RE: iSCSI login authentication

Excerpt of message (sent 30 April 2002) by vince_cavanna@agilent.com:

> I would like to add another question to Jim's.
> Does anyone know how CHAP and SRP justify their apparent lack of protection
> from denial of service attack prior to authentication? My understanding is
> that IKE attempts to provide such protection by exchanging cookies at the
> beginning of the phase 1 exchange.

I think the reality is better than the appearance.

IKE runs on UDP, so you need something explicit to protect against flooding attacks (people sending datagrams to you with forged source addresses). iSCSI runs on TCP, so those attacks don't work. You have to send attacking packets with a real source address and not just send but receive and respond as well, before you reach the point where you can force D-H cycles to be consumed. That's the same as (or better than) IKE.

You can't do better than that unless you move towards one of those significantly more complex schemes that make the initiator do a lot more computation than the responder.

paul
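To make the phase 1 cookie idea mentioned in the excerpt concrete, here is an added example (not from this thread, and not real IKE code) of a stateless responder cookie: the responder keeps no state and runs no D-H until the peer echoes a cookie that could only have been received at the claimed source address, which is the same "must receive and respond" property the reply attributes to TCP. The class, function names, epoch window and addresses are constructed for the example.

```python
import hashlib
import hmac
import os


class CookieResponder:
    """Constructed model of an IKE-style phase 1 cookie (not real IKE): the
    cookie is an HMAC over the claimed source and a time window, so the
    responder stores nothing and does no D-H until the peer echoes it back."""

    def __init__(self, secret=None, window=60):
        self.secret = secret or os.urandom(32)
        self.window = window      # seconds per cookie epoch
        self.dh_cycles = 0        # expensive operations actually performed

    def _cookie(self, src, epoch):
        return hmac.new(self.secret, f"{src}|{epoch}".encode(), hashlib.sha256).digest()[:16]

    def on_first_message(self, src, now):
        """Cheap reply (one HMAC, no state); the cookie is sent back to src only."""
        return self._cookie(src, int(now // self.window))

    def on_second_message(self, src, cookie, now):
        """Only a correctly echoed cookie triggers the expensive D-H work."""
        epoch = int(now // self.window)
        for e in (epoch, epoch - 1):      # tolerate one epoch rollover
            if hmac.compare_digest(cookie, self._cookie(src, e)):
                self.dh_cycles += 1       # stands in for a D-H exponentiation
                return True
        return False


def spoofed_flood(n, now=1000.0):
    """n first messages from forged sources (constructed scenario): the replies
    go to the forged addresses, so only guesses come back. Returns D-H cycles spent."""
    r = CookieResponder()
    for i in range(n):
        src = f"203.0.113.{i % 256}"
        r.on_first_message(src, now)                   # reply lost to forged source
        r.on_second_message(src, os.urandom(16), now)  # blind guess, rejected
    return r.dh_cycles


def legitimate_exchange(delay, now=1000.0):
    """A real peer echoes its cookie after `delay` seconds; returns (accepted, cycles)."""
    r = CookieResponder(window=60)
    cookie = r.on_first_message("198.51.100.7", now)
    ok = r.on_second_message("198.51.100.7", cookie, now + delay)
    return ok, r.dh_cycles
```

The flood costs the responder one HMAC per datagram and zero D-H cycles, while a genuine peer is accepted even when its reply crosses an epoch boundary and is refused once the cookie is too old.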