Ashok,

As far as I remember during the discussion in the past, the minimum state does 
not have to be maintained on a per-session basis.  For example, a PAA implementation 
can use a random seed that is valid during a short period of time and is shared 
among multiple PaCs sending PCIs during that period.  From the random seed, 
initial sequence number and session id can be calculated by hashing the seed 
with PaC-specific information obtained from IP header such as PaC’s IP address, 
etc.  This way, maintaining per-session state can be avoided during stateless 
handshake without use of a Cookie AVP.

Regards,
Yoshihiro Ohba


From: Pana [mailto:pana-boun...@ietf.org] On Behalf Of Raja ashok
Sent: Saturday, August 20, 2016 8:12 PM
To: basavaraj.pa...@nokia.com; alper.ye...@yegin.org; jari.ar...@piuha.net; 
Pana@ietf.org
Subject: [Pana] Doubt regarding Stateless response to PCI msg

Hi All,

I have a small doubt about the PANA handshake in RFC 5191. Can you please 
clarify?

The PAA can respond to a PCI msg in a stateless manner by sending a Cookie (as 
a new AVP) in the 1st PAR msg (similar to DTLS). This Cookie AVP was there in the 
initial draft of RFC 5191, but it is not there in the final RFC.  When I searched 
the mailing list I got the below reason for removing the Cookie AVP. But the 
suggested mechanism still requires a state to be maintained with minimal 
information (Cookie, Initial seq, session ID). But this is still vulnerable to a 
DoS attack by flooding PCI msg.

So my doubt is: is there any security loophole if a vendor-specific Cookie AVP 
is used instead of minimal state maintenance? Please clarify my doubt.

$ Info from Old mail chain:
$  #2 Stateless handshake
$     * Simplification of the stateless handshake - Removal of L-bit ?
$        - Need to keep a minimum state to be maintained (cookie, initial seq)
$        - Adding PSR retransmission to this state is not a big issue
$     * Solution:
$        - Remove distinction between stateless and stateful
$        - Remove cookie avp
$        - Remove L-flag
$        - PSR re-transmission may be turned off if PAA wants to be stateless

Regards,
Ashok
________________________________
Raja Ashok V K
华为技术有限公司 Huawei Technologies Co., Ltd.
Huawei Technologies Co., Ltd.
Bangalore, India.
http://www.huawei.com
_______________________________________________
Pana mailing list
Pana@ietf.org
https://www.ietf.org/mailman/listinfo/pana
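
The seed-based derivation described in the reply at the top of this thread, as an added example that is not part of the original messages or of any PANA implementation. Assumptions: a 30-second seed lifetime, HMAC-SHA-256 as the hash, the PaC's UDP source port used alongside its IP address, and hypothetical class and method names; the 32-bit widths match the Session Identifier and Sequence Number fields of the PANA header.

```python
import hashlib
import hmac
import ipaddress
import os
import struct

SEED_LIFETIME = 30  # seconds a seed stays current (assumed value)


class StatelessPAA:
    """Keeps two random seeds in total, never one record per PCI."""

    def __init__(self, now):
        self._seeds = {int(now) // SEED_LIFETIME: os.urandom(32)}

    def _rotate(self, now):
        # Create the seed for the current period on demand and drop every
        # seed older than the previous period, so state stays constant-size.
        epoch = int(now) // SEED_LIFETIME
        self._seeds.setdefault(epoch, os.urandom(32))
        self._seeds = {e: s for e, s in self._seeds.items() if e >= epoch - 1}
        return epoch

    def _derive(self, seed, pac_ip, pac_port):
        # Hash the shared seed with PaC-specific data from the IP/UDP headers.
        pac = ipaddress.ip_address(pac_ip).packed + struct.pack("!H", pac_port)
        digest = hmac.new(seed, pac, hashlib.sha256).digest()
        return struct.unpack("!II", digest[:8])  # (session_id, initial_seq)

    def on_pci(self, pac_ip, pac_port, now):
        """Values to place in the first PAR; nothing is stored for this PaC."""
        epoch = self._rotate(now)
        return self._derive(self._seeds[epoch], pac_ip, pac_port)

    def verify_first_pan(self, pac_ip, pac_port, session_id, seq, now):
        """Recompute from the current and previous seed and compare."""
        self._rotate(now)
        got = struct.pack("!II", session_id, seq)
        for seed in self._seeds.values():
            want = struct.pack("!II", *self._derive(seed, pac_ip, pac_port))
            if hmac.compare_digest(got, want):
                return True  # only now allocate per-session state
        return False


if __name__ == "__main__":
    paa = StatelessPAA(now=1000)
    sid, seq = paa.on_pci("192.0.2.10", 49152, now=1000)  # constructed PaC
    print(hex(sid), hex(seq), paa.verify_first_pan("192.0.2.10", 49152, sid, seq, 1005))
```

A flood of PCIs costs the PAA one HMAC each and no memory; session state is created only after an answer arrives carrying values that re-derive correctly for its source address.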
