View Issue Details

IDProjectCategoryView StatusLast Update
0009246Compliance Test Tool (CTT) Unified ArchitectureApi Changepublic2023-11-08 04:53
ReporterPaul Hunkar Assigned ToPaul Hunkar  
PrioritynormalSeverityminorReproducibilityalways
Status assignedResolutionopen 
Summary0009246: Reverse Connect: Denial of Service protection not clear
Description

Part 2 says for Reverse Connect: "... the Client needs to validate that the connection is from an appropriate Server and not a denial of service attack. If the Server does not respond in a timely manner to the open SecureChannel request the Client should close the channel.".

This seems to imply that on every transport connection opened by the Server to the Client, the Client needs to go through the whole initiation sequence in Part 6, 7.1.3 Establishing a connection Figure 17, i.e. Open Connection - Reverse Hello - Hello - Acknowledge - Open Secure Channel Request - Open Secure Channel Response (except for CreateSession maybe).

But, there is also a text "When a SecureChannel is established, the Server shall immediately create a new socket and sends a new ReverseHello to ensure the Client is able to create another SecureChannel if it is needed.".

Why does it say "... if it is needed"?
It seems to me that in order to provide the denial of service attack mitigation described in Part 2, the client immediately has to create another SecureChannel, so that it can verify that the connection is from the appropriate server. It cannot, for example, wait until this second SecureChannelis needed, because that would allow any number of transport connections be opened by an attacker.

TagsNo tags attached.
Attached Files
image.png (6,074 bytes)   
image.png (6,074 bytes)   
Files Affected

Relationships

related to 0009023 closedPaul Hunkar 10000-002: Security Reverse Connect: Denial of Service protection not clear 

Activities

Matthias Damm

2023-11-08 04:47

reporter   ~0020300

I think if a client does not need a connection, it would not listen for new connections and server tcp connects would fail. A server need to retry to see if the client needs a connection.

Needs in this context is that the client want to create a conection to the server or want to reconnect to the server or is doing discovery.
If a client has all "expected connections" working, there is no need to listen for tcp connects on the server side.

The client would start to listen as soon as a reconnect, new connect or discovery is needed.

A server would try tcp connects but would only succeed if the client is waiting for a connect.

Jim Luth

2023-11-08 04:47

administrator   ~0020301

Part 6 needs to state there needs to be a finite number of open unused sockets that get recycled. Also the option of a whitelist of ServerURIs can help with DOS,

Jim Luth

2023-11-08 04:47

administrator   ~0020302

May need to clone to Part 2 once the Part 6 update is made.

Zbynek Zahradnik

2023-11-08 04:47

reporter   ~0020303

If the Reverse Connect scenario should support multiple connections & SecureChannels between the same Client and Server, AND if the initiative to opening them should come from the Server, then I think we are missing a flag in the "Reverse Hello" message to distinguish whether

1) The server wants to create a new SecureChannel at this moment,
2) The server is opening a "back-up" connection as implied by the sentence "When a SecureChannel is established, the Server shall immediately create a new socket and sends a new ReverseHello to ensure the Client is able to create another SecureChannel if it is needed.

Without the flag, the Client cannot tell what it should do at that moment.
In the first case, it needs to proceed with "Hello" and the full sequence till SecureChannel handshake (and CreateSession etc.)
In the second case, it just needs to check the "Reverse Hello" request, and then sit idle on that connection until "... it is needed".

Matthias Damm

2023-11-08 04:47

reporter   ~0020304

I think there is still a basic missunderstanding.

The server has never the initiative to open a secure channel. And the server does not know the client side requirements.

The server only knows that there is a client with a hostname or IP and port that potentially want to create one or more SecureChannels with the server.
The server tries to offer TCP/IP connections to the client, nothing else.
The client decides if he want to create a SecureChannel and a Session. Never the server.

The only difference between normal connect and reverse connect is the step to create the TCP/IP connection

Zbynek Zahradnik

2023-11-08 04:47

reporter   ~0020305

This is not misunderstanding. I know what the spec says, and I understand your explanation, which is one way the spec can be read. I have intentionally started my note with "If ..." so that we can clarify whether the condition of the "If..." is intended to be true or not. You have confirmed that the "If..." condition is, in fact, meant to be false, and that's fine with me.

It then confirms my concerns about Denial of Service attacks. And we agreed to clarify the handling of additional Reverse Hello requests and when and how "idle" connections will be dropped.

Randy Armstrong

2023-11-08 04:47

administrator   ~0020306

Clients shall monitor the number of unused sockets per peer IP address. The Client shall immediately close unused sockets if the count exceeds the needs of the Client. An administrator may configure the Client with list of IP addresses which are allowed to establish reverse connections. The Client may build its own list of trusted IP addresses from the IP addresses used by active SecureChannels which have been authenticated.

Randy Armstrong

2023-11-08 04:47

administrator   ~0020307

Updated text:

Clients shall monitor the number of unused sockets used to send a ReverseHello but do not have an active SecureChannel per peer IP address. The Client shall immediately close unused these extra sockets if the count exceeds the needs of the Client . An administrator may configure the Client with list of IP addresses which are allowed to establish reverse connections. The Client may build its own list of trusted IP addresses from the IP addresses used by active SecureChannels which have completed the authentication process.

Jim Luth

2023-11-08 04:47

administrator   ~0020308

Agreed to reopen in Web meeting to add addtional text.

Randy Armstrong

2023-11-08 04:47

administrator   ~0020309

Added table describing the handshake agreed to in the meeting.

Jim Luth

2023-11-08 04:47

administrator   ~0020310

Agreed to 1.05.03 Draft text, but needs 1.04 Errata to close.

Jim Luth

2023-11-08 04:47

administrator   ~0020311

DoS for Reverse connect needs to be updated in Part 2 to match.

Zbynek Zahradnik

2023-11-08 04:47

reporter   ~0020312

What I would like to see clarified in Part 2 is this: "... the Client needs to validate that the connection is from an appropriate Server and not a denial of service attack. If the Server does not respond in a timely manner to the open SecureChannel request the Client should close the channel.".
What does "needs to validate.... is from an appropriate Server..."?

After the changes made to Part 6, technically, I think the client is either allowed to verify just the ApplicationUri in ReverseHello message (which can be easily spoofed), and pause ("save the socket") before it needs the SecureChannel. Or, the client can establish the SecureChannel immediately - only which truly verifies that "the connection is from an appropriate Server".

Does Part 2 allow the client both of these approaches, or does it mandate that the SecureChannel must be created? Can it be made clearer?

Paul Hunkar

2023-11-08 04:53

administrator   ~0020313

We need to make sure that reverse connect include tets cases for the following

open socket, but no reversehello message sent
Open Socket and send a different maessage then a reverse hello
ServerUri > 4096 in size
ServerUri - that does not match any server
EndpointUrl > 4096 in size
EndpointUrl that is unknow

Issue History

Date Modified Username Field Change
2023-11-08 04:47 Paul Hunkar New Issue
2023-11-08 04:47 Paul Hunkar Status new => assigned
2023-11-08 04:47 Paul Hunkar Assigned To => Paul Hunkar
2023-11-08 04:47 Paul Hunkar Issue generated from: 0009023
2023-11-08 04:47 Paul Hunkar Note Added: 0020300
2023-11-08 04:47 Paul Hunkar Note Added: 0020301
2023-11-08 04:47 Paul Hunkar Note Added: 0020302
2023-11-08 04:47 Paul Hunkar Note Added: 0020303
2023-11-08 04:47 Paul Hunkar Note Added: 0020304
2023-11-08 04:47 Paul Hunkar Note Added: 0020305
2023-11-08 04:47 Paul Hunkar Note Added: 0020306
2023-11-08 04:47 Paul Hunkar Note Added: 0020307
2023-11-08 04:47 Paul Hunkar Note Added: 0020308
2023-11-08 04:47 Paul Hunkar Note Added: 0020309
2023-11-08 04:47 Paul Hunkar Note Added: 0020310
2023-11-08 04:47 Paul Hunkar Note Added: 0020311
2023-11-08 04:47 Paul Hunkar Note Added: 0020312
2023-11-08 04:47 Paul Hunkar Relationship added related to 0009023
2023-11-08 04:48 Paul Hunkar Project 10000-002: Security => Compliance Test Tool (CTT) Unified Architecture
2023-11-08 04:48 Paul Hunkar Category Spec => Api Change
2023-11-08 04:53 Paul Hunkar Note Added: 0020313