View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0009246 | Compliance Test Tool (CTT) Unified Architecture | Api Change | public | 2023-11-08 04:47 | 2023-11-08 04:53 |
Reporter | Paul Hunkar | Assigned To | Paul Hunkar | ||
Priority | normal | Severity | minor | Reproducibility | always |
Status | assigned | Resolution | open | ||
Summary | 0009246: Reverse Connect: Denial of Service protection not clear | ||||
Description | Part 2 says for Reverse Connect: "... the Client needs to validate that the connection is from an appropriate Server and not a denial of service attack. If the Server does not respond in a timely manner to the open SecureChannel request the Client should close the channel.". This seems to imply that on every transport connection opened by the Server to the Client, the Client needs to go through the whole initiation sequence in Part 6, 7.1.3 Establishing a connection Figure 17, i.e. Open Connection - Reverse Hello - Hello - Acknowledge - Open Secure Channel Request - Open Secure Channel Response (except for CreateSession maybe). But, there is also a text "When a SecureChannel is established, the Server shall immediately create a new socket and sends a new ReverseHello to ensure the Client is able to create another SecureChannel if it is needed.". Why does it say "... if it is needed"? | ||||
Tags | No tags attached. | ||||
Attached Files | |||||
Files Affected | |||||
related to | 0009023 | closed | Paul Hunkar | 10000-002: Security | Reverse Connect: Denial of Service protection not clear |
|
I think if a client does not need a connection, it would not listen for new connections and server tcp connects would fail. A server need to retry to see if the client needs a connection. Needs in this context is that the client want to create a conection to the server or want to reconnect to the server or is doing discovery. The client would start to listen as soon as a reconnect, new connect or discovery is needed. A server would try tcp connects but would only succeed if the client is waiting for a connect. |
|
Part 6 needs to state there needs to be a finite number of open unused sockets that get recycled. Also the option of a whitelist of ServerURIs can help with DOS, |
|
May need to clone to Part 2 once the Part 6 update is made. |
|
If the Reverse Connect scenario should support multiple connections & SecureChannels between the same Client and Server, AND if the initiative to opening them should come from the Server, then I think we are missing a flag in the "Reverse Hello" message to distinguish whether 1) The server wants to create a new SecureChannel at this moment, Without the flag, the Client cannot tell what it should do at that moment. |
|
I think there is still a basic missunderstanding. The server has never the initiative to open a secure channel. And the server does not know the client side requirements. The server only knows that there is a client with a hostname or IP and port that potentially want to create one or more SecureChannels with the server. The only difference between normal connect and reverse connect is the step to create the TCP/IP connection |
|
This is not misunderstanding. I know what the spec says, and I understand your explanation, which is one way the spec can be read. I have intentionally started my note with "If ..." so that we can clarify whether the condition of the "If..." is intended to be true or not. You have confirmed that the "If..." condition is, in fact, meant to be false, and that's fine with me. It then confirms my concerns about Denial of Service attacks. And we agreed to clarify the handling of additional Reverse Hello requests and when and how "idle" connections will be dropped. |
|
Clients shall monitor the number of unused sockets per peer IP address. The Client shall immediately close unused sockets if the count exceeds the needs of the Client. An administrator may configure the Client with list of IP addresses which are allowed to establish reverse connections. The Client may build its own list of trusted IP addresses from the IP addresses used by active SecureChannels which have been authenticated. |
|
Updated text: Clients shall monitor the number of unused sockets used to send a ReverseHello but do not have an active SecureChannel per peer IP address. The Client shall immediately close unused these extra sockets if the count exceeds the needs of the Client . An administrator may configure the Client with list of IP addresses which are allowed to establish reverse connections. The Client may build its own list of trusted IP addresses from the IP addresses used by active SecureChannels which have completed the authentication process. |
|
Agreed to reopen in Web meeting to add addtional text. |
|
Added table describing the handshake agreed to in the meeting. |
|
Agreed to 1.05.03 Draft text, but needs 1.04 Errata to close. |
|
DoS for Reverse connect needs to be updated in Part 2 to match. |
|
What I would like to see clarified in Part 2 is this: "... the Client needs to validate that the connection is from an appropriate Server and not a denial of service attack. If the Server does not respond in a timely manner to the open SecureChannel request the Client should close the channel.". After the changes made to Part 6, technically, I think the client is either allowed to verify just the ApplicationUri in ReverseHello message (which can be easily spoofed), and pause ("save the socket") before it needs the SecureChannel. Or, the client can establish the SecureChannel immediately - only which truly verifies that "the connection is from an appropriate Server". Does Part 2 allow the client both of these approaches, or does it mandate that the SecureChannel must be created? Can it be made clearer? |
|
We need to make sure that reverse connect include tets cases for the following open socket, but no reversehello message sent |
Date Modified | Username | Field | Change |
---|---|---|---|
2023-11-08 04:47 | Paul Hunkar | New Issue | |
2023-11-08 04:47 | Paul Hunkar | Status | new => assigned |
2023-11-08 04:47 | Paul Hunkar | Assigned To | => Paul Hunkar |
2023-11-08 04:47 | Paul Hunkar | Issue generated from: 0009023 | |
2023-11-08 04:47 | Paul Hunkar | Note Added: 0020300 | |
2023-11-08 04:47 | Paul Hunkar | Note Added: 0020301 | |
2023-11-08 04:47 | Paul Hunkar | Note Added: 0020302 | |
2023-11-08 04:47 | Paul Hunkar | Note Added: 0020303 | |
2023-11-08 04:47 | Paul Hunkar | Note Added: 0020304 | |
2023-11-08 04:47 | Paul Hunkar | Note Added: 0020305 | |
2023-11-08 04:47 | Paul Hunkar | Note Added: 0020306 | |
2023-11-08 04:47 | Paul Hunkar | Note Added: 0020307 | |
2023-11-08 04:47 | Paul Hunkar | Note Added: 0020308 | |
2023-11-08 04:47 | Paul Hunkar | Note Added: 0020309 | |
2023-11-08 04:47 | Paul Hunkar | Note Added: 0020310 | |
2023-11-08 04:47 | Paul Hunkar | Note Added: 0020311 | |
2023-11-08 04:47 | Paul Hunkar | Note Added: 0020312 | |
2023-11-08 04:47 | Paul Hunkar | Relationship added | related to 0009023 |
2023-11-08 04:48 | Paul Hunkar | Project | 10000-002: Security => Compliance Test Tool (CTT) Unified Architecture |
2023-11-08 04:48 | Paul Hunkar | Category | Spec => Api Change |
2023-11-08 04:53 | Paul Hunkar | Note Added: 0020313 |