Re: [radext] RDTLS #65 (new): Multiple dtls sessions in a tuple?

[Peter Deacon <peterd@iea-software.com>]

On Mon, 21 Feb 2011, Alan DeKok wrote:

> Peter Deacon wrote:
> > Now from the same source port and address comes a brand new yet valid
> > request to start yet another session.

>  ... which can be trivially spoofed by anyone.

Isn't this what client hello /w cookies and the secure handshakes are for? 
Surely these can't be spoofed so easily?!

> > But there is already a valid session in the table...  Are you saying the
> > behavior should be to not accept the establishment of the new session?

>  I'm saying that it should prefer to keep an existing session, which
> has recently sent signed packets.

What if the session does not exist anymore and the client tries to 
reestablish or it is behind a NAT and there is unlucky synchronization of 
source ports?

> > I would think the new session would have the same security and spoof
> > protections as the initial (Old-Session-Lives-Here) session since it is
> > doing the same thing it did before?

>  Once the new session is established, yes.  Until it is established,
> no.  The first packet of a new DTLS session has *no* security.

To be clear... the new session would be established only after the full 
DTLS handshake.  Not just on first packet...

>  Allowing new session requests to destroy "live" sessions results in a
> trivial DoS attack.

You can have both by broadcasting the datagram to both sessions which is 
why I'm asking what the expected behavior in this instance should be.

regards,
Peter

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>