On Wed Jan 25 04:41:29 2012, Evgeniy Khramtsov wrote:
> On 25.01.2012 09:30, Mike Wacker wrote:
> > I saw this in RFC 6120:
> > "To reduce the possibility of a denial-of-service attack, (a) the
> > receiving entity SHOULD NOT close the stream with a
> > <see-other-host/> stream error until after the confidentiality and
> > integrity of the stream have been protected via TLS or an
> > equivalent security layer (such as the SASL GSSAPI mechanism), and
> > (b) the receiving entity MAY have a policy of following redirects
> > only if it has authenticated the receiving entity. In addition,
> > the initiating entity SHOULD abort the connection attempt after a
> > certain number of successive redirects (e.g., at least 2 but no
> > more than 5)."
> > Does anyone have any clarification to this section and the
> > specific DoS threat if TLS (or authentication) does not happen
> > before <see-other-host>?
> Indeed, what problem could occur with unauthenticated redirections?
I thought only Brits were allowed to do sarcasm?
There's one DoS and a general attack:
1) General attack is to spoof the TCP response and redirect to a
server of your choice. Note that TLS prevents the TCP stream
spoofing; authentication also prevents DNS spoofing. This accounts
for the SHOULD NOT and the MAY.
2) Specific DoS is to set up a loop of servers redirecting to each
other. You'd likely spoof into the loop. This would cause a
continuous connection loop. This accounts for the final SHOULD.
Dave.
--
Dave Cridland - mailto:[email protected] - xmpp:[email protected]
- acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
- http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade
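As an added example of the initiating-entity policy Dave describes (this is not code from the thread, from RFC 6120 or from any XMPP implementation), the Python sketch below parses a <see-other-host/> stream error and decides whether to follow it: a redirect that arrives before TLS is refused, the number of successive redirects is capped at the RFC's suggested maximum, and a redirect back to a host already visited is treated as the redirect loop from point 2. The "servers" are a constructed in-memory table rather than a network; all host names and helper names are assumptions made for the demonstration.

```python
"""Client-side policy for XMPP <see-other-host/> redirects (RFC 6120, 4.9.3.19).

Added example, not code from the thread or from any XMPP implementation.
It models the initiating entity's decision to follow a stream-level
<see-other-host/> redirect:

  * a redirect that arrives before the stream is TLS-protected is not
    followed (an unprotected TCP stream could have been spoofed);
  * successive redirects are capped (the RFC suggests 2 to 5);
  * a redirect back to a host already visited is treated as a loop.

The "servers" are a constructed in-memory table; all host names and
helper names below are assumptions for the demonstration.
"""
import xml.etree.ElementTree as ET

STREAM_NS = "http://etherx.jabber.org/streams"        # <stream:error/>
STREAMS_NS = "urn:ietf:params:xml:ns:xmpp-streams"    # <see-other-host/>
MAX_REDIRECTS = 5  # RFC 6120: "at least 2 but no more than 5"


def parse_see_other_host(stream_error_xml):
    """Return the redirect target text, or None if the stream error is
    not a <see-other-host/> carrying a target."""
    root = ET.fromstring(stream_error_xml)
    if root.tag != "{%s}error" % STREAM_NS:
        return None
    elem = root.find("{%s}see-other-host" % STREAMS_NS)
    if elem is None or not (elem.text or "").strip():
        return None
    return elem.text.strip()


def split_host_port(target, default_port=5222):
    """Split 'host', 'host:port' or '[ipv6]:port' into (host, port)."""
    if target.startswith("["):                  # bracketed IPv6 literal
        host, _, rest = target[1:].partition("]")
        port = rest[1:] if rest.startswith(":") else ""
    else:
        host, _, port = target.partition(":")
    return host, (int(port) if port else default_port)


def connect(start, servers, max_redirects=MAX_REDIRECTS):
    """Simulate the initiating entity connecting to `start`.

    `servers` maps host -> (tls_done, reply): tls_done says whether the
    stream was secured before `reply` arrived; `reply` is None for a
    usable stream or the <stream:error/> XML the server sent.
    Returns (outcome, host_where_it_ended, redirects_followed).
    """
    host, visited, redirects = start, [start], 0
    while True:
        entry = servers.get(host)
        if entry is None:
            return ("aborted: unreachable", host, redirects)
        tls_done, reply = entry
        if reply is None:
            return ("connected", host, redirects)
        target = parse_see_other_host(reply)
        if target is None:
            return ("aborted: stream error", host, redirects)
        if not tls_done:
            # RFC 6120 (a): a redirect on an unprotected stream is exactly
            # what a TCP-level spoofer could inject, so refuse to follow it.
            return ("aborted: redirect before TLS", host, redirects)
        next_host, _port = split_host_port(target)
        redirects += 1
        if redirects > max_redirects:
            return ("aborted: too many redirects", host, redirects)
        if next_host in visited:
            # The loop from point 2: servers redirecting to each other.
            return ("aborted: redirect loop", host, redirects)
        visited.append(next_host)
        host = next_host


def make_redirect(target):
    """Build the <stream:error/> a server sends to redirect (constructed)."""
    return ('<stream:error xmlns:stream="%s">'
            '<see-other-host xmlns="%s">%s</see-other-host>'
            '</stream:error>' % (STREAM_NS, STREAMS_NS, target))


# Constructed deployment: an honest TLS-protected redirect, the redirect
# loop, a redirect injected before TLS, a non-redirect stream error, and a
# chain long enough to trip the redirect cap.
SERVERS = {
    "front.example.net": (True, make_redirect("[2001:db8::1]:5223")),
    "2001:db8::1": (True, None),
    "loop-a.example.net": (True, make_redirect("loop-b.example.net")),
    "loop-b.example.net": (True, make_redirect("loop-a.example.net:5222")),
    "plain.example.net": (False, make_redirect("evil.example.org")),
    "evil.example.org": (True, None),
    "broken.example.net": (True, '<stream:error xmlns:stream="%s">'
                           '<not-well-formed xmlns="%s"/></stream:error>'
                           % (STREAM_NS, STREAMS_NS)),
}
for _i in range(7):
    SERVERS["c%d.example.net" % _i] = (True, make_redirect("c%d.example.net" % (_i + 1)))
SERVERS["c7.example.net"] = (True, None)

if __name__ == "__main__":
    for start in ("front.example.net", "loop-a.example.net",
                  "plain.example.net", "broken.example.net", "c0.example.net"):
        print(start, "->", connect(start, SERVERS))
```

The visited-host check is belt-and-braces: the RFC only asks for the redirect cap, which on its own already bounds the loop to a handful of connections, but tracking visited hosts ends the loop on the second hop instead of the fifth and gives a clearer reason in the log.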