
Re: [radext] RDTLS #65 (new): Multiple dtls sessions in a tuple?



On Mon, 21 Feb 2011, Alan DeKok wrote:

radext issue tracker wrote:
#65: Multiple dtls sessions in a tuple?

 Section 4.1 does not provide guidance regarding what to do when there is a
 new session established against a tuple having an existing session.

 Can it maintain multiple sessions and broadcast any subsequent datagrams
 or does it automatically trigger discard of the previous session(s)?

 Session initiation packets have no security or authentication, and can
 thus be spoofed.  I think that the new packet should be discarded.

Imagine my table has an entry:

SP  SA          DP   DA          DTLS
333 10.20.30.40 1812 10.0.0.1    Old-Session-Lives-Here

Now from the same source port and address comes a brand new yet valid request to start yet another session.

But there is already a valid session in the table... Are you saying the behavior should be to not accept the establishment of the new session?

I would think the new session would have the same security and spoof protections as the initial (Old-Session-Lives-Here) session since it is doing the same thing it did before?

regards,
Peter
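The two behaviours argued over above (discard the new initiation packet, or let it displace the existing session) can be made concrete with a toy session table keyed on the same (SP, SA, DP, DA) tuple as Peter's example. This is an added illustration, not code from the radext draft or from any RADIUS/DTLS implementation; the policy names, the `DtlsSession`/`SessionTable` classes and the "New-ClientHello" label are constructed for the demonstration.

```python
"""Toy model of a RADIUS/DTLS server session table keyed on the
(source port, source address, dest port, dest address) tuple.
Added illustration for the thread; not code from the draft or any
implementation. Policy names and labels are constructed assumptions."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# One table row is addressed by the tuple from the thread: SP, SA, DP, DA.
Tuple4 = Tuple[int, str, int, str]


@dataclass
class DtlsSession:
    name: str  # stands in for the real DTLS state


@dataclass
class SessionTable:
    # "discard_new": keep the existing session, drop a fresh ClientHello
    #                that arrives for an occupied tuple (Alan's proposal).
    # "replace":     tear the old session down and handshake with the
    #                newcomer (the alternative Peter raises).
    policy: str
    rows: Dict[Tuple4, DtlsSession] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def on_client_hello(self, key: Tuple4, label: str) -> str:
        """Handle an unauthenticated DTLS session-initiation packet.

        The server only sees the tuple; it cannot tell a client that
        restarted from a packet with a spoofed source address and port."""
        existing = self.rows.get(key)
        if existing is None:
            self.rows[key] = DtlsSession(label)
            return "accepted"
        if self.policy == "discard_new":
            self.log.append(f"dropped {label}; {existing.name} stays bound to {key}")
            return "discarded"
        if self.policy == "replace":
            self.log.append(f"evicted {existing.name} in favour of {label} on {key}")
            self.rows[key] = DtlsSession(label)
            return "replaced"
        raise ValueError(f"unknown policy {self.policy!r}")

    def session_for(self, key: Tuple4) -> Optional[str]:
        row = self.rows.get(key)
        return row.name if row else None


def run_scenario(policy: str) -> Dict[str, Optional[str]]:
    """Replay the thread's example under one policy.

    Old-Session-Lives-Here is bound to (333, 10.20.30.40, 1812, 10.0.0.1);
    then a second ClientHello arrives from exactly that tuple."""
    key: Tuple4 = (333, "10.20.30.40", 1812, "10.0.0.1")
    table = SessionTable(policy)
    table.on_client_hello(key, "Old-Session-Lives-Here")
    outcome = table.on_client_hello(key, "New-ClientHello")  # constructed label
    return {"second_hello": outcome, "bound": table.session_for(key)}


if __name__ == "__main__":
    for policy in ("discard_new", "replace"):
        print(policy, run_scenario(policy))
```

Running both policies shows the trade-off the issue is asking the draft to settle: under "replace", any packet that merely claims the tuple evicts the valid session, which is why an unauthenticated ClientHello is a weak basis for tearing state down; under "discard_new", a legitimate client that rebooted and reuses its port is stuck until the stale row expires, so the discard rule needs a timeout or liveness check beside it.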

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>