
Re: Issue 9.1) DoS attack using global <lock>



Andy,

Obviously 9.1 and 9.2 are related. So long as we note this in the security considerations, because the individual who is screwing up the lock is authenticated, I'm not even sure we need a <steal-lock> command to get around it.

Andy Bierman wrote:

A DoS attack is possible if global lock allows users to lock more of the config dB than they have write access. Choose one of:
- Only users with all-access can lock the dB
- Only grant lock for areas that write-access is allowed
- Support partial locks
- Simply document the problem in the security section



-- to unsubscribe send a message to netconf-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: <http://ops.ietf.org/lists/netconf/>


