Return-Path: X-Sieve: cmu-sieve 2.0 Return-Path: Received: from bache.ece.cmu.edu (BACHE.ECE.CMU.EDU [128.2.129.23]) by ece.cmu.edu (8.11.0/8.10.2) with ESMTP id h5CLWm324995 for ; Thu, 12 Jun 2003 17:32:49 -0400 (EDT) Received: by bache.ece.cmu.edu (Postfix, from userid 953) id 2B11F100; Thu, 12 Jun 2003 17:32:45 -0400 (EDT) Received: from sos.ece.cmu.edu (SOS.ECE.CMU.EDU [128.2.129.27]) by bache.ece.cmu.edu (Postfix) with ESMTP id 49E13D4; Thu, 12 Jun 2003 17:32:39 -0400 (EDT) Received: by sos.ece.cmu.edu (Postfix) id E732D89DD; Thu, 12 Jun 2003 17:32:22 -0400 (EDT) Received: from osgood.ece.cmu.edu (OSGOOD.ECE.CMU.EDU [128.2.129.25]) by sos.ece.cmu.edu (Postfix) with ESMTP id D734189DC for ; Thu, 12 Jun 2003 17:32:22 -0400 (EDT) Received: by osgood.ece.cmu.edu (Postfix) id B89F683; Thu, 12 Jun 2003 17:32:22 -0400 (EDT) Received: by osgood.ece.cmu.edu (Postfix, from userid 953) id 90E3788; Thu, 12 Jun 2003 17:32:22 -0400 (EDT) Received: from sos.ece.cmu.edu (SOS.ECE.CMU.EDU [128.2.129.27]) by osgood.ece.cmu.edu (Postfix) with ESMTP id 5D20783 for ; Thu, 12 Jun 2003 17:32:20 -0400 (EDT) Received: by sos.ece.cmu.edu (Postfix, from userid 363) id 32C3A89DE; Thu, 12 Jun 2003 17:32:20 -0400 (EDT) X-Original-To: ips@sos.ece.cmu.edu Received: from hazard.ece.cmu.edu (HAZARD.ECE.CMU.EDU [128.2.129.24]) by sos.ece.cmu.edu (Postfix) with ESMTP id 9B07389DC for ; Thu, 12 Jun 2003 17:32:18 -0400 (EDT) Received: by hazard.ece.cmu.edu (Postfix) id 1EF4479; Thu, 12 Jun 2003 17:32:18 -0400 (EDT) Delivered-To: ips@ece.cmu.edu Received: by hazard.ece.cmu.edu (Postfix, from userid 953) id EF53496; Thu, 12 Jun 2003 17:32:17 -0400 (EDT) Received: from d12lmsgate-2.de.ibm.com (d12lmsgate-2.de.ibm.com [194.196.100.235]) by hazard.ece.cmu.edu (Postfix) with ESMTP id 286C579 for ; Thu, 12 Jun 2003 17:32:15 -0400 (EDT) Received: from d12relay01.megacenter.de.ibm.com (d12relay01.megacenter.de.ibm.com [9.149.165.180]) by d12lmsgate-2.de.ibm.com (8.12.9/8.12.8) with ESMTP id h5CLW6PO033878; Thu, 12 Jun 2003 23:32:06 +0200 Received: from d10ml001.telaviv.ibm.com (d12av02.megacenter.de.ibm.com [9.149.165.228]) by d12relay01.megacenter.de.ibm.com (8.12.9/NCO/VER6.5) with ESMTP id h5CLW3oZ219858; Thu, 12 Jun 2003 23:32:04 +0200 Subject: Re: Question on iSCSI security To: "Williams, Jim" Cc: "'ips@ece.cmu.edu'" X-Mailer: Lotus Notes Release 5.0.3 (Intl) 21 March 2000 Message-ID: From: "Ofer Biran" Date: Fri, 13 Jun 2003 00:30:54 +0300 X-MIMETrack: Serialize by Router on D10ML001/10/M/IBM(Release 5.0.9a |January 7, 2002) at 13/06/2003 00:32:04 MIME-Version: 1.0 Content-type: text/plain; charset=us-ascii Sender: owner-ips@ece.cmu.edu Precedence: bulk X-Spam-Status: No, hits=-5.8 required=5.0 tests=BAYES_10 version=2.50 X-Spam-Level: X-Spam-Checker-Version: SpamAssassin 2.50 (1.173-2003-02-20-exp) This is not be possible if A uses different secret/ticket for B and C in the in-band authentication (for Kerberos ticket it's always different). Also it's not a classic man-in-middle since A attempts to log into B (and authenticates B on the IPsec level) and not into C, so this attack can actually happen only after a previous attack of compromising a legitimate server B. Regards, Ofer Ofer Biran Storage and Systems Technology IBM Research Lab in Haifa biran@il.ibm.com 972-4-8296253 "Williams, Jim" lex.com> cc: Sent by: Subject: Question on iSCSI security owner-ips@ece.cmu .edu 12/06/03 21:50 I am not up to speed on security and IPSec, so there is probably a simple answer to this. I would be curious to know what it is. Scenario: A is an unwitting initiator, B is a malicious target, and C is a victim target. A attempts to log into B using IPSec. B establishes IPSec SA with C. B is honest to IKE about its identity. After establishing SA, B attempts to log into C, but lies to the iSCSI layer and claims to be A. B uses classic man-in-the-middle technique to get A to respond to C's login challenge. If this works, then B has successfully logged into C as A. There are a number of similar scenarios with the common thread that the attacker is truthful about his identity to the IPSec layer, but lies about his identity to the iSCSI layer. These attacks are easily defeated if the iSCSI layer cross checks remote end's identity with the IPSec layer. But it is not clear how this is done and whether it will be done or is required to be done. If the IPSec layer verifies that the IP address INSIDE the tunnel really belongs to B, and iSCSI verifies that the IP address it sees really belongs to A, and the data consulted for the verification is secure, then one of these checks should fail, but this seems like a stretch. But perhaps I am missing something simple.