Re: iSCSI: Kerb auth issue 1 - checksum

On Thu, 19 Dec 2002, Ofer Biran wrote:

> According to RFC1510 the server Kerberos implementation should
> maintain a cache of client name/timestamp for a window of the
> allowable clock skew, this prevents a replay usage of
> the authenticator. Telnet does not bind the connection either,
> just the negotiation result (against m-i-m).

I'm sorry, are you saying we don't need this?

> If IPsec is not used, m-i-m can hijack the connection after
> the login anyway.

The original idea was to have input from the end-to-end IPsec SAs in the checksum too. This would be to prevent against M-I-M IPsec attacks. Unfortunately the IPsec APIs don't support this, so we dropped it.

Take care,

Bill
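
The replay cache described in the quoted text, sketched as an added example that is not part of the original message or of any Kerberos implementation: it keys on client name and authenticator timestamp and keeps entries only for the clock-skew window. The 300-second skew and the names ReplayCache and check are assumptions made for illustration.

```python
# Added illustration of a server-side authenticator replay cache.
# ReplayCache/check are hypothetical names; CLOCK_SKEW is an assumed value.
from dataclasses import dataclass, field

CLOCK_SKEW = 300  # seconds of allowable clock skew (assumption)


@dataclass
class ReplayCache:
    skew: int = CLOCK_SKEW
    # (client name, ctime, cusec) -> ctime of every authenticator accepted
    # inside the current skew window
    seen: dict = field(default_factory=dict)

    def check(self, client, ctime, cusec, now):
        """Classify one authenticator as 'ok', 'skew' or 'replay'."""
        # Entries older than the window can be dropped: a replay of them
        # is already rejected by the skew test below.
        self.seen = {k: t for k, t in self.seen.items()
                     if abs(now - t) <= self.skew}

        # Timestamp outside the window: reject without caching.
        if abs(now - ctime) > self.skew:
            return "skew"

        # Same client and same timestamp inside the window: replay.
        key = (client, ctime, cusec)
        if key in self.seen:
            return "replay"

        self.seen[key] = ctime
        return "ok"


if __name__ == "__main__":
    cache = ReplayCache()
    # Constructed sample authenticators: (client, ctime, cusec, server time)
    for sample in [("initiator@EXAMPLE", 1000, 5, 1010),
                   ("initiator@EXAMPLE", 1000, 5, 1020),
                   ("initiator@EXAMPLE", 1000, 6, 1020),
                   ("initiator@EXAMPLE", 1000, 5, 1400)]:
        print(sample, "->", cache.check(*sample))
```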