Re: [radext] RDTLS #65 (new): Multiple dtls sessions in a tuple?
Peter Deacon wrote:
> Now from the same source port and address comes a brand new yet valid
> request to start yet another session.
... which can be trivially spoofed by anyone.
> But there is already a valid session in the table... Are you saying the
> behavior should be to not accept the establishment of the new session?
I'm saying that it should prefer to keep an existing session, which
has recently sent signed packets.
> I would think the new session would have the same security and spoof
> protections as the initial (Old-Session-Lives-Here) session since it is
> doing the same thing it did before?
Once the new session is established, yes. Until it is established,
no. The first packet of a new DTLS session has *no* security.
Allowing new session requests to destroy "live" sessions results in a
trivial DoS attack.
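The point made in this message, modelled as an added example (not code from the radext list or from any RADIUS/DTLS implementation): a server's DTLS session table keyed by the client (address, port) tuple, compared under two policies for an unauthenticated ClientHello that arrives on a tuple already holding a live session. The "replace" policy lets the hello evict the session; the "prefer_live" policy keeps the existing session if it has recently sent records that passed DTLS record authentication. The liveness window, the event names and the sample addresses are this example's own assumptions.

```python
"""Session-table policy for RADIUS over DTLS, as discussed in the thread.

Added example, not code from the radext working group or any RADIUS server.
It compares two ways of handling a new, unauthenticated ClientHello on a
(client address, client port) tuple that already holds a session:

  * "replace":     the hello evicts the existing session (the behaviour the
                   message warns turns into a trivial DoS);
  * "prefer_live": the existing session is kept while it has recently sent
                   records that passed the DTLS record MAC/AEAD check.

LIVE_WINDOW and the method names are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Tuple4 = Tuple[str, int]   # (client address, client source port)
LIVE_WINDOW = 30.0         # seconds a session counts as "live"; assumed value


@dataclass
class Session:
    established: bool = False                   # handshake finished?
    last_authenticated: Optional[float] = None  # time of last record that passed the integrity check


class SessionTable:
    def __init__(self, policy: str) -> None:
        if policy not in ("replace", "prefer_live"):
            raise ValueError(f"unknown policy {policy!r}")
        self.policy = policy
        self.sessions: Dict[Tuple4, Session] = {}

    def on_client_hello(self, key: Tuple4, now: float) -> str:
        """First packet of a new DTLS handshake: carries no authentication.

        Returns "new", "replaced" or "kept_existing".
        """
        existing = self.sessions.get(key)
        if existing is None:
            self.sessions[key] = Session()
            return "new"
        is_live = (
            existing.established
            and existing.last_authenticated is not None
            and now - existing.last_authenticated <= LIVE_WINDOW
        )
        if self.policy == "prefer_live" and is_live:
            # An unsigned hello must not displace a session that is
            # demonstrably still in use by the authenticated peer.
            return "kept_existing"
        self.sessions[key] = Session()
        return "replaced"

    def on_handshake_complete(self, key: Tuple4, now: float) -> None:
        s = self.sessions[key]
        s.established = True
        s.last_authenticated = now

    def on_authenticated_record(self, key: Tuple4, now: float) -> bool:
        """A record that passed the DTLS integrity check for this tuple.

        Returns False if there is no established session to deliver it to,
        i.e. the legitimate client has been cut off.
        """
        s = self.sessions.get(key)
        if s is None or not s.established:
            return False
        s.last_authenticated = now
        return True


def simulate(policy: str) -> dict:
    """Constructed scenario: a client with a live session, then a forged
    ClientHello from the same tuple, then the real client's next record."""
    table = SessionTable(policy)
    client: Tuple4 = ("192.0.2.10", 50000)      # documentation address, constructed
    table.on_client_hello(client, now=0.0)
    table.on_handshake_complete(client, now=1.0)
    table.on_authenticated_record(client, now=5.0)
    verdict = table.on_client_hello(client, now=6.0)      # unauthenticated hello
    served = table.on_authenticated_record(client, now=7.0)
    return {"hello_verdict": verdict, "client_still_served": served}


def simulate_stale_reconnect() -> str:
    """Under prefer_live, a hello on a tuple whose session has gone quiet for
    longer than LIVE_WINDOW is still accepted, so real reconnects work."""
    table = SessionTable("prefer_live")
    client: Tuple4 = ("192.0.2.10", 50000)
    table.on_client_hello(client, now=0.0)
    table.on_handshake_complete(client, now=1.0)
    table.on_authenticated_record(client, now=5.0)
    return table.on_client_hello(client, now=100.0)


if __name__ == "__main__":
    print("replace:     ", simulate("replace"))
    print("prefer_live: ", simulate("prefer_live"))
    print("stale hello: ", simulate_stale_reconnect())
```

Under "replace" the legitimate client's next authenticated record finds no established session; under "prefer_live" it is still delivered, and the hello on a tuple that has been silent longer than the window is honoured so a client that genuinely restarts from the same port is not locked out forever. The trade-off is that a real client restarting inside the window waits until its old session ages out, which is why the window length is a tuning decision rather than a fixed constant.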