SLPv2
... modification or injection, denial of service) against the
discovery (SLPv2 [RFC2608]) or discovery and management (iSNS
...
... automatically via a security policy distribution mechanism.
Alternatively, it can be supplied via iSNS or SLPv2. If an IP block
storage endpoint ...
... security policy distribution
mechanism) then it need not request this information via iSNS or
SLPv2. However, if the required security policy configuration is not
available via other mechanisms, iSNS or SLPv2 ...
... SLPv2. However, if the required security policy configuration is not
available via other mechanisms, iSNS or SLPv2 can be used to obtain
it.
...
... IKE negotiation to fail.
The following information can be provided via SLPv2 or iSNS:
[4] IPsec ...
... first try.
Since iSNS or SLPv2 can be used to distribute IPsec security policy
and configuration information ...
... security they configure. Since the major vulnerability is packet
modification and replay, when iSNS or SLPv2 are used to distribute
security policy or configuration information ...
... Both iSCSI and FCIP protocols use SLPv2 as a way to discover peer
entities and management servers. SLPv2 ...
... SLPv2 as a way to discover peer
entities and management servers. SLPv2 may also be used to provide
information on peer security configuration. When SLPv2 ...
... SLPv2 may also be used to provide
information on peer security configuration. When SLPv2 is deployed,
the SA advertisements as well as UA ...
... illegitimate service information from SrvRply and AttrRply
messages. In the SLPv2 security model SAs are trusted to sign
...
... rogue DAs that will return incorrect data or no data at all. In
the SLPv2 security model, UAs trust ...
... [e] SAs may have to trust DAs, especially if 'mesh-enhanced' SLPv2
is used. In this case, SAs register ...
... RFC2608], does not satisfy
these security requirements. SLPv2 only provides end-to-end
authentication, but does not support confidentiality. In SLPv2 ...
... SLPv2 only provides end-to-end
authentication, but does not support confidentiality. In SLPv2
authentication there is no way to authenticate ...
... service providers, but such an attack is possible
even in the absence of SLPv2 based discovery mechanisms.
...
... SLPv2 Security Protocol ...
...
SLPv2 message types include: SrvRqst, SrvRply, SrvReg, SrvDereg,
SrvAck, AttrRqst, AttrRply, DAAdvert, SrvTypeRqst, SrvTypeRply,
...
... message types include: SrvRqst, SrvRply, SrvReg, SrvDereg,
SrvAck, AttrRqst, AttrRply, DAAdvert, SrvTypeRqst, SrvTypeRply,
SAAdvert. SLPv2 requires that User Agents (UAs) and Service Agents ...
... unicast UDP. DAAdverts are also multicast.
However, all other SLPv2 messages are sent via UDP unicast.
...
... FCIP implementations supporting SLPv2 security SHOULD protect SLPv2
messages sent via unicast using IPsec ...
... using IPsec ESP with a non-null transform.
SLPv2 authentication blocks (carrying digital signatures), described
...
... target nexus. This will protect them from
any compromise of security in the SLPv2 discovery process.
The usage of SLPv2 ...
... Entity Name is administratively established.
For use in securing SLPv2, when digital signatures are used to
achieve authentication ...
... IKE's authentication procedures. If key management of SLPv2 DAs
needs to be coordinated with the SAs and the UAs ...
...
One of the reasons for utilizing IPsec for SLPv2 security is that it is
more likely that certificates ...
... certificates will be deployed for IPsec than for
SLPv2. This both simplifies SLPv2 security and makes it more likely
...
... IPsec than for
SLPv2. This both simplifies SLPv2 security and makes it more likely
that it will be implemented interoperably and more importantly, that
...
... it will be used. As a result, it is desirable that little additional
effort be required to enable IPsec protection of SLPv2.
However, just because a certificate ...
... does not necessarily imply that the host is authorized to perform
SLPv2 operations. When using IPsec to secure SLPv2, it may be
...
... SLPv2 operations. When using IPsec to secure SLPv2, it may be
desirable to distinguish between certificates appropriate for use by
...
... authorizations can be employed.
Assume that the policy for issuing and distributing SLPv2 authorized
certificates to SAs ...
... SA used a certificate authorized for
SLPv2 service advertisement in establishing the IKE Phase 1 SA ...
... DA usage, the
UA can accept the information sent, even if it has no SLPv2
authentication block.
...
... Assuming that the SA used a certificate authorized for SLPv2
service advertisement in establishing the IKE ...
... DA
can accept the de/registration even if it has no SLPv2
authentication block. Typically, the SA ...
...
Since SLPv2 messages can contain information that can potentially
reveal the vendor of the device or its other associated
...
... Entity's characteristics.
The SLPv2 security model assumes that service information is public,
...
... FCIP security implementations supporting
SLPv2 security SHOULD encrypt as well as authenticate ...
... that confidentiality is provided, then the risk of disclosure can be
limited to SLPv2 messages sent via multicast, namely the SrvRqst and
DAAdvert.
...
... present on the network only enables an attacker to know that SLPv2 is
in use, and possibly that a directory service is also present. This
...
... SLPv2 Security Implications ...
... Through the definition of security attributes, it is possible to use
SLPv2 to distribute information about security settings for IP block
...
... security settings for IP block
storage entities. SLPv2 distribution of security policy is not
necessary if the security ...
... security configuration via
other mechanisms, then it MUST NOT request security policy via SLPv2.
Where SLPv2 ...
... security policy information for use
with IP block storage protocols, SLPv2 MUST be protected by IPsec as
described in this document. Where SLPv2 ...
... SLPv2 MUST be protected by IPsec as
described in this document. Where SLPv2 is not used to distribute
security policy information, implementations MAY implement SLPv2 ...
... SLPv2 is not used to distribute
security policy information, implementations MAY implement SLPv2
security as described in this document.
...
... security as described in this document.
Where SLPv2 is used, but security is not implemented, IP block
...
... Since this document proposes that hop-by-hop security be used as the
primary mechanism to protect SLPv2, UAs have to trust DAs to
...
... trust DAs to
accurately relay data from SAs. This is a change to the SLPv2
security model described in [RFC2608 ...
... RFC2608] does not provide a way to authenticate "zero
result responses", leaving SLPv2 vulnerable to a denial of service
attack. Such an attack can be carried out on a UA ...
... DA issuing a legitimate DAAdvert.
In addition, SLPv2 security as defined in [RFC2608] does not support
...
... IPsec with ESP and a non-null transform is
used to protect SLPv2, not only can unicast requests and replies be
authenticated ...
... that use of IPsec for security is more appropriate than the SLPv2
security model defined in [RFC2608 ...
...
Using IPsec to secure SLPv2 has performance implications. Security
associations established between:
...
...
When IPsec is used to protect SLPv2, it is not necessarily
appropriate for all hosts with whom an IPsec security association ...
... hosts with whom an IPsec security association can
be established to be trusted to originate SLPv2 service
advertisements. This is particularly the case in environments where
it is easy to obtain certificates ...
... registration. This approach involves manual
configuration, but avoids certificate customization for SLPv2.
[2] Restricting the issuance of certificates ...
... [2] Restricting the issuance of certificates valid for use in SLPv2
service advertisement. While all certificates ...
... authorized to originate service advertisements could be signed
by an SLPv2-authorized CA, or could contain explicit SLPv2
...
... by an SLPv2-authorized CA, or could contain explicit SLPv2
authorizations within the certificate ...
... authorizations within the certificate. After the IPsec security
association is set up between the SLPv2 entities, the SLPv2
implementations can then retrieve the certificates ...
... certificate. After the IPsec security
association is set up between the SLPv2 entities, the SLPv2
implementations can then retrieve the certificates used in the
...
... approach requires less configuration, but requires some
certificate customization for use with SLPv2.
...
... destination for the packet). The inner
destination address can be discovered using SLPv2 or iSNS, or can be
resolved from an FQDN via DNS ...
