
Re: [radext] RDTLS #65 (new): Multiple dtls sessions in a tuple?



Peter Deacon wrote:
> Now from the same source port and address comes a brand new yet valid
> request to start yet another session.

  ... which can be trivially spoofed by anyone.

> But there is already a valid session in the table...  Are you saying the
> behavior should be to not accept the establishment of the new session?

  I'm saying that it should prefer to keep an existing session, which
has recently sent signed packets.

> I would think the new session would have the same security and spoof
> protections as the initial (Old-Session-Lives-Here) session since it is
> doing the same thing it did before?

  Once the new session is established, yes.  Until it is established,
no.  The first packet of a new DTLS session has *no* security.

  Allowing new session requests to destroy "live" sessions results in a
trivial DoS attack.

  Alan DeKok.
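The policy argued for above, as an added example that is not part of the original message and not code from any RADIUS/DTLS implementation: a server session table keyed by (source address, source port) in which a ClientHello, which arrives before any keys exist and so cannot be authenticated, is ignored while the tuple's existing session has recently delivered authenticated records, and only replaces a session once that session has gone idle. Record protection is simulated with an HMAC over a toy payload rather than real DTLS, the 30-second LIVE_WINDOW, the key, the addresses and the two Access-Request payloads are all constructed for the example, and the handshake that would follow an accepted ClientHello is left out; `run(False)` models the naive table (a spoofed ClientHello evicts the live session and the client's next packet is dropped), `run(True)` the preferred one.

```python
"""Session-table policy for a RADIUS/DTLS server (toy model, added example).

The first packet of a DTLS session, the ClientHello, carries no
authentication, so anyone who can spoof the client's source address can
send one.  The server below keeps a session that has recently received
authenticated records and ignores ClientHellos for its tuple; only an idle
session may be replaced.  Record protection is a plain HMAC stand-in so
the spoofing argument can be exercised offline."""
import hashlib
import hmac
import struct
from dataclasses import dataclass

DTLS_1_2 = 0xFEFD
HANDSHAKE, APPLICATION_DATA = 22, 23
CLIENT_HELLO = 1
TAG_LEN = 16
LIVE_WINDOW = 30.0  # assumed: seconds a session stays "live" after its last authenticated record

# DTLS record header: type, version, epoch, 48-bit sequence (16 + 32 bits), length
HDR = struct.Struct("!BHHHIH")


@dataclass
class Record:
    content_type: int
    epoch: int
    seq: int
    payload: bytes


def parse_record(datagram: bytes) -> Record:
    ctype, _ver, epoch, seq_hi, seq_lo, length = HDR.unpack_from(datagram)
    payload = datagram[HDR.size:HDR.size + length]
    if len(payload) != length:
        raise ValueError("truncated record")
    return Record(ctype, epoch, (seq_hi << 32) | seq_lo, payload)


def build_record(ctype: int, epoch: int, seq: int, payload: bytes) -> bytes:
    return HDR.pack(ctype, DTLS_1_2, epoch, seq >> 32, seq & 0xFFFFFFFF, len(payload)) + payload


def is_client_hello(rec: Record) -> bool:
    # An epoch-0 handshake record starting with ClientHello: sent before any keys exist.
    return rec.content_type == HANDSHAKE and rec.epoch == 0 and rec.payload[:1] == bytes([CLIENT_HELLO])


def client_hello() -> bytes:
    # Minimal handshake header (type, 24-bit length, message seq, 24-bit fragment
    # offset and length) followed by client_version; the rest of the body is omitted.
    body = bytes([CLIENT_HELLO]) + (2).to_bytes(3, "big") + b"\x00\x00" + b"\x00" * 6 + DTLS_1_2.to_bytes(2, "big")
    return build_record(HANDSHAKE, 0, 0, body)


def mac(secret: bytes, epoch: int, seq: int, data: bytes) -> bytes:
    return hmac.new(secret, struct.pack("!HQ", epoch, seq) + data, hashlib.sha256).digest()[:TAG_LEN]


def protected_record(secret: bytes, epoch: int, seq: int, data: bytes) -> bytes:
    """Toy stand-in for a protected DTLS record: tag || data, no encryption."""
    return build_record(APPLICATION_DATA, epoch, seq, mac(secret, epoch, seq, data) + data)


@dataclass
class Session:
    secret: bytes
    epoch: int
    last_seq: int = -1
    last_authenticated: float = 0.0

    def is_live(self, now: float) -> bool:
        return now - self.last_authenticated < LIVE_WINDOW

    def verify(self, rec: Record) -> bool:
        # Wrong epoch, replayed/old sequence number, or a bad tag all fail.
        if rec.epoch != self.epoch or rec.seq <= self.last_seq or len(rec.payload) < TAG_LEN:
            return False
        tag, data = rec.payload[:TAG_LEN], rec.payload[TAG_LEN:]
        return hmac.compare_digest(tag, mac(self.secret, rec.epoch, rec.seq, data))


class DtlsServer:
    def __init__(self, prefer_existing: bool):
        self.prefer_existing = prefer_existing
        self.sessions: dict = {}  # (src_ip, src_port) -> Session

    def establish(self, src, secret: bytes, now: float) -> None:
        """Stand-in for a completed handshake: keys are in place, epoch 1 is active."""
        self.sessions[src] = Session(secret, epoch=1, last_authenticated=now)

    def handle(self, src, datagram: bytes, now: float) -> str:
        rec = parse_record(datagram)
        sess = self.sessions.get(src)
        if is_client_hello(rec):
            if sess is not None and self.prefer_existing and sess.is_live(now):
                return "ignored: live session on this tuple"  # unauthenticated, possibly spoofed
            self.sessions.pop(src, None)  # naive policy, or the old session has gone idle
            return "new handshake started"  # any previous session on this tuple is gone
        if sess is None:
            return "dropped: no session"
        if not sess.verify(rec):
            return "dropped: bad MAC or replay"
        sess.last_seq, sess.last_authenticated = rec.seq, now
        return "accepted"


SECRET = b"session-key-from-handshake"  # constructed
CLIENT = ("192.0.2.10", 49152)  # constructed client tuple


def run(prefer_existing: bool) -> list:
    """Live client, then a spoofed ClientHello from its tuple, then the client's next packet."""
    srv = DtlsServer(prefer_existing)
    srv.establish(CLIENT, SECRET, now=0.0)
    out = [srv.handle(CLIENT, protected_record(SECRET, 1, 1, b"Access-Request #1"), now=1.0)]
    out.append(srv.handle(CLIENT, client_hello(), now=2.0))  # attacker spoofs CLIENT's address
    out.append(srv.handle(CLIENT, protected_record(SECRET, 1, 2, b"Access-Request #2"), now=3.0))
    out.append(srv.handle(CLIENT, client_hello(), now=3.0 + LIVE_WINDOW + 1))  # session now idle
    return out


if __name__ == "__main__":
    for policy in (False, True):
        print("prefer existing" if policy else "naive       ", run(policy))
```

The last step of `run` is the caveat a deployer wants: a client that lost its state (reboot, NAT rebinding) can still start over, because once the old session stops producing authenticated records it ages out and its tuple is free again; what the policy refuses is letting an unauthenticated packet do that eviction while the session is demonstrably alive.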

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>