[TLS] DTLS and failed cookie validation

Hi,

While reading draft-ietf-capwap-protocol-specification-11, I came
across a detail that isn't well specified in DTLS:

RFC 4347 doesn't seem to say what the server should do if it receives
an invalid cookie (which doesn't match the expected value).

My proposal would be to treat this the same as a request with no
cookie at all. (The original IKEv2 RFC also omitted this detail. When
writing RFC 4718 we concluded that other approaches, such as silently
discarding the whole request, could create strange failure modes even
in the absence of any malicious attackers, and wouldn't really provide
any additional DoS protection.)

Best regards,
Pasi
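The two server policies the post contrasts, as an added example that is not part of the original message or of any DTLS implementation: a stateless cookie computed as an HMAC over the client address and ClientHello fields (the construction RFC 4347 suggests), and a server that, on a missing or non-matching cookie, either answers with a fresh HelloVerifyRequest ("reverify", the behaviour proposed above) or silently drops the message ("discard"). The class and function names, the 16-byte cookie length, the HMAC-SHA256 choice and the secret rotation scenario are assumptions made for the illustration; the client address and handshake bytes are constructed.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass


@dataclass
class ClientHello:
    client_version: bytes       # b"\xfe\xff" is DTLS 1.0
    random: bytes               # 32 bytes
    session_id: bytes
    cipher_suites: bytes
    compression_methods: bytes
    cookie: bytes = b""         # empty on the client's first flight


@dataclass
class HelloVerifyRequest:
    cookie: bytes


class DtlsCookieServer:
    """Hypothetical stateless cookie exchange (assumed construction):
    cookie = HMAC(server_secret, client_ip || client_port || ClientHello fields),
    so the server keeps no per-client state before the cookie round trip."""

    def __init__(self):
        self.secret = secrets.token_bytes(32)

    def rotate_secret(self):
        # A real server rotates the secret periodically; cookies issued
        # under the old secret then stop validating.
        self.secret = secrets.token_bytes(32)

    def _cookie_for(self, peer, hello):
        ip, port = peer
        msg = b"".join([
            ip.encode(), port.to_bytes(2, "big"),
            hello.client_version, hello.random, hello.session_id,
            hello.cipher_suites, hello.compression_methods,
        ])
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:16]

    def handle_client_hello(self, peer, hello, policy="reverify"):
        expected = self._cookie_for(peer, hello)
        if hello.cookie and hmac.compare_digest(hello.cookie, expected):
            return "ServerHello"        # cookie valid: continue the handshake
        if not hello.cookie or policy == "reverify":
            # Missing cookie, or invalid cookie treated exactly like a missing one:
            # send a HelloVerifyRequest carrying the currently valid cookie.
            return HelloVerifyRequest(cookie=expected)
        return None                     # policy == "discard": drop silently


def simulate(policy, rotate_between=False):
    """Run one honest client against a server using `policy`.
    Returns "completed" if the handshake reaches ServerHello, else "stalled"."""
    server = DtlsCookieServer()
    peer = ("192.0.2.10", 54321)        # constructed client address
    hello = ClientHello(b"\xfe\xff", secrets.token_bytes(32), b"",
                        b"\x00\x2f\x00\x35", b"\x00")

    reply = server.handle_client_hello(peer, hello, policy)   # no cookie yet
    hello.cookie = reply.cookie                               # echo the cookie back
    if rotate_between:
        server.rotate_secret()          # the cookie in flight is now stale
    reply = server.handle_client_hello(peer, hello, policy)
    if isinstance(reply, HelloVerifyRequest):
        # Server asked for another round; a well-behaved client just retries.
        hello.cookie = reply.cookie
        reply = server.handle_client_hello(peer, hello, policy)
    return "completed" if reply == "ServerHello" else "stalled"


if __name__ == "__main__":
    for policy in ("reverify", "discard"):
        for rotate in (False, True):
            print(policy, "rotate" if rotate else "steady", simulate(policy, rotate))
```

The rotation case is the kind of non-malicious failure the post refers to: a client whose cookie was issued just before the server rotated its secret sends a cookie that is well-formed but no longer matches. Under "discard" the client hears nothing and waits out its retransmit timer; under "reverify" it receives a new cookie and completes on the next flight, and the attacker gains nothing either way, since a forged or stale cookie still buys only another stateless HelloVerifyRequest.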


_______________________________________________
TLS mailing list
TLS at ietf.org
https://www.ietf.org/mailman/listinfo/tls



Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.