Re: [midcom] MIDCOM-MIB: Timeout for unused midcomRuleEntries
Dear MIDCOM-ers,
As described below, entries in midcomRuleTable (representing the policy
rules) are generated out of the use of midcomSessionTable.
A malicious MIDCOM client could start generating more and more entries in
midcomRuleTable until the resources at the middlebox are exhausted. One way
to prevent MIDCOM clients from doing so is to associate with each entry in
midcomRuleTable an initial timeout value, so that the entry is removed
automatically if it is not used before the timeout expires ("not used" meaning
that midcomRuleAdminStatus has not been written).
This timeout value is currently set to 60 seconds in the MIDCOM MIB module
definition.
As long as nobody has any objection to this timeout value, it is regarded
as accepted.
Martin
--On Tuesday, 15 June 2004 22:56 +0200 Martin Stiemerling
<stiemerling at netlab.nec.de> wrote:
| - Request unused entries in rule table to be written to
| object midcomRuleAdminStatus within 60 seconds.
| Timeout for unused rule entries is aborted only by writing to
| midcomRuleAdminStatus
|
| Freshly generated entries in midcomRuleTable are removed after 60 seconds
| if midcomRuleAdminStatus is not written.
|
| There is already text in midcomSessionRuleNewIndex about this. The
| remaining question is whether the timeout value is appropriate or not.
_______________________________________________
midcom mailing list
midcom at ietf.org
https://www1.ietf.org/mailman/listinfo/midcom
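The behaviour discussed in the thread, as an added illustrative model that is not part of the original message or of the MIDCOM MIB module: a middlebox allocates a midcomRuleTable row when a client reads midcomSessionRuleNewIndex, starts a timer on it, and removes the row if midcomRuleAdminStatus is not written before the timer expires. The class and function names, the injectable clock, the table capacity and the flooding client are assumptions made for illustration; the only value taken from the thread is the 60-second timeout. The flood simulation shows what a timeout buys against a client that allocates rows and never writes midcomRuleAdminStatus: with the timeout the number of occupied rows is bounded by rate times timeout, without it the table fills and legitimate requests are rejected.

```python
"""Constructed model of the midcomRuleTable unused-entry timeout (not the MIB's own code)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

RULE_TIMEOUT_SECONDS = 60.0   # value proposed on the list
MAX_RULES = 1000              # assumed middlebox capacity, for illustration only


class TableFull(Exception):
    """Raised when the (assumed) middlebox capacity is exhausted."""


@dataclass
class RuleEntry:
    session_id: int
    created_at: float
    admin_status: Optional[str] = None   # None until the client writes it
    deadline: Optional[float] = None     # None once the timeout has been aborted


class MiddleboxRuleTable:
    """Models midcomRuleTable with the timeout described in the thread.

    `now` is passed in explicitly so the model is deterministic and testable;
    a real implementation would read the middlebox clock.
    """

    def __init__(self, timeout: Optional[float] = RULE_TIMEOUT_SECONDS, capacity: int = MAX_RULES):
        self.timeout = timeout          # None models a middlebox without the timeout
        self.capacity = capacity
        self.rules: Dict[int, RuleEntry] = {}
        self._next_index = 1

    def new_index(self, session_id: int, now: float) -> int:
        """Model of a client reading midcomSessionRuleNewIndex: a fresh row is created."""
        self.reap(now)
        if len(self.rules) >= self.capacity:
            raise TableFull("midcomRuleTable full")
        idx = self._next_index
        self._next_index += 1
        deadline = None if self.timeout is None else now + self.timeout
        self.rules[idx] = RuleEntry(session_id, now, deadline=deadline)
        return idx

    def write_admin_status(self, idx: int, value: str, now: float) -> bool:
        """Model of a SET on midcomRuleAdminStatus: aborts the unused-entry timeout.

        Returns False if the row has already expired (or never existed), which is
        what a late client would observe.
        """
        self.reap(now)
        entry = self.rules.get(idx)
        if entry is None:
            return False
        entry.admin_status = value
        entry.deadline = None
        return True

    def reap(self, now: float) -> int:
        """Remove rows whose timeout expired without a write to midcomRuleAdminStatus."""
        expired = [i for i, e in self.rules.items()
                   if e.deadline is not None and now >= e.deadline]
        for i in expired:
            del self.rules[i]
        return len(expired)


def simulate_flood(timeout: Optional[float], total_requests: int,
                   rate_per_second: float, capacity: int = MAX_RULES) -> Tuple[int, int, int]:
    """A constructed malicious client: requests new indexes at `rate_per_second`
    and never writes midcomRuleAdminStatus.

    Returns (peak rows occupied, rows left once everything could have expired,
    requests rejected because the table was full).
    """
    table = MiddleboxRuleTable(timeout=timeout, capacity=capacity)
    peak = rejected = 0
    for n in range(total_requests):
        now = n / rate_per_second
        try:
            table.new_index(session_id=1, now=now)
        except TableFull:
            rejected += 1
        peak = max(peak, len(table.rules))
    end = total_requests / rate_per_second + (timeout or 0.0)
    table.reap(end)
    return peak, len(table.rules), rejected


if __name__ == "__main__":
    print("60 s timeout, 10 req/s:", simulate_flood(60.0, 1000, 10))   # peak 600, 0 left
    print("no timeout,   10 req/s:", simulate_flood(None, 1500, 10))   # table fills, 500 rejected
```

The bound the timeout gives is rate times timeout (10 requests per second times 60 seconds is 600 rows in the first run), so the timeout alone does not stop a fast enough client from filling a table; a middlebox would still want a per-session or per-client cap on rows, which the model leaves out.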