Re: Document Action: iSCSI Requirements and Design Considerations to Informational

Regarding the security requirements in <http://www.ietf.org/internet-drafts/draft-ietf-ips-iscsi-reqmts-06.txt> ...

Section 6.2 draws a curious and potentially dangerous distinction between active and passive attacks. It states that the authentication protocol MUST be resilient to passive attacks, implying that the protocol MAY permit active attacks. This is generally not an acceptable practice in security or cryptographic protocol design. Generally speaking, on IP networks, someone who can read packets can also send packets.

A simple fix is to remove the distinction in 6.2 between active and passive attacks, as in:

"6.2 ... The iSCSI authenticated login MUST be resilient against attacks. ..."

If one chooses to discriminate in this document between active and passive attacks, going against common wisdom, I would think that one *must* justify within the document exactly what distinction is being made and why. I think that the IPS WG discussed valid reasons why one might want to protect the authentication packets to a higher degree than session data packets. On the other hand, I heard no particularly good reason why active attacks would be categorically impossible in the common settings where passive attacks would be possible.

I also have a small editorial comment on page 2:

>Conventions used in this document
>
> This document describes the requirements for a protocol design, but
> does define a protocol standard. ...

I presume this should really say "does not define a protocol standard".

-- David

At 04:56 PM 4/25/02 -0400, The IESG wrote:
>The IESG has approved the Internet-Draft 'iSCSI Requirements and Design
>Considerations' <draft-ietf-ips-iscsi-reqmts-06.txt> as an
>Informational RFC. This document is the product of the IP Storage
>Working Group. The IESG contact persons are Allison Mankin and Scott
>Bradner.