SORT BY:

LIST ORDER
THREAD
AUTHOR
SUBJECT


SEARCH

IPS HOME


    [Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

    RE: FCIP: WWN short frame and IPsec



    Murali
    
    Sorry for the delay in responding to this.
    
    > Could you please characterize and hence clarify the problem
    > with the existing use of WWN to add additional TCP connection.
    > I am hearing different views of the problem from different people.
    > I would like to get us all on the same page by answering:
    > 
    > 1) When is this a problem? With IPSec or without ?
    
    It is a problem in both situations, although the nature of the
    problem differs.  In the absence of IPsec, there is a direct
    exposure to false authentication (the WWN in the short frame
    is not checked, and hence any connection from anywhere could
    present any WWN).  In the presence of IPsec, there is an exposure
    to a device using an IPsec identity that does not match the WWN
    presented in the short frame (i.e., Bob announces himself as Bob
    to IKE, but then presents Alice's WWN to intercept traffic
    to her and/or inject traffic as if it were from her).
    
    > 2) What are the threat assumptions?
    
    I suggest looking at section 2 of the security draft.  The threat
    in the absence of IPsec includes a variant of [4] that is much
    easier to pull off than hijacking the TCP connection - the
    description of [4] in the security draft may need to be expanded
    to encompass this.
    
    > Is the rogue device a party that is assumed to be "trusted" ?
    
    I suspect the question is ill-formed.  Classifying the world
    into "trusted" and "un-trusted" entities is not a good way
    to think about security.  The fundamental threat here is a device
    exceeding its authorization by presenting a WWN that it is
    not authorized to present and therefore being able to receive
    traffic forwarded to or through that WWN and send traffic as
    if it came from or through that WWN.
    
    As indicated previously on the list, an assumption that the
    WWN must be correct if presented on an IPsec-secured connection
    on which the other party has passed IKE authentication is not
    good enough - in the absence of other measures, the WWN would
    have to be checked against the IKE identity to prevent the
    above problem with Bob presenting Alice's WWN.  In other words,
    the fact that a connection has passed an IPsec authentication is
    not in general sufficient to fully trust it; there are conditions
    in which this may be the case, but they depend on local security
    policy.
    
    Thanks,
    --David
    
    ---------------------------------------------------
    David L. Black, Senior Technologist
    EMC Corporation, 42 South St., Hopkinton, MA  01748
    +1 (508) 435-1000            FAX: +1 (508) 497-8500
    black_david@emc.com       Mobile: +1 (978) 394-7754
    ---------------------------------------------------
    


Home

Last updated: Tue Dec 18 23:17:44 2001
8142 messages in chronological order