Re: iSCSI: Kerb auth issue 1 - checksum

>> According to RFC1510 the server Kerberos implementation should
>> maintain a cache of client name/timestamp for a window of the
>> allowable clock skew, this prevents a replay usage of
>> the authenticator. Telnet does not bind the connection either,
>> just the negotiation result (against m-i-m).

> I'm sorry, are you saying we don't need this?

In telnet m-i-m can take them down to no-encryption when the negotiation result would have been encryption. Here there is no negotiation result of that sort (well, we could have protected the AuthMethod negotiation itself, against being taken down from CHAP to Kerberos :-) but as I said with no IPsec m-i-m can hijack the connection after login anyway.

For binding initiator/target/session_id/connection_id as you suggested - the cache of client name/timestamp protects against replaying the authenticator. Relying on such binding for not implementing the cache (i.e., I already have this session_id/connection_id from that initiator active, so it's a replay) has a replay risk in the scenario of a connection time shorter than the allowable clock skew of the authenticator timestamp (besides going against RFC1510 requirements).

Happy Christmas!

Ofer

Ofer Biran
Storage and Systems Technology
IBM Research Lab in Haifa
biran@il.ibm.com
972-4-8296253
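The replay scenario argued in the message above, worked through as an added example (this code is not from the thread or from any iSCSI/Kerberos implementation). It models two server-side checks: the RFC 1510 replay cache keyed on client name and authenticator timestamp, and the alternative of treating an authenticator as a replay only while the same initiator/session_id/connection_id is still active. The 300-second skew, the principal and initiator names, and the session identifiers are constructed assumptions; the point shown is that once the legitimate connection closes inside the skew window, only the timestamp cache still rejects the captured authenticator.

```python
from dataclasses import dataclass

# Assumption: allowable clock skew of 5 minutes (a common Kerberos default).
CLOCK_SKEW = 300


@dataclass(frozen=True)
class Authenticator:
    """The fields of a Kerberos authenticator that matter for replay detection."""
    client: str      # client principal name (from the ticket)
    timestamp: int   # ctime, seconds
    usec: int = 0    # cusec, microseconds


class ReplayCache:
    """RFC 1510 style server replay cache: remember every accepted
    (client, ctime, cusec) until it ages out of the clock-skew window."""

    def __init__(self, skew=CLOCK_SKEW):
        self.skew = skew
        self.seen = {}  # (client, timestamp, usec) -> server time when accepted

    def _expire(self, now):
        # Entries outside the window can no longer pass the skew check,
        # so they may safely be dropped.
        for key in list(self.seen):
            if abs(key[1] - now) > self.skew:
                del self.seen[key]

    def accept(self, auth, now):
        """Return True if the authenticator is fresh and not seen before."""
        if abs(auth.timestamp - now) > self.skew:
            return False                    # outside the allowable skew
        self._expire(now)
        key = (auth.client, auth.timestamp, auth.usec)
        if key in self.seen:
            return False                    # replay of an accepted authenticator
        self.seen[key] = now
        return True


class ActiveConnectionCheck:
    """The alternative discussed in the thread: call it a replay only if the
    same initiator/session_id/connection_id is currently active."""

    def __init__(self):
        self.active = set()

    def login(self, initiator, session_id, connection_id):
        key = (initiator, session_id, connection_id)
        if key in self.active:
            return False                    # duplicate of a live connection
        self.active.add(key)
        return True

    def logout(self, initiator, session_id, connection_id):
        self.active.discard((initiator, session_id, connection_id))


def scenario(skew=CLOCK_SKEW, replay_delay=60):
    """Constructed scenario: a login whose connection ends before the skew
    window does, then a replay of the captured authenticator on the same
    session/connection identifiers. Returns what each check decided."""
    t0 = 1_000_000                                  # server clock at login
    auth = Authenticator("initiator1@EXAMPLE.COM", t0)
    conn = ("iqn.2003-01.example:initiator1", 0x1234, 1)   # (initiator, session_id, connection_id)

    cache = ReplayCache(skew)
    active = ActiveConnectionCheck()

    legit_cache = cache.accept(auth, t0)
    legit_active = active.login(*conn)
    active.logout(*conn)                            # short-lived connection closes

    t_replay = t0 + replay_delay                    # still inside the skew window
    replay_cache = cache.accept(auth, t_replay)     # same (client, ctime): rejected
    replay_active = active.login(*conn)             # no longer active: accepted

    stale_cache = cache.accept(auth, t0 + skew + 1) # past the window: skew check rejects
    return {
        "legit_accepted_by_cache": legit_cache,
        "legit_accepted_by_active_check": legit_active,
        "replay_accepted_by_cache": replay_cache,
        "replay_accepted_by_active_check": replay_active,
        "stale_accepted_by_cache": stale_cache,
    }


if __name__ == "__main__":
    for name, verdict in scenario().items():
        print(f"{name}: {verdict}")
```

The cache must hold an entry for at least the full skew window regardless of how long the connection it authenticated stayed up; that is why `ReplayCache` expires on authenticator age rather than on logout, and why dropping the cache in favour of the active-connection check opens the window the message describes.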
Last updated: Thu Jan 02 14:19:03 2003