iSCSI
... iSCSI Overview ...
... command/response protocol that runs over TCP, and is used to access
disk, tape and other devices. iSCSI is a client-server protocol in
which clients ...
... some form.
The iSCSI protocol has a text based negotiation mechanism as part of
its initial (login ...
... initiator may issue SCSI commands
for execution by the iSCSI target, which returns a status response
for each command, over the same connection. A single connection ...
... used for both command/status messages as well as transfer of data
and/or optional command parameters. An iSCSI session may have
multiple connections, but a separate login ...
... connections, but a separate login is performed on each. The
iSCSI session terminates when its last connection is closed.
...
... targets
have names whose syntax is defined in [RFC3721]. iSCSI sessions
between a given initiator and target ...
... login process
establishes an association between an iSCSI Session and the TCP
connection(s) over which iSCSI PDUs ...
... association between an iSCSI Session and the TCP
connection(s) over which iSCSI PDUs will be carried.
...
... endpoints and negotiation of session parameters, iSCSI does not
define its own per-packet authentication ...
... protocol" applies to all block storage protocols running over IP,
including iSCSI, iFCP and FCIP.
...
... Name Server (iSNS) protocol provides for
discovery and management of iSCSI and Fibre Channel (FCP) storage
devices ...
... Fibre Channel (FCP) storage
devices. iSNS applications store iSCSI and FC device attributes
and monitor their availability and reachability ...
... iFCP requires iSNS for discovery and management,
while iSCSI may use iSNS for discovery, and FCIP does not use
iSNS.
...
... TCP port for incoming
connections, and returns a status response for each command
issued by the iSCSI initiator, over the same connection.
...
... Although the security requirements in this document are already
incorporated into the iSCSI [RFC3720], iFCP [iFCP ...
... RFC3456], will typically not be
required, although it cannot be ruled out. Such facilities will also
be relevant to iSCSI hosts whose addresses are dynamically assigned.
...
... configuration will influence the authentication algorithm negotiated
within iSCSI Login, as well as the security services
...
... iFCP, the
granularity corresponds to an iFCP Portal. For iSCSI, the
granularity of control is typically that of an iSCSI session,
...
... iFCP Portal. For iSCSI, the
granularity of control is typically that of an iSCSI session,
although it is possible to exert control down to the granularity of
the destination IP address ...
... authentication SHOULD be
used by IP block storage protocols (e.g., iSCSI SHOULD use one of its
in-band authentication mechanisms ...
... iFCP deployments.
iSCSI may use iSNS for discovery, and FCIP does not use iSNS. iSNS
applications store iSCSI ...
... iSCSI may use iSNS for discovery, and FCIP does not use iSNS. iSNS
applications store iSCSI and FC device attributes and monitor their
availability and reachability ...
... constraints and performance requirements for iSCSI are
discussed in [RFC3347] Section 3.2. iFCP ...
... constraining factor.
iSCSI will be implemented on a variety of systems ranging from large
servers running general purpose operating systems to embedded host ...
... bus adapters (HBAs). In general, a host bus adapter is the most
constrained iSCSI implementation environment, although an HBA may
draw upon the resources of the system to which it is attached in some
cases (e.g., authentication ...
... cases (e.g., authentication computations required for connection
setup). More resources should be available to iSCSI implementations
for embedded and general purpose operating systems. The following
...
... The primary resource concern for implementation of authentication and
keying mechanisms is code size, as iSCSI assumes that the
computational horsepower to do exponentiations will be available.
...
... computational horsepower to do exponentiations will be available.
There is no dominant iSCSI usage scenario - the scenarios range from
a single connection ...
... iSCSI Authentication ...
... CHAP is used with a secret smaller than 96 bits, a
compliant implementation MUST NOT continue with the iSCSI login
unless it can verify that IPsec ...
... authentication.
Responders MUST check for this condition and close the iSCSI TCP
connection if it occurs.
...
... enables the attacker to impersonate any of them. It is recommended
that iSCSI implementations check for use of identical CHAP secrets by
different peers when this check is feasible, and take appropriate
...
... MUST result in the Responder (target) closing the iSCSI TCP
connection because the initiator has failed to authenticate ...
... initiator. If the CHAP response received by one end of an
iSCSI connection is the same as the CHAP response that the receiving
...
... CHAP secret is not
used for authentication in both directions). Also, if an iSCSI
implementation can function as both initiator and target ...
... groups may be registered with IANA. iSCSI implementations MUST use
one of these well-known groups ...
... snooping, and launch an attack against the peer. Given the
potential value of iSCSI targets and FCIP entities, leaking of
such information not only increases the possibility of an attack ...
...
In order to provide the required security functionality, iSCSI and
FCIP implementations supporting SLPv2 ...
... identity. In addition, a subsequent user-level iSCSI session login
can protect the initiator ...
... storage
devices represent mission critical infrastructure of substantial
value, and so iSCSI and FCIP security implementations supporting
...
... security policy and authorization information to iSCSI and iFCP
devices. When the iSNS protocol is deployed, the interaction between
...
... [1] An attacker can alter iSNS protocol messages, directing iSCSI
and iFCP devices to establish connections ...
... masquerade as the real iSNS server by sending
false iSNS heartbeat messages. This could deceive iSCSI and
iFCP devices into using rogue iSNS servers.
...
... attacker in mounting a direct attack on iSCSI and iFCP devices,
such as a denial-of-service attack ...
...
In practice, within a single installation, iSCSI and/or iFCP devices
may have different security ...
... The iSNS protocol is used to transfer naming, discovery, and
management information between iSCSI devices, iFCP gateways,
management stations ...
... to enable discovery of security settings used for communication via
the iSCSI and/or iFCP protocols.
...
... IKE and IPsec by each iFCP or iSCSI peer device interface.
This information is encoded in the Security ...
... discover the security settings required for communication via the
iSCSI and/or iFCP protocols. Use of iSNS for distribution of
security policies ...
... IKE/IPsec configuration of each iFCP and/or iSCSI device
can be stored in the iSNS server, including policies that are used
for IKE ...
... IKE payload format includes a series of one or more proposals that
the iSCSI or iFCP device will use when negotiating the appropriate
IPsec ...
... iFCP device will use when negotiating the appropriate
IPsec policy to use to protect iSCSI or iFCP traffic.
...
...
The following guidelines are established to meet iSCSI security
requirements using IPsec in practical situations.
...
... iSCSI Security Issues ...
... authentication. This authentication is
logically between the iSCSI initiator and the iSCSI target (as
...
... logically between the iSCSI initiator and the iSCSI target (as
opposed to between the TCP/IP communication endpoints ...
... TCP/IP communication endpoints). The intent
of the iSCSI design is that the initiator and target represent the
...
... connection origination, but does not protect control and data traffic
on a per packet basis, leaving the iSCSI connection vulnerable to
attack. iSCSI ...
... authentication does not provide for a protected
ciphersuite negotiation. Therefore, iSCSI Login provides a weak
security solution ...
... iSCSI session and connection information is carried within the
iSCSI Login Commands, transported over TCP. Since an iSCSI ...
... iSCSI Login Commands, transported over TCP. Since an iSCSI initiator
may have multiple interfaces ...
... initiator
may have multiple interfaces, iSCSI connections within an iSCSI
session may be initiated from different IP addresses. Similarly,
...
... may have multiple interfaces, iSCSI connections within an iSCSI
session may be initiated from different IP addresses. Similarly,
multiple iSCSI targets ...
... iSCSI
session may be initiated from different IP addresses. Similarly,
multiple iSCSI targets may exist behind a single IP address, so that
there may be multiple iSCSI sessions ...
... iSCSI targets may exist behind a single IP address, so that
there may be multiple iSCSI sessions between a given <source IP
address, destination IP address> pair.
...
... destination IP address> pair.
When multiple iSCSI sessions are active between a given <initiator,
...
... target> pair, the set of TCP connections used by a given iSCSI
session must be disjoint from those used by all other iSCSI sessions
between the same <initiator ...
... target> pair, the set of TCP connections used by a given iSCSI
session must be disjoint from those used by all other iSCSI sessions
between the same <initiator, target ...
... initiator, target> pair. Therefore a TCP
connection can be associated with one and only one iSCSI session.
The relationship between iSCSI sessions ...
... and therefore may have multiple IP addresses. Also, multiple
iSCSI initiators and targets may exist behind a single IP
address ...
... initiators and targets may exist behind a single IP
address. As a result, an iSCSI Session may correspond to
multiple IKE Phase 1 Security Associations ...
... IKE Phase 1 SA and
the corresponding iSCSI sessions, as well as the binding between a
TCP connection ...
... Initiating a New iSCSI Session ...
... already exist, then it is established by an initiator implementing
iSCSI security. Subsequent iSCSI connections established within the
...
... iSCSI security. Subsequent iSCSI connections established within the
iSCSI session will typically be protected by IKE ...
... security. Subsequent iSCSI connections established within the
iSCSI session will typically be protected by IKE Phase 2 SAs derived
...
... target implementations successfully complete the
IKE Phase 1 and Phase 2 negotiations before the iSCSI initiator
contacts the target ...
... target on well-known TCP port 3260, and sends the iSCSI
Login command over the TCP connection ...
... TCP connection over which the Login command is
being exchanged. When the iSCSI target replies with its Login
Command, both iSCSI devices will know the TSIH ...
... being exchanged. When the iSCSI target replies with its Login
Command, both iSCSI devices will know the TSIH, and therefore the
iSCSI session ...
... SAs, and each IKE Phase 1 SA may correspond to multiple iSCSI
session identifiers. Each iSCSI connection (identified by the
...
... Phase 1 SA may correspond to multiple iSCSI
session identifiers. Each iSCSI connection (identified by the
connection identifier ...
... IPsec implementation will choose which security association to
use based on local policy, and iSCSI concerns play no role in this
selection process.
...
... Graceful iSCSI Teardown ...
...
Mechanisms within iSCSI provide for both graceful and non-graceful
teardown of iSCSI Sessions or individual TCP connections ...
... Mechanisms within iSCSI provide for both graceful and non-graceful
teardown of iSCSI Sessions or individual TCP connections within a
given session ...
... TCP connections within a
given session. The iSCSI Logout command is used to effect graceful
teardown. This command allows the iSCSI initiator ...
... session. The iSCSI Logout command is used to effect graceful
teardown. This command allows the iSCSI initiator to request that:
...
... connection be marked for recovery
When the iSCSI implementation wishes to close a session, it uses the
appropriate iSCSI ...
... iSCSI implementation wishes to close a session, it uses the
appropriate iSCSI commands to accomplish this. After exchanging the
appropriate iSCSI control messages ...
... appropriate iSCSI commands to accomplish this. After exchanging the
appropriate iSCSI control messages for session closure, the iSCSI ...
... iSCSI control messages for session closure, the iSCSI
security implementation will typically initiate a half-close of each
...
... security implementation will typically initiate a half-close of each
TCP connection within the iSCSI session.
When the iSCSI ...
... iSCSI session.
When the iSCSI security implementation wishes to close an individual
TCP connection ...
... security implementation wishes to close an individual
TCP connection while leaving the parent iSCSI session active, it
should half-close the TCP connection ...
... Non-graceful iSCSI Teardown ...
...
If a given TCP connection unexpectedly fails, the associated iSCSI
connection is torn down. There is no requirement that an IKE Phase 2
...
... IKE Phase 2
delete immediately follow iSCSI connection tear down or Phase 1
deletion. Since an IKE Phase 2 SA ...
... TCP connection, this does not
necessarily imply that the TCP or iSCSI connection is to be torn
down.
...
... If a Logout Command/Logout Response sequence marks a connection for
removal from the iSCSI session, then after the iSCSI peer has
executed an iSCSI ...
... connection for
removal from the iSCSI session, then after the iSCSI peer has
executed an iSCSI teardown process for the connection ...
... iSCSI session, then after the iSCSI peer has
executed an iSCSI teardown process for the connection, the TCP
connection will be closed. The iSCSI connection ...
... iSCSI teardown process for the connection, the TCP
connection will be closed. The iSCSI connection state can then be
safely removed ...
... Phase 2 SA may be used by multiple TCP connections, an
iSCSI implementation should not depend on receiving the IPsec Phase 2
...
... IPsec Phase 2
delete as confirmation that the iSCSI peer has executed an iSCSI
teardown process for the connection ...
... delete as confirmation that the iSCSI peer has executed an iSCSI
teardown process for the connection.
...
... IKE Phase 2 delete
message MUST NOT be interpreted as a reason for tearing down the
corresponding iSCSI connection if no Logout Command/Logout Receive
has been executed on the connection. Rather, it is preferable to
...
... has been executed on the connection. Rather, it is preferable to
leave the iSCSI connection up, and if additional traffic is sent on
it, to bring up another IKE ...
... IKE Phase 2 SA to protect it. This avoids
the potential for continually bringing iSCSI connections up and down.
...
... RFC793] will not necessarily detect
all errors, resulting in possible data corruption. iSCSI [RFC3720]
therefore incorporates a 32-bit CRC ...
... retransmission will not occur and thus cannot assist in recovering
from the error. iSCSI contains both data and command retry
mechanisms to deal with the resulting situations, including SNACK,
the ability to reissue R2T commands, and the retry (X) bit ...
... integrity protection is known to be in place end-to-end
between iSCSI endpoints (or the portion that requires additional
integrity protection ...
... endpoints (or the portion that requires additional
integrity protection), portions of iSCSI can be simplified. For
example, mechanisms to recover from CRC check failures are not
...
... necessary.
If the iSCSI CRC is negotiated, the recovery logic can be simplified
to regard any CRC ...
...
In some situations where IPsec is employed, the iSCSI CRC will not
provide additional protection and can be omitted.
...
... For example, where IPsec processing as well as TCP checksum and iSCSI
CRC verification are offloaded within the NIC ...
... result, where IPsec processing is offloaded to the NIC, the iSCSI CRC
is not necessary and the implementations may wish not to negotiate
...
...
However, in other circumstances, the TCP checksum and iSCSI CRC will
provide additional error coverage because they are computed and
...
... integrity checks. The
resulting coverage of additional possible errors may make it
desirable to negotiate use of the iSCSI CRC even when IPsec integrity
protection ...
... [1] IPsec, TCP and iSCSI are implemented purely in software. Here,
additional failure modes may be detected by the TCP checksum
...
... additional failure modes may be detected by the TCP checksum
and/or iSCSI CRC. For example, after the IPsec message
integrity check ...
... TCP processing, and a memory error during this
process might cause the TCP checksum or iSCSI CRC verification
to fail.
...
... iSCSI CRC can be propagated from one iSCSI connection to
another. In this case, the iSCSI CRC ...
... CRC can be propagated from one iSCSI connection to
another. In this case, the iSCSI CRC is useful to protect iSCSI
...
... another. In this case, the iSCSI CRC is useful to protect iSCSI
data against memory, bus, or software errors within the proxy or
...
...
[3] IPsec is provided by a device external to the actual iSCSI
device. Here the iSCSI header ...
... IPsec is provided by a device external to the actual iSCSI
device. Here the iSCSI header and data CRCs can be kept across
...
... connection that is not protected by IPsec. For
instance, the iSCSI connection could traverse an extra bus,
interface card, network ...
... interface card, and bus between the
iSCSI device and the device providing IPsec. In this case, the
iSCSI ...
... iSCSI device and the device providing IPsec. In this case, the
iSCSI CRC is desirable, and the iSCSI implementation behind the
...
... iSCSI CRC is desirable, and the iSCSI implementation behind the
IPsec device may request it.
...
... remaining standards compliant. In order to enable traversal of NATs
existing while remaining in compliance, iSCSI, iFCP or FCIP security ...
... the IKE negotiation may be those of the machine or of the iSCSI
entity. When machine authentication ...
... authentication is used, the machine certificate
is typically stored on the iSCSI initiator and target during an
...
... hardware. Since user authentication can be provided
within iSCSI login (keeping in mind the weaknesses described
earlier), support for machine authentication ...
... iFCP and FCIP have no equivalent of iSCSI Login, for these protocols
only the machine is authenticated ...
... attacks when used with dynamically addressed hosts (such as
with iSCSI initiators). In Main Mode it is necessary for SKEYID_e to
be used prior to the receipt of the identification payload ...
... application-layer mutual authentication is performed (e.g.,
iSCSI login authentication). This enables an attacker ...
... In addition to IKE authentication, iSCSI implementations utilize
their own authentication methods. Currently, work is underway on
...
... replay protection. This
implies that the identity verified in the iSCSI Login is not
subsequently verified on reception of each packet.
...
...
Let us assume that the identity claimed in iSCSI Login is a user
identity, while the identity ...
... packet basis, there is no way for the recipient to verify that only
the user authenticated via iSCSI Login is using the IPsec SA ...
... IP block storage protocols MUST be exclusive.
[2] In the case of iSCSI, implementations MUST also ensure that
application layer login ...
... operating system.
In kernel mode iSCSI drivers there typically is no user context to
perform user authentication ...
... raw socket and send
IPsec protected packets to an iSCSI target. The situation is
analogous, and in this respect no new vulnerability is created ...
... effective to protect a device (whether it is a SCSI device or an
iSCSI device).
...
... FQDNs. The configuration can occur manually, or automatically via
iSNS or the iSCSI MIB, defined in [AuthMIB].
...
... Login authentication, it is also possible to use
the identities presented within the iSCSI Login for authorization
...
... registration of values of the SRP_GROUP
key parameter within iSCSI, in accordance with BCP 26, [RFC2434].
...
...
IANA considerations for the iSCSI protocol are described in
[RFC3720], Section 13; for the iFCP protocol ...
... New SRP_GROUP keys MUST conform to the iSCSI extension item-label
format described in [RFC3720] Section 13.5.4.
...
... Satran, J., Meth, K., Sapuntzakis, C., Chadalapaka, M. and E. Zeidner, "Internet Small Computer Systems Interface (iSCSI)", RFC 3720, April 2004. ...
... Krueger, M. and R. Haagens, "Small Computer Systems Interface protocol over the Internet (iSCSI) Requirements and Design Considerations", RFC 3347, July 2002. ...
... Bakke, M., Hafner, J., Hufferd, J., Voruganti, K. and M. Krueger, "Internet Small Computer Systems Interface (iSCSI) Naming and Discovery", RFC 3721, April 2004. ...
... Bakke, M., et al., "Definitions of Managed Objects for iSCSI", Work in Progress, September 2002. ...
... Bakke, M., "Finding iSCSI targets and Name Servers Using SLP", Work in Progress, March 2002. ...
... each of which has also been rigorously proven to be prime:
[1] iSCSI Key="MODP-3072": the 3072-bit [RFC3526 ...
