Re: [Mip4] RFC3012bis: Proposal for Issue2-Change5

On Thursday,  4 Sep 2003, Ahmad wrote:

> Hi, Pete,
...
> >  > >  > > 
> >  > >  > > After that, we could add, "To meet the security obligations 
> >  > >  > > outlined in Section 12, the FA SHOULD use one of the already 
> >  > >  > > stored, previously unused challenges when responding to an 
> >  > >  > > unauthenticated Registration Request or Agent Solicitation."
> 
> If we are trying to prevent such a DoS attack by NOT INVALIDATING the
> challenge received in RRQ, why not send that challenge (still valid) back
> in RRP? Is there a problem with that?

I guess there is a rather large conceptual difference between expressing
that a challenge is copied from a received request and saying that
it is taken from an internally generated, stored value. In the first
case, if this wording is followed by the implementers, it may open
the way for buffer overrun attacks, which would be unfortunate.

(There may be other issues with this too, but I'll leave that to Pete)

	Henrik
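
Added example, not part of the original message and not taken from any Mobile IP implementation: a C sketch of the distinction drawn above, where the received challenge is only compared against the FA's store and the challenge placed in the reply always comes from that store. The store layout, the sizes CHAL_LEN and CHAL_SLOTS, and the function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define CHAL_LEN   16  /* assumed fixed size of challenges this FA generates */
#define CHAL_SLOTS 4   /* assumed number of challenges the FA keeps stored */

/* Hypothetical FA challenge store: values the FA generated itself. */
struct chal_slot  { uint8_t value[CHAL_LEN]; int used; };
struct chal_store { struct chal_slot slot[CHAL_SLOTS]; };

/* Is the challenge carried in a request one of ours?  rx_len comes off
 * the wire and is untrusted, so it is checked against CHAL_LEN before
 * any byte is read.  Nothing from the request is copied anywhere. */
int chal_is_known(const struct chal_store *s, const uint8_t *rx, size_t rx_len)
{
    if (rx == NULL || rx_len != CHAL_LEN)
        return 0;
    for (int i = 0; i < CHAL_SLOTS; i++)
        if (memcmp(s->slot[i].value, rx, CHAL_LEN) == 0)
            return 1;
    return 0;
}

/* Fill the reply's challenge from the store: the first stored challenge
 * not yet marked used.  The copy length is the constant CHAL_LEN, never a
 * length field from the request, so a malformed request cannot make the
 * reply path write past 'out'.  Returns bytes written, 0 on failure. */
size_t chal_for_reply(const struct chal_store *s, uint8_t *out, size_t out_cap)
{
    if (out == NULL || out_cap < CHAL_LEN)
        return 0;
    for (int i = 0; i < CHAL_SLOTS; i++) {
        if (!s->slot[i].used) {
            memcpy(out, s->slot[i].value, CHAL_LEN);
            return CHAL_LEN;
        }
    }
    return 0;  /* no unused challenge stored; caller must generate one */
}
```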



Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.