Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

peer address update checks #65

Closed
wants to merge 2 commits into from
Closed

peer address update checks #65

wants to merge 2 commits into from

Conversation

thomas-fossati
Copy link
Collaborator

A first attempt to address #64 , as per discussion with Achim.

@ekr
Copy link
Contributor

ekr commented Jun 1, 2019

I think the first paragraph of this PR is fine, but the rest is out of scope.

The agreed upon intent of this draft is simply to allow flow identification, not to provide a generic address migration facility. That is a complicated topic that should be out of scope here.

@boaks
Copy link
Collaborator

boaks commented Jun 2, 2019
edited
Loading

I would prefer / appreciate, if the parts after the first paragraph would start with explaining the vulnerability and the attack, which may use it. That would setup the right scope for understanding, when a mitigation is required to protect other systems.

In the discussion #64 I tried to point out, that I would prefer to leave the mitigation to the using system and just mention the "heartbeat" as one solution.
As I wrote in a comment above, I'm not sure, if introducing "tls12_cid for empty cid" will pay off. May be you can provide us the scenario, where the request requires tls12_cid as well.

@thomas-fossati
Addressing EKR’s comment.
d3ae9a6 
- Remove heartbeat based address validation -- I’ll probably write
  up the the proposal in a separate draft;

- Push peer validation up in the stack by RECOMMENDing that
  implementations expose peer address updates to their user.
@jsalowey
Copy link

We don't have consensus for all of this text. I think the proposal is to address tis in a separate document. Can we close this PR?

@thomas-fossati
Copy link
Collaborator Author

thomas-fossati commented Jun 25, 2019
edited
Loading

We don't have consensus for all of this text. I think the proposal is to address tis in a separate document. Can we close this PR?

The current version of this PR has expunged the text that outlined an address validation sub-protocol. This can and will be sketched separately. What is left here is just a description of what the problem is and what a receiver must do to counter at least two possible attacks using simple unilateral measures. I'm not sure what is controversial?

@boaks
Copy link
Collaborator

boaks commented Jun 26, 2019

I would prefer, if the risk of the "man-in-the-middle" explicitly states, that

  • it's a risk to be misused to attack other systems
    (the own system may attacked by such a "man-in-the-middle" much harder with DoS by just dropping the messages)
  • therefore only applies to large response messages

In my opinion, too general descriptions of risks tend to be misunderstood.

@hannestschofenig
Copy link
Collaborator

This PR has been replaced by text offered in #68

@boaks boaks mentioned this pull request Jul 10, 2019
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@boaks boaks boaks left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@thomas-fossati @ekr @boaks @jsalowey @hannestschofenig