View Issue Details

ID: 0002484
Project / Category: 10000-004: Services
View Status: public
Last Update: 2013-12-10 17:24
Reporter: Nathan Pocock
Assigned To: Matthias Damm
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Fixed in Version: 1.02
Summary: 0002484: Automatic closure of idle secure channels (possibly security threat)
Description

Is a server under a potential DoS attack if a Client creates a secure channel and then never uses it to make any UA calls?

What if the client had an IOP problem or maliciously created open channels?

Because the stacks maintain a "heartbeat" to keep the channel open we (CMPWG) thought it applicable that a channel automatically close if no UA calls are made within the channel timeout period.

Tags: No tags attached.
Commit Version:
Fix Due Date:

Activities

Jim Luth

2013-06-11 16:29

administrator   ~0004722

Needs analysis to determine if UA imposes anything that would make it worse than any other typical DOS-aware TCP application.

Possibly we want a much shorter timeout on "unsecure" secure channels.

Matthias Damm

2013-11-25 16:15

developer   ~0005137

Added the following clarification to 5.5.2 OpenSecureChannel

A Server application should limit the number of SecureChannels. To protect against misbehaving Clients and denial of service attacks, the Server shall close the oldest SecureChannel that has no Session assigned before reaching the maximum number of supported SecureChannels.

Resolved in document IEC 62541-4 - Services [Pre-CDV] 1.02.07.doc
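An added illustration, not the specification's text nor any UA stack's code, of the two policies discussed in this issue: the resolution's rule of closing the oldest SecureChannel that has no Session when the Server reaches its channel limit, and the reporter's proposal of closing channels on which no UA call arrives within a timeout. The table class, its limits, the constructed clock values and the choice to apply the idle rule only to Session-less channels are all assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class SecureChannel:
    channel_id: int
    opened_at: float            # time the channel was opened (constructed clock, seconds)
    last_activity: float        # time of the last UA service call on the channel
    session_id: Optional[int] = None   # Session bound to this channel, if any

class SecureChannelTable:          # hypothetical Server-side channel bookkeeping
    def __init__(self, max_channels: int, idle_timeout: float) -> None:
        self.max_channels = max_channels
        self.idle_timeout = idle_timeout
        self.channels: Dict[int, SecureChannel] = {}
        self.closed: List[Tuple[int, str]] = []   # (channel id, reason) audit trail
        self._next_id = 1

    def open_channel(self, now: float) -> Optional[int]:
        """OpenSecureChannel: evict the oldest Session-less channel when at the limit."""
        if len(self.channels) >= self.max_channels:
            victim = self._oldest_without_session()
            if victim is None:
                return None     # every channel carries a Session: refuse the new one
            self._close(victim.channel_id, "limit reached: oldest channel without Session")
        cid = self._next_id
        self._next_id += 1
        self.channels[cid] = SecureChannel(cid, now, now)
        return cid

    def _oldest_without_session(self) -> Optional[SecureChannel]:
        free = [c for c in self.channels.values() if c.session_id is None]
        return min(free, key=lambda c: c.opened_at) if free else None

    def service_call(self, cid: int, now: float) -> None:
        self.channels[cid].last_activity = now   # any UA call counts as activity
    def assign_session(self, cid: int, session_id: int) -> None:
        self.channels[cid].session_id = session_id

    def reap_idle(self, now: float) -> List[int]:
        """Close Session-less channels idle longer than idle_timeout (assumption: Session-bound ones are left to the Session timeout)."""
        idle = [c for c in self.channels.values()
                if c.session_id is None and now - c.last_activity > self.idle_timeout]
        for c in idle:
            self._close(c.channel_id, "idle timeout without Session")
        return [c.channel_id for c in idle]

    def _close(self, cid: int, reason: str) -> None:
        del self.channels[cid]
        self.closed.append((cid, reason))
```

Running `reap_idle` periodically (for example from the same timer that drives the channel renew) is what turns the reporter's idle rule into behaviour; `closed` gives operators a record of which channels were dropped and why.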

Jim Luth

2013-11-25 18:30

administrator   ~0005146

Agreed to changes in doc in telecon. Awaiting Errata to close this issue.

Jim Luth

2013-12-10 17:24

administrator   ~0005183

Agreed to Errata changes

Issue History

Date Modified Username Field Change
2013-06-04 15:43 Nathan Pocock New Issue
2013-06-11 16:29 Jim Luth Note Added: 0004722
2013-06-11 16:30 Jim Luth Status new => assigned
2013-06-11 16:30 Jim Luth Assigned To => Matthias Damm
2013-11-25 16:15 Matthias Damm Status assigned => resolved
2013-11-25 16:15 Matthias Damm Resolution open => fixed
2013-11-25 16:15 Matthias Damm Note Added: 0005137
2013-11-25 18:30 Jim Luth Note Added: 0005146
2013-12-10 17:24 Jim Luth Status resolved => closed
2013-12-10 17:24 Jim Luth Note Added: 0005183
2013-12-10 17:24 Jim Luth Fixed in Version => 1.02