Re: DH-CHAP

To: "Yongge Wang" <ywang@karthika.com>
Subject: Re: DH-CHAP
From: Jonathan Stone <jonathan@dsg.stanford.edu>
Date: Mon, 15 Apr 2002 11:22:43 -0700
cc: "Bill Studenmund" <wrstuden@wasabisystems.com>, ips@ece.cmu.edu
In-reply-to: Your message of "Mon, 15 Apr 2002 13:21:48 EDT." <FOEDIAMMNNAJCNDKPAAPIEFACAAA.ywang@karthika.com>
Sender: owner-ips@ece.cmu.edu

In message <FOEDIAMMNNAJCNDKPAAPIEFACAAA.ywang@karthika.com>,
"Yongge Wang" writes:
[...]

>But the switch has to broadcast again on the outgoing port, right?

Depends on one's perspective.

For typical network engineering, the answer is "no". In many
environments, it's safe to assume that, while there may be cascades of
Ethernet switches, there is only one leaf device per switch port.
(Otherwise, you lose the benefits of full-duplex on the multi-drop
segment.)

For cryptographic purposes, it's moot: someone with physical access to
the switch can put a port into monitor mode, snoop the traffic on the
ethernet-switch-port in question, and forge MAC addresses to inject
packets into that data stream.

Consider the case where end-users control the iSCSI devices
communicating via a switched ethernet, and the iSCSI end-user
don't wish to trust the administrator of the Ethernet switch.

Follow-Ups:
- RE: DH-CHAP
  - From: "Yongge Wang" <ywang@karthika.com>

References:
- RE: DH-CHAP
  - From: "Yongge Wang" <ywang@karthika.com>

Prev by Date: Re: DH-CHAP
Next by Date: RE: DH-CHAP
Prev by thread: RE: DH-CHAP
Next by thread: RE: DH-CHAP
Index(es):
- Date
- Thread

Home

Last updated: Mon Apr 15 15:18:22 2002
9679 messages in chronological order