the WWN must be correct if presented on an IPsec-secured connection on which the other party has passed IKE authentication is not good enough - in the absence of other measures, the WWN would have to be checked against the IKE identity to prevent the above problem with Bob presenting Alice's WWN. In other words, the fact that a connection has passed an IPsec authentication is not in general sufficient to fully trust it; there are conditions in which this may be the case, but they depend on local security policy. Thanks, --David --------------------------------------------------- David L. Black, Senior Technologist EMC Corporation, 42 South St., Hopkinton, MA 01748 +1 (508) 435-1000 FAX: +1 (508) 497-8500 black_david@emc.com Mobile: +1 (978) 394-7754 ---------------------------------------------------
Home Last updated: Tue Dec 18 23:17:44 2001 8142 messages in chronological order |