Re: iSCSI: Kerb auth issue 1 - checksum

To: Ofer Biran <BIRAN@il.ibm.com>
Subject: Re: iSCSI: Kerb auth issue 1 - checksum
From: Bill Studenmund <wrstuden@wasabisystems.com>
Date: Thu, 19 Dec 2002 11:01:49 -0800 (PST)
Cc: <ips@ece.cmu.edu>
Content-Type: TEXT/PLAIN; charset=US-ASCII
In-Reply-To: <OFB092C06D.28B87A86-ONC2256C94.0057D0B4@telaviv.ibm.com>
Sender: owner-ips@ece.cmu.edu

On Thu, 19 Dec 2002, Ofer Biran wrote:

> According to RFC1510 the server Kerberos implementation should
> maintain a cache of client name/timestamp for a window of the
> the allowable clock skew, this prevents a replay usage of
> the authenticator. Telnet does not bind the connection either,
> just the negotiation result (against m-i-m).

I'm sorry, are you saying we don't need this?

> If IPsec is not used, m-i-m can hijack the connection after
> the login anyway.

The original idea was to have input from the end-to-end IPsec SAs in the
checksum too. This would be to prevent against M-I-M IPsec attacks.
Unfortunately the IPsec APIs don't support this, so we dropped it.

Take care,

Bill

References:
- Re: iSCSI: Kerb auth issue 1 - checksum
  - From: "Ofer Biran" <BIRAN@il.ibm.com>

Prev by Date: Re: iSCSI: Kerb auth issue 2 - name use in kerberos
Next by Date: RE: iSCSI: Kerb auth issue 2 - name use in kerberos
Prev by thread: Re: iSCSI: Kerb auth issue 1 - checksum
Next by thread: Re: iSCSI: Kerb auth issue 1 - checksum
Index(es):
- Date
- Thread

Home

Last updated: Sun Dec 22 16:19:25 2002
12093 messages in chronological order