RE: iSCSI login authentication

To: vince_cavanna@agilent.com
Subject: RE: iSCSI login authentication
From: Paul Koning <ni1d@arrl.net>
Date: Tue, 30 Apr 2002 13:34:22 -0400
Cc: ips@ece.cmu.edu
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=us-ascii
References: <01A7DAF31F93D511AEE300D0B706ED9201BF48E1@axcs13.cos.agilent.com>
Sender: owner-ips@ece.cmu.edu

Excerpt of message (sent 30 April 2002) by vince_cavanna@agilent.com:
> I would like to add another question to Jim's.
> Does anyone know how CHAP and SRP justify their apparent lack of protection
> from denial of service attack prior to authentication? My understanding is
> that IKE attempts to provide such protection by exchanging cookies at the
> beginning of the phase 1 exchange.

I think the reality is better than the appearance.

IKE runs on UDP, so you need something explicit to protect against
flooding attacks (people sending datagrams to you with forged source
addresses). 

iSCSI runs on TCP, so those attacks don't work.  You have to send
attacking packets with a real source address and not just send but
receive and respond as well, before you reach the point where you can
force D-H cycles to be consumed.  That's the same as (or better than)
IKE.  You can't do better than that unless you move towards one of
those significantly more complex schemes that make the initiator do a
lot more computation than the responder.

    paul

References:
- RE: iSCSI login authentication
  - From: vince_cavanna@agilent.com

Prev by Date: Re: iSCSI: question about numeric IPv6 addr
Next by Date: RE: questions about FCIP connection failure detection
Prev by thread: RE: iSCSI login authentication
Next by thread: iSCSI - re-phrase of 4.1
Index(es):
- Date
- Thread

Home

Last updated: Tue Apr 30 15:18:25 2002
9894 messages in chronological order