IETF Logo Mail Archive

Re: [imss] imss WG Last Call: FC-SP MIB

Keith McCloghrie <kzm@cisco.com> Fri, 12 October 2007 03:52 UTC

Return-path: <imss-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1IgBa3-0003OX-Uu; Thu, 11 Oct 2007 23:52:55 -0400
Received: from imss by megatron.ietf.org with local (Exim 4.43) id 1IgBa2-0003OQ-Mu for imss-confirm+ok@megatron.ietf.org; Thu, 11 Oct 2007 23:52:54 -0400
Received: from [10.90.34.44] (helo=chiedprmail1.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IgBa2-0003OI-By for imss@ietf.org; Thu, 11 Oct 2007 23:52:54 -0400
Received: from sj-iport-6.cisco.com ([171.71.176.117]) by chiedprmail1.ietf.org with esmtp (Exim 4.43) id 1IgBa1-0002Ht-Ta for imss@ietf.org; Thu, 11 Oct 2007 23:52:54 -0400
X-IronPort-AV: E=Sophos;i="4.21,263,1188802800"; d="scan'208";a="235324336"
Received: from sj-dkim-3.cisco.com ([171.71.179.195]) by sj-iport-6.cisco.com with ESMTP; 11 Oct 2007 20:52:53 -0700
Received: from sj-core-2.cisco.com (sj-core-2.cisco.com [171.71.177.254]) by sj-dkim-3.cisco.com (8.12.11/8.12.11) with ESMTP id l9C3qrkY020674; Thu, 11 Oct 2007 20:52:53 -0700
Received: from cisco.com (pita.cisco.com [171.71.177.199]) by sj-core-2.cisco.com (8.12.10/8.12.6) with ESMTP id l9C3qrZp012348; Fri, 12 Oct 2007 03:52:53 GMT
Received: (from kzm@localhost) by cisco.com (8.8.8-Cisco List Logging/8.8.8) id UAA24389; Thu, 11 Oct 2007 20:51:28 -0700 (PDT)
From: Keith McCloghrie <kzm@cisco.com>
Message-Id: <200710120351.UAA24389@cisco.com>
Subject: Re: [imss] imss WG Last Call: FC-SP MIB
To: Black_David@emc.com
Date: Thu, 11 Oct 2007 20:51:28 -0700
In-Reply-To: <no.id> from "Black_David@emc.com" at Oct 11, 2007 01:23:09 AM
X-Mailer: ELM [version 2.5 PL5]
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
DKIM-Signature: v=0.5; a=rsa-sha256; q=dns/txt; l=2457; t=1192161173; x=1193025173; c=relaxed/simple; s=sjdkim3002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=kzm@cisco.com; z=From:=20Keith=20McCloghrie=20<kzm@cisco.com> |Subject:=20Re=3A=20[imss]=20imss=20WG=20Last=20Call=3A=20FC-SP=20MIB |Sender:=20; bh=1/mpNBJ+N3REipHq459A0tHNIcwRjpDY8TwLFUi36ws=; b=AvPyVLr2nJYiwsDxC6T3SKKVnTOwdc3XI93+sjkS+XW0rlX35cn6UsjBX1wW5lcdW3dPcGtO 3OCOrQ/Oxh+TSMhZWeDNcE6VnPX1Ggulkl5NxBr7n4Xzxb+qImlplxzr;
Authentication-Results: sj-dkim-3; header.From=kzm@cisco.com; dkim=pass (sig from cisco.com/sjdkim3002 verified; );
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 8b431ad66d60be2d47c7bfeb879db82c
Cc: imss@ietf.org, kzm@cisco.com, dromasca@avaya.com
X-BeenThere: imss@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Internet and Management Support for Storage Working Group <imss.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/imss>, <mailto:imss-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:imss@ietf.org>
List-Help: <mailto:imss-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/imss>, <mailto:imss-request@ietf.org?subject=subscribe>
Errors-To: imss-bounces@ietf.org

> ...
>
> > > (2) Section 4.9 defines rate control for Authentication
> > > 	failures on a per-fabric granularity.  That strikes
> > > 	me as overly coarse, and I wonder if per-SA would
> > > 	be a more appropriate/useful granularity.
> >  
> > I think the question here is whether it's likely that authentication
> > failures will occur on many SA's at the same time -- if it is likely,
> > then per-Fabric rate control allows for plenty of notifications in
> > isolated cases without getting overloaded when many SA's have the
> > problem.  But, if there's no correlation between occurrences on
> > different SA's, then the odds of many SA's having the problem at the
> > same time is presumably negligible, and I agree that per-SA would be
> > better.
> 
> I think this also revolves around the number of SAs.  I would expect
> FC-SP SA usage to be more akin to a site-to-site VPN (small number of
> SAs carrying large amounts of traffic) than a remote access VPN
> (large number of SAs carrying smaller amounts of traffic).  That
> should limit the size of a one-per-SA notification burst in practice.
> 
> I definitely agree with your concern about overload, as authentication
> failures are relatively cheap to generate (e.g., attacker need not do
> any crypto calculations), and hence causing a large number of such
> failures in a short time period could be a denial of service attack
> based on the work involved in generating the notifications.
> 
> OTOH, this text:
> 
>    For t11FcSpSaNotifyAuthFailure, rate control is achieved by
>    specifying that it is generated only for the first occurrence of an
>    Authentication failure on a particular Fabric within a time window.
> 
> strikes me as providing unwarranted help for an attacker trying
> to cover her tracks - she opens an SA to the victim, generates
> an authentication failure, thereby generating the first notification,
> and can then attack other SAs for the same fabric within the time
> window, since their notifications are suppressed.
> 
> Perhaps what's appropriate is a 2-level rate limiting structure:
> - At most one notification per SA in the (settable) time window.
> - At most <n> (new settable value) notifications per fabric in
> 	the same (settable) time window.

That sounds fine to me.

(FYI - I'm going to keep track of the changes we agree upon, and do all
the editing after the end of the Last Call.)

Keith.


_______________________________________________
imss mailing list
imss@ietf.org
https://www1.ietf.org/mailman/listinfo/imss

v2.23.0 | Report a Bug | By Email