
Re: [radext] RDTLS #65 (new): Multiple dtls sessions in a tuple?



Peter Deacon wrote:
> Isn't this what client hello w/ cookies and the secure handshakes are
> for? Surely these can't be spoofed so easily?!

  This is assuming you get that far.  My assumption is that maintaining
multiple DTLS sessions for the same {src ip/port dst ip/port}
combination is a bad idea.  I do not know the security implications of
doing it, and I don't think I'm enough of a TLS expert to say.

> What if the session does not exist anymore and the client tries to
> reestablish or it is behind a NAT and there is unlucky synchronization
> of source ports?

  The client can retry.  The server can discard unused sessions.

  It's imperfect.

> You can have both by broadcasting the datagram to both sessions which is
> why I'm asking what the expected behavior in this instance should be.

  I am *very* wary of doing that.

  Alan DeKok.
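The alternative to several DTLS sessions on one tuple that the reply above sketches (one session per 4-tuple, the client retries, the server discards unused sessions) can be written down as a small server-side session table. The code below is an added illustration for this thread, not code from the list or from any RADIUS/DTLS implementation; the class and function names, the 30-second idle timeout, the endpoint addresses and the sample datagrams are all assumptions made for the example. It parses the fixed 13-byte DTLS record header, treats an epoch-0 handshake record whose first handshake message is a ClientHello as a new session attempt, and refuses to let such an unauthenticated ClientHello evict a session that has seen traffic recently, so the colliding peer simply has to retry after the old session goes idle. The "broadcast to both sessions" option is deliberately not implemented.

```python
# Added illustration (not from the thread): one DTLS session per 4-tuple.
# Policy: a ClientHello on a tuple whose session is live is dropped (client
# retries); a session idle longer than idle_timeout is discarded, so the retry
# then starts a fresh handshake. Names/timeouts/sample data are assumptions.

CT_HANDSHAKE = 22          # DTLS ContentType handshake
CT_APPLICATION_DATA = 23   # DTLS ContentType application_data
HS_CLIENT_HELLO = 1        # HandshakeType client_hello
DTLS_RECORD_HDR_LEN = 13   # type(1) version(2) epoch(2) seq(6) length(2)


def parse_dtls_record(datagram):
    """Return (content_type, epoch, fragment) of the first record, or None if malformed."""
    if len(datagram) < DTLS_RECORD_HDR_LEN:
        return None
    ctype = datagram[0]
    epoch = int.from_bytes(datagram[3:5], "big")
    length = int.from_bytes(datagram[11:13], "big")
    fragment = datagram[DTLS_RECORD_HDR_LEN:DTLS_RECORD_HDR_LEN + length]
    if len(fragment) != length:
        return None
    return ctype, epoch, fragment


def is_client_hello(ctype, epoch, fragment):
    # Only an epoch-0 (unencrypted) handshake record can carry a ClientHello;
    # the handshake header's first byte is msg_type.
    return ctype == CT_HANDSHAKE and epoch == 0 and fragment[:1] == bytes([HS_CLIENT_HELLO])


class DtlsSession:
    def __init__(self, tuple4, now):
        self.tuple4 = tuple4
        self.created = now
        self.last_seen = now
        self.records = 0


class SessionTable:
    """At most one DtlsSession per {src ip/port, dst ip/port} tuple, never two."""

    def __init__(self, idle_timeout=30.0):
        self.idle_timeout = idle_timeout
        self.sessions = {}

    def expire(self, now):
        """Discard unused sessions; returns how many were dropped."""
        idle = [t for t, s in self.sessions.items() if now - s.last_seen > self.idle_timeout]
        for t in idle:
            del self.sessions[t]
        return len(idle)

    def dispatch(self, tuple4, datagram, now):
        """Route one datagram. Returns:
        'new'      ClientHello on a free (or just-expired) tuple: fresh session created
        'busy'     ClientHello while the tuple's session is live: dropped, client retries
        'existing' record handed to the tuple's live session
        'dropped'  malformed record, or non-ClientHello with no session on the tuple
        """
        self.expire(now)
        rec = parse_dtls_record(datagram)
        if rec is None:
            return "dropped"
        ctype, epoch, fragment = rec
        sess = self.sessions.get(tuple4)
        if is_client_hello(ctype, epoch, fragment):
            if sess is not None:
                # An unauthenticated ClientHello must not evict a live session.
                return "busy"
            self.sessions[tuple4] = DtlsSession(tuple4, now)
            return "new"
        if sess is None:
            return "dropped"
        # A real server would refresh last_seen only after the record decrypts
        # and authenticates; here the record is simply counted.
        sess.last_seen = now
        sess.records += 1
        return "existing"


def dtls_record(ctype, epoch, seq, fragment):
    """Build a DTLS 1.2 record (version bytes FE FD) around fragment; constructed test data."""
    return (bytes([ctype, 0xFE, 0xFD]) + epoch.to_bytes(2, "big")
            + seq.to_bytes(6, "big") + len(fragment).to_bytes(2, "big") + fragment)


def demo():
    """Walk one tuple through hello, data, colliding hello, idle expiry, retry, junk."""
    t4 = ("192.0.2.10", 50000, "198.51.100.1", 2083)  # constructed client/server endpoints
    hello = dtls_record(CT_HANDSHAKE, 0, 0, bytes([HS_CLIENT_HELLO]) + b"\x00" * 38)
    appdata = dtls_record(CT_APPLICATION_DATA, 1, 5, b"\x01\x02\x03\x04")  # opaque payload
    table = SessionTable(idle_timeout=30.0)
    return [
        table.dispatch(t4, hello, now=0.0),      # new session on a free tuple
        table.dispatch(t4, appdata, now=1.0),    # delivered to the live session
        table.dispatch(t4, hello, now=2.0),      # NAT collision or stale client: busy
        table.dispatch(t4, hello, now=40.0),     # old session idle > 30 s: discarded, new
        table.dispatch(t4, b"\x16", now=41.0),   # truncated header: dropped
    ]
```

The trade-off the reply calls "imperfect" is visible in the third step: a client that lands on a tuple already in use gets nothing back until the earlier session has been idle for the timeout, but no spoofed ClientHello can knock a live session out.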

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>