SORT BY:

LIST ORDER
THREAD
AUTHOR
SUBJECT


SEARCH

IPS HOME


    [Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

    RE: iSNS DHC option comments -- response



    Hi David:
    
    Please see responses embedded below.
    
    > -----Original Message-----
    > From: Black_David@emc.com [mailto:Black_David@emc.com]
    > Sent: Wednesday, November 27, 2002 2:15 PM
    > To: ips@ece.cmu.edu
    > Subject: iSNS DHC option comments
    > 
    > (1)  If FCIP were to be added, we could run out of space in
    > the DD Access field.  I suggest moving the high order octet
    > of Administrative Flags to DD Access and making all of
    > those new DD Access bits RESERVED for future extensibility.
    > 
    
    Response
    
    Accepted.
    
    To provide improved flexibility for other future protocols, we propose to
    split the reserved area such that both DD Access and Administrative FLAGS
    have reserved fields, with DD Access having more than previously assigned.
    
    Current format is:
         0                   1                   2                   3
         0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        |   Code = TBD  |    Length     |          iSNS Functions       |
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        |   DD Access   |             Administrative FLAGS              |
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        |                 iSNS Server Security Bitmap                   |
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        |      a1       |       a2      |       a3      |       a4      |
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        |      b1       |       b2      |       b3      |       b4      |
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        |                            . . . .                            |
        |                 Additional Secondary iSNS Servers             |
        |                            . . . .                            |
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                           Figure 1 -- iSNS Server Option
    
    The proposed format is shown below.
    
         0                   1                   2                   3
         0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        |   Code = TBD  |    Length     |          iSNS Functions       |
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        |           DD Access           |     Administrative FLAGS      |
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        |                 iSNS Server Security Bitmap                   |
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        |      a1       |       a2      |       a3      |       a4      |
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        |      b1       |       b2      |       b3      |       b4      |
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        |                            . . . .                            |
        |                 Additional Secondary iSNS Servers             |
        |                            . . . .                            |
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                           Figure 1 -- iSNS Server Option
    
    Section 2.2
          0   1   2   3   4   5   6  ... 15
        +---+---+---+---+---+---+---+---+---+
        | if| tf| is| ts| C | E | Reserved  |
        +---+---+---+---+---+---+---+---+---+
           Figure 3 -- Discovery Domain Access
    
          Bit field     Significance
          ---------     ------------
             0          iFCP Initiator Port
             1          iFCP Target Port
             2          iSCSI Initiator
             3          iSCSI Target
             4          Control Node
             5          Enabled
           6-15         RESERVED
    
    Section 2.3
        1                           2                   3
        6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                RESERVED                   |D|M|H|E|
       +---+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                Figure 4 -- Administrative Flags
    
                   Bit Field               Significance
                   ---------               ------------
                   31                      Enabled
                   30                      Heartbeat
                   29                      Management SCNs
                   28                      Default Discovery Domain
                   27 - 16                 RESERVED
    
    
    
    
    > (2) The Security Considerations need to include the exposure
    > to a "bid down" attack on security policy distribution (malicious
    > intermediary weakens the security used) and say that reliance on
    > local policy to avoid unacceptably weak security is the
    > countermeasure.
    > 
    
    Response
    
    Comment accepted -- although a standard "bid down" attack will not work
    since
    the iSNS server will enforce it's own locally-configured security policy.
    Rather, the "bid down" attack should be part of a man-in-the-middle attack
    to trick the iSNS/DHCP client into connecting to a rogue iSNS server. See
    below:
    
    The following text should be added to section 3 Security Considerations:
    
    3. Security Considerations
    
    DHCP currently provides no authentication or security mechanisms. Potential
    exposures to attack are discussed in section 7 of the DHCP protocol
    specification [DHCP].
    
    iSNS security considerations are discussed in [iSNS] and [SEC-IPS]. With
    regard to security considerations specific to the use of this DHCP option to
    discover the location of the iSNS server, exposure to a "man-in-the-middle"
    attack by an hostile entity modifying or replacing the original iSNS option
    message should be considered a potential security exposure.  To prevent an
    attacker from weakening the required security and potentially tricking the
    iSNS client into connecting into rogue iSNS servers, reliance on local
    security policy configuration is an appropriate countermeasure.
    
    
    > Plus a few nits:
    > 
    > (3) Section 2.3 - Typo in name of bit 28, Discovrery --> Discovery
    > 
    
    Accepted.
    
    > (4) The description of the heartbeat should probably talk about
    > the Multicast address to which the heartbeat is sent, as opposed
    > to the current language about where it originates.
    > 
    
    Accepted.
    
    The section will be reworded as follows:
    
    Heartbeat:         Indicates whether the first IP address
                       is the multicast address to which the
                       iSNS heartbeat message is sent.  
                       If set to one, then a1-a4 contains the
                       heartbeat multicast address and b1-b4
                       contains the IP address of the primary
                       iSNS server, followed by the IP
                       address(es) of any backup servers.  If
                       set to zero, then a1-a4 contains the IP
                       address of the primary iSNS server,
                       followed by the IP address(es) of any
                       backup servers.
    
    > (5) Please double check that the PFS bit for security is needed.
    > It looks like it is, as I didn't find anything obvious in a quick
    > scan of RFC 2409 and the DOI (and IANA registry) only has KEY_IKE,
    > and the authentication methods, with nothing to indicate PFS usage.
    > 
    
    Response
    
    The PFS bit is needed as a configuration option in the security bitmap.  The
    DOI does not include PFS usage.
    
    -- Charles
    -----------------------------------------
    Charles Monia
    Senior Technology Consultant
    Nishan Systems
    email: cmonia@nishansystems.com
    voice: (408) 519-3986
    fax:   (408) 435-8385
     
    


Home

Last updated: Sat Dec 07 22:19:00 2002
12060 messages in chronological order