
Re: [radext] RDTLS #65 (new): Multiple dtls sessions in a tuple?



On Mon, 21 Feb 2011, Alan DeKok wrote:

> Peter Deacon wrote:
>> Now from the same source port and address comes a brand new yet valid
>> request to start yet another session.
>
>  ... which can be trivially spoofed by anyone.

Isn't this what client hello w/ cookies and the secure handshakes are for? Surely these can't be spoofed so easily?!

>> But there is already a valid session in the table...  Are you saying the
>> behavior should be to not accept the establishment of the new session?
>
>  I'm saying that it should prefer to keep an existing session, which
> has recently sent signed packets.

What if the session does not exist anymore and the client tries to re-establish, or if it is behind a NAT and there is an unlucky synchronization of source ports?

>> I would think the new session would have the same security and spoof
>> protections as the initial (Old-Session-Lives-Here) session since it is
>> doing the same thing it did before?
>
>  Once the new session is established, yes.  Until it is established,
> no.  The first packet of a new DTLS session has *no* security.

To be clear... the new session would be established only after the full DTLS handshake, not just on the first packet...

>  Allowing new session requests to destroy "live" sessions results in a
> trivial DoS attack.

You can have both by broadcasting the datagram to both sessions, which is why I'm asking what the expected behavior in this instance should be.

regards,
Peter
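The session-table policy the two messages above converge on (an unauthenticated ClientHello from an already-known address/port tuple opens a parallel pending handshake, the live session keeps receiving its own authenticated records, and the old session is replaced only once the new handshake actually completes) can be modelled in a few lines. The following is an added example written for this page; it is not code from the thread, from the RADIUS/DTLS specification, or from any implementation. DTLS record authentication is stood in for by an HMAC under a per-session key, `handshake_key` is a stand-in for the key a real handshake would negotiate, and the peer address and message contents are constructed.

```python
import hmac
import hashlib
from dataclasses import dataclass, field

# Toy model of the "don't let a new session request destroy a live session"
# policy.  Added example, not from the thread or any RADIUS/DTLS code.
# A session is reduced to a symmetric key; "authenticated record" means an
# HMAC over the payload verifies under that key.  All names are constructed.


@dataclass
class Session:
    key: bytes
    packets_verified: int = 0


@dataclass
class SessionTable:
    # Both maps are keyed by the (source address, source port) tuple.
    established: dict = field(default_factory=dict)  # fully handshaked sessions
    pending: dict = field(default_factory=dict)      # handshakes in progress


def tag(key: bytes, payload: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()


def handshake_key(client_random: bytes) -> bytes:
    # Stand-in for the key a real DTLS handshake would negotiate (constructed).
    return hashlib.sha256(b"toy-handshake:" + client_random).digest()


def on_datagram(table: SessionTable, peer: tuple, msg: dict) -> str:
    """Dispatch one datagram from `peer`; returns the decision taken."""
    kind = msg["kind"]
    if kind == "record":
        # Offer the datagram to the live session first: only an authenticated
        # record may reach the application.
        live = table.established.get(peer)
        if live and hmac.compare_digest(tag(live.key, msg["payload"]), msg["tag"]):
            live.packets_verified += 1
            return "delivered-to-existing"
        return "dropped-unauthenticated"
    if kind == "client_hello":
        # The first packet of a new session carries no proof of origin, so it
        # may only open a *parallel* pending handshake.  The established
        # session, if any, is untouched and keeps receiving its own records.
        table.pending[peer] = Session(key=handshake_key(msg["client_random"]))
        return "pending-handshake-opened"
    if kind == "finished":
        # Only a Finished that verifies under the negotiated key proves the
        # new peer completed the handshake; only then does the new session
        # replace the old one for this tuple.
        cand = table.pending.get(peer)
        if cand and hmac.compare_digest(tag(cand.key, b"finished"), msg["tag"]):
            del table.pending[peer]
            table.established[peer] = cand
            return "new-session-established"
        return "dropped-bad-finished"
    return "dropped-unknown"


def scenario() -> dict:
    """Constructed sequence: spoofed hello/finished, then a genuine re-handshake."""
    t = SessionTable()
    peer = ("192.0.2.10", 49152)          # constructed peer tuple
    old = Session(key=b"k" * 32)
    t.established[peer] = old
    r = {}
    r["record_before"] = on_datagram(t, peer, {"kind": "record",
        "payload": b"Access-Request 1", "tag": tag(old.key, b"Access-Request 1")})
    r["spoofed_hello"] = on_datagram(t, peer, {"kind": "client_hello",
        "client_random": b"spoof"})
    r["spoofed_finished"] = on_datagram(t, peer, {"kind": "finished",
        "tag": b"\x00" * 32})
    # The old session still works: the spoofed packets did not evict it.
    r["record_after_spoof"] = on_datagram(t, peer, {"kind": "record",
        "payload": b"Access-Request 2", "tag": tag(old.key, b"Access-Request 2")})
    r["old_still_live"] = t.established[peer] is old
    # Genuine client re-handshakes from the same tuple (e.g. after a restart).
    on_datagram(t, peer, {"kind": "client_hello", "client_random": b"real"})
    r["genuine_finished"] = on_datagram(t, peer, {"kind": "finished",
        "tag": tag(handshake_key(b"real"), b"finished")})
    r["replaced"] = t.established[peer] is not old
    # A record still signed with the old key is now rejected.
    r["stale_record"] = on_datagram(t, peer, {"kind": "record",
        "payload": b"x", "tag": tag(old.key, b"x")})
    return r


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k}: {v}")
```

The point of the two slots per tuple is that nothing unauthenticated ever touches `established`: a forged ClientHello or Finished can at most churn the `pending` entry, which is the cheap state, while the NAT and client-restart cases from the thread still work because a genuine completed handshake does replace the old session.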

archive: <http://psg.com/lists/radiusext/>