
    Re: iSCSI: Kerb auth issue 1 - checksum



    >> According to RFC1510 the server Kerberos implementation should
    >> maintain a cache of client name/timestamp for a window of
    >> the allowable clock skew, this prevents a replay usage of
    >> the authenticator. Telnet does not bind the connection either,
    >> just the negotiation result (against m-i-m).
    
    >I'm sorry, are you saying we don't need this?
    
    In telnet m-i-m can take them down to no-encryption when the
    negotiation result would have been encryption. Here there is
    no negotiation result of that sort (well, we could have protected
    the AuthMethod negotiation itself, against being taken down from
    CHAP to Kerberos :-) but as I said with no IPsec m-i-m can hijack
    the connection after login anyway.
    
    For binding initiator/target/session_id/connection_id as you
    suggested - the cache of client name/timestamp protects against
    replaying the authenticator. Relying on such binding for not
    implementing the cache (i.e., I already have this
    session_id/connection_id from that initiator active, so it's a
    replay) has a replay risk in scenario of connection time shorter
    than the allowable clock skew of the authenticator timestamp
    (beside going against RFC1510 requirements).
    
    
      Happy Christmas !
    
       Ofer
    
    
    Ofer Biran
    Storage and Systems Technology
    IBM Research Lab in Haifa
    biran@il.ibm.com  972-4-8296253
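
The two server-side checks the message contrasts, as an added example (not code from the list or from any iSCSI or Kerberos implementation): an RFC1510-style replay cache keyed on client name and authenticator timestamp, kept for the allowable clock skew window, beside a "binding only" check that treats an authenticator as a replay only while a session with the same initiator/session_id/connection_id is still active. The principal name, session and connection ids, 300 s skew and the timing of the scenario are constructed assumptions.

```python
"""Authenticator replay checks: RFC1510-style cache vs. binding-only.

Constructed simulation; clock values are plain integers (seconds).
"""
from __future__ import annotations
from dataclasses import dataclass

CLOCK_SKEW = 300  # assumed allowable clock skew in seconds (5 minutes is the common default)


@dataclass(frozen=True)
class Authenticator:
    client: str         # client principal name
    ctime: int          # client timestamp in the authenticator (seconds)
    cusec: int          # microsecond part; makes two authenticators in one second distinct
    session_id: str
    connection_id: str


class ReplayCache:
    """Cache of accepted (client, ctime, cusec) entries for the skew window."""

    def __init__(self, skew: int = CLOCK_SKEW):
        self.skew = skew
        self._seen: dict[tuple, int] = {}   # (client, ctime, cusec) -> ctime

    def _expire(self, now: int) -> None:
        # An entry whose ctime is older than now - skew would fail the skew
        # check on any later presentation, so it no longer needs to be kept.
        for key, ctime in list(self._seen.items()):
            if now - ctime > self.skew:
                del self._seen[key]

    def accept(self, auth: Authenticator, now: int) -> tuple[bool, str]:
        """Return (accepted, reason) for an authenticator seen at server time `now`."""
        if abs(auth.ctime - now) > self.skew:
            return False, "clock skew exceeded"
        self._expire(now)
        key = (auth.client, auth.ctime, auth.cusec)
        if key in self._seen:
            return False, "replay"
        self._seen[key] = auth.ctime
        return True, "ok"


class BindingOnlyCheck:
    """Rejects an authenticator only while the same binding is still active."""

    def __init__(self, skew: int = CLOCK_SKEW):
        self.skew = skew
        self.active: set[tuple] = set()

    def accept(self, auth: Authenticator, now: int) -> tuple[bool, str]:
        if abs(auth.ctime - now) > self.skew:
            return False, "clock skew exceeded"
        binding = (auth.client, auth.session_id, auth.connection_id)
        if binding in self.active:
            return False, "replay (binding active)"
        self.active.add(binding)
        return True, "ok"

    def close(self, auth: Authenticator) -> None:
        # Connection teardown forgets the binding.
        self.active.discard((auth.client, auth.session_id, auth.connection_id))


def short_connection_scenario(policy, connection_seconds: int = 60) -> list[tuple[bool, str]]:
    """Login at t=1000, connection closed after `connection_seconds`, then the
    same authenticator presented again 10 s later. Returns both verdicts."""
    auth = Authenticator("initiator1@EXAMPLE.COM", 1000, 0, "sess-1", "conn-1")  # constructed
    first = policy.accept(auth, now=1000)
    close = getattr(policy, "close", None)
    if close is not None:
        close(auth)
    second = policy.accept(auth, now=1000 + connection_seconds + 10)
    return [first, second]


if __name__ == "__main__":
    print("replay cache  :", short_connection_scenario(ReplayCache()))
    print("binding only  :", short_connection_scenario(BindingOnlyCheck()))
```

With a 60 s connection the second presentation is still inside the skew window: the replay cache rejects it as a replay, while the binding-only check accepts it because the binding was discarded at close. Only when the connection outlives the skew window (for example 400 s) does the binding-only check reject the second presentation, and then for clock skew rather than as a detected replay.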
    
    
    


Last updated: Thu Jan 02 14:19:03 2003