Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Preconditions for accepting address update events #69

Closed
boaks opened this issue Jul 10, 2019 · 4 comments
Closed

Preconditions for accepting address update events #69

boaks opened this issue Jul 10, 2019 · 4 comments

Comments

@boaks
Copy link
Collaborator

boaks commented Jul 10, 2019
edited
Loading

Security and Privacy Considerations

The part

When a record with CID is received that has the source address of the enclosing
UDP datagram different from the one previously associated with that CID, the
receiver MUST NOT update its view of the peer’s address with the source
specified in the UDP packet before cryptographically validating the enclosed
record(s). This is to ensure that a man-on-the-side attacker that sends a
packet with a different source address on an existing CID session does not
successfully manage to reroute any return traffic.

of PR #65 didn't made to the draft, or did I miss it?

In the meantime, I would even go further:
Applying MAC and Anti-Replay may validates the record cryptographically, and so the receive windows may be updated and the application data may be forwarded. But, if the epoch/sequence_number is not newer than the newest successfully validate epoch/sequence_number before, the address update event itself may be wrong! Assuming, that a address-change is located somewhere on the message's route, it seems to be not possible to distinguish, if the message was delayed after the "address change" (and so that address is deprecated) or before that (and so the address would be the new one). If that could not be decided, I would go for updating the address only for newer records.
Using that approach, updating the address only for newer records (based on epoch/sequence_number) with validated MAC, would also mitigate the first two attacks of issue #64, though retransmitting an record with changed address will not update the address, because these records are NOT newer.
This was referenced Jul 10, 2019
Open
Closed
@boaks boaks mentioned this issue Jul 18, 2019
Closed
@hannestschofenig
Copy link
Collaborator

I have updated the text of #70 and was wondering whether it captures your issue. I am not sure what steps I have to take to meet your requirements.

@boaks boaks mentioned this issue Aug 13, 2019
Merged
@boaks
Copy link
Collaborator Author

boaks commented Aug 13, 2019
edited
Loading

As long as RFC6347, 4.1.2.6 - anti replay doesn't get mandatory (MUST), everything for me will be OK.

So, yes, PR #70 addresses it in the right way.

@thomas-fossati
Copy link
Collaborator

It looks like #70 closes this issue?

@boaks
Copy link
Collaborator Author

boaks commented Oct 21, 2019

Thanks!

@boaks boaks closed this as completed Oct 21, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@hannestschofenig @thomas-fossati @boaks