Fibre Channel address weaknesses

http://searchitchannel.techtarget.com/feature/Fibre-Channel-address-weaknesses

Figure 2.1 Five layers of a Fibre Channel frame.

Figure 2.2 shows an example of the header information in Fibre Channel layer 2.

Now that we have established that attacks don't change, but they do get modified, let's discuss another attack that stems network and application history. Manipulation of the 24-bit fabric address can cause significant damage and denial of service in a SAN.

Each node in a SAN has a 24-bit fabric address that is used for routing, among other things. Along with routing frames correctly to/from their source and destinations, the 24-bit address is also used for name server information. The name server is a logical database in each Fibre Channel switch that correlates a node's 24-bit fabric address to their 64-bit WWN. Additionally, the name server is also responsible for other items, such as mapping the 24-bit fabric address and 64-bit WWN to the authorized LUNs in the SAN. Furthermore, address information is also used for soft and hard zoning procedures (discussed in the Chapter 4, "SANs: Zone and Switch Security"). The 24-bit fabric address of a node determines route functions with soft and hard zoning procedures, specifically if a frame is allowed to pass from one zone to the other. While there are several other uses of the 24-bit address, the use of the address in name servers and zoning procedures are by far the most important in terms of security.

The major issues with the 24-bit address is that it is used for identification purposes for both name server information and soft/hard zone routing, almost like an authorization process, but it is an entity that can be easily spoofed. Using any traffic analyzer, the 24-bit source address of a Fibre Channel frame could be spoofed as it performs both PLOGI (Port Login) and FLOGI (Fabric Login) procedures.

In Fibre Channel, there are three different types of login—Port Login, Fabric Login, and Node Login. Two can be corrupted with a spoofed 24-bit fabric address. Before we discuss how spoofing disrupts these processes, let's discuss the login types first.

FABRIC LOGIN (FLOGI), PORT LOGIN (PLOGI), AND NODE LOGIN (NLOGI)

The Fabric Login (FLOGI) process allows a node to log in to the fabric and receive an assigned address from a switch. The FLOGI occurs with any node (N_Port or NL_Port) that is attached to the fabric. The N_Port or NL_Port will carry out the FLOGI with a nearby switch. The node (N_Port or NL_Port) will send a FLOGI frame that contains its node name, its N_Port name, and any service parameters. When the node sends its information to the address of 0xFFFFFE, it uses the 24-bit source address of 0x000000 because it hasn't received a legitimate 24-bit address from the fabric yet. The FLOGI will be sent to the well-known fabric address of 0xFFFFFE, which is similar to the broadcast address in an IP network (though not the same). The FC switches and fabric will receive the FLOGI at the address of 0xFFFFFE. After a switch receives the FLOGI, it will give the N_Port or NL_Port a 24-bit address that pertains to the fabric itself. This 24-bit address with be in the form of Domain-Area-Port address from, where the Domain is the unique domain name (ID) of the fabric, Area is the unique area name (ID) of the switch within the domain, and Port is the unique name (ID) of each port within the switch in the fabric. Table 2.3 shows how the 24-bit address is made.

Table 2.3 24-Bit addresses

24-Bit Address Type
Description

8-bit domain name
Unique domain ID in a fabric. Valid domain IDs are between 1 and 239.

8-bit area name
Unique area ID on a switch within a fabric. Valid area IDs are between 0 and 255.

8-bit port name
Unique area ID on a switch within a fabric. Valid area IDs are between 0 and 255.

A 24-bit address (port ID) uses the following formula to determine a node's address:

Domain_ID x 65536 + Area_ID x 256 + Port_ID = 24 bit Address

An example address for and node on the first domain (domain ID of 1), on the first switch (area ID of 0), and the first port (port ID of 1), would be the following:

1 x 65536 + 0 x 256 + 1 = 65537 (Hex: 0x10001)

After the node has completed the FLOGI and has a valid 24-bit fabric address, it will perform a Port Login (PLOGI) to the well-known address of 0xFFFFFC to register its new 24-bit address with the switch's name server, as well as submit information on its 64-bit port WWN, 64-bit node WWN, port type, and class of service. The switch then registers that 24-bit fabric address, along with all the other information submitted, to the name server and replicates that information to other name servers on the switch fabric. Figures 2.14 and 2.15 show the FLOGI and PLOGI processes.

Figure 2.14 FLOGI process.

Figure 2.15 PLOGI process.

A Node Login is somewhat similar to a Fabric Login, but instead of logging in to the fabric, the node would log in to another node directly (node to node communication). The node will not receive any information from the fabric, but will receive information from the other node as it relates to Exchange IDs (OX_ID and RX_ID) and session information (Seq_ID and Seq_CNT). After this information has been exchanged, the two nodes will begin to communicate with each other directly.