> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf
> Of Chris Lonvick (clonvick)
> Sent: Friday, June 18, 2010 8:45 PM
> To: [email protected]
> Subject: [Syslog] Issue 15 - DoS measures
>
> SECDIR reviewer said:
>
> Section 5.3 says "Implementations MUST support the denial of service
> countermeasures defined by DTLS." That's good but it's not clear
> whether this means that these countermeasures MUST always be enabled.
> Since that is not explicitly stated, it seems that a server could
> have those countermeasures enabled by default and a client could
> have them disabled by default. That would result in a client and
> server that would not interoperate until the administrator tracked
> down the problem and changed their configuration. I suggest that
> the document be changed to require not only that implementations
> support these countermeasures but that they be enabled by default.

[Joe] The countermeasures are always supported; it's up to the server whether to invoke them or not, and the client will always follow the protocol. I don't think there is an interoperability problem here. This is probably a case where we discuss too much DTLS detail in the draft. I would suggest changing:

OLD: When these countermeasures are enabled, the transport receiver responds with a DTLS Hello Verify Request containing a cookie.

NEW: When these countermeasures are used, the transport receiver responds with a DTLS Hello Verify Request containing a cookie.

Joe

> My response was:
> "Good catch."
>
> ACTION: Comments?
>
> Thanks,
> Chris
> _______________________________________________
> Syslog mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/syslog
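The exchange under discussion, as an added example that is not part of the original thread and not code from any syslog or DTLS implementation: a stateless cookie countermeasure in the spirit of the DTLS HelloVerifyRequest (RFC 4347 section 4.2.1, simplified). The `Receiver` decides on its own whether to invoke the countermeasure; the `Sender` is the same in both cases and simply echoes any cookie it is handed, which is why the two modes interoperate. Message shapes, the `use_cookie` switch, and the addresses are constructed for illustration.

```python
import hmac
import hashlib
import os
from dataclasses import dataclass


@dataclass
class Message:
    """Minimal stand-in for a DTLS handshake record (constructed, not real DTLS)."""
    kind: str                 # "ClientHello", "HelloVerifyRequest", "ServerHello"
    random: bytes = b""       # ClientHello.random (32 bytes in real DTLS)
    cookie: bytes = b""       # cookie echoed by the client, empty on the first flight


class Receiver:
    """Transport receiver (server side). use_cookie decides whether the
    HelloVerifyRequest countermeasure is invoked; the sender never needs to know."""

    def __init__(self, use_cookie: bool):
        self.use_cookie = use_cookie
        self.secret = os.urandom(32)   # rotate periodically in a real deployment
        self.sessions = {}             # state is allocated only after verification

    def _cookie(self, addr: str, random: bytes) -> bytes:
        # Stateless cookie: HMAC over the peer address and ClientHello parameters,
        # so the receiver stores nothing until the peer proves it can receive.
        return hmac.new(self.secret, addr.encode() + random, hashlib.sha256).digest()

    def handle(self, addr: str, msg: Message):
        if msg.kind != "ClientHello":
            return None
        if self.use_cookie:
            if not msg.cookie:
                # Countermeasure invoked: no state allocated, just send the cookie back.
                return Message("HelloVerifyRequest", cookie=self._cookie(addr, msg.random))
            if not hmac.compare_digest(msg.cookie, self._cookie(addr, msg.random)):
                return None  # bad or replayed cookie: silently drop, still no state
        # Address shown reachable (or countermeasure not in use): commit state.
        self.sessions[addr] = {"random": msg.random}
        return Message("ServerHello")


class Sender:
    """Transport sender (client side). Always follows the protocol: if a
    HelloVerifyRequest arrives, it resends ClientHello with the cookie."""

    def __init__(self, addr: str):
        self.addr = addr
        self.random = os.urandom(32)

    def handshake(self, receiver: Receiver):
        """Returns (final message kind, number of ClientHello flights sent)."""
        flights = 0
        cookie = b""
        while True:
            flights += 1
            reply = receiver.handle(self.addr, Message("ClientHello", self.random, cookie))
            if reply is None:
                return None, flights
            if reply.kind == "HelloVerifyRequest":
                cookie = reply.cookie
                continue
            return reply.kind, flights


def run_both_modes():
    """Same sender code against a receiver with and without the countermeasure.
    Maps use_cookie -> (final kind, flights, sessions allocated)."""
    results = {}
    for mode in (True, False):
        rx = Receiver(use_cookie=mode)
        kind, flights = Sender("198.51.100.7:5004").handshake(rx)
        results[mode] = (kind, flights, len(rx.sessions))
    return results


def replay_from_other_address():
    """A cookie issued to one source address is useless from another, and the
    unverified ClientHello leaves no session state behind."""
    rx = Receiver(use_cookie=True)
    victim = Sender("198.51.100.7:5004")
    hvr = rx.handle(victim.addr, Message("ClientHello", victim.random))
    reply = rx.handle("203.0.113.9:5004", Message("ClientHello", victim.random, hvr.cookie))
    return reply, len(rx.sessions)
```

With the countermeasure in use the sender needs two flights and gets a session; without it, one flight and the same outcome. The replay case shows the DoS property the draft is pointing at: an unverified ClientHello costs the receiver one HMAC and no memory, and a cookie bound to another address is dropped.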
