OpenMobileAlliance / OMA_LwM2M_for_Developers

OMA LightweightM2M public resources.
http://openmobilealliance.github.io/OMA_LwM2M_for_Developers/

Missing forbidden error code for Register, Update, De-register, Bootstrap request #181

Closed sbernard31 closed 6 years ago

sbernard31 commented 7 years ago

A LWM2M client sends a request (Register, Update, De-register, Bootstrap) for a given endpoint using a given DTLS identity (or no identity in clear mode).

Server should check if this endpoint and this DTLS identity match. If it doesn't, it should return 4.03 Forbidden.

But in _OMA-TS-LightweightM2M-V10-20161123, §8.5, the 4.03 Forbidden error code is only available for register request.

dnav commented 7 years ago

For Update and De-register, 4.04 Not found can be used as the registration was never accepted. For Bootstrap Request, it may be useful. But I would not be shocked if the Bootstrap Server returns a 4.00 Bad Request. Actually, most of the time, I silently ignore messages with bad authentication or return a generic error code. Returning a 4.03 Forbidden for Update reveals information to a potential attacker.

Regards,

sbernard31 commented 7 years ago

About Update and De-register, you could try to update or de-register an existing registration with valid DTLS credentials which don't match this registration (in this case Not found is not applicable).

If returning Forbidden is a bad practice, then this should not be used on register too. Either we use it for these four requests or we don't use it at all.

boaks commented 7 years ago

In case of requests from a client using "coap:" but the client is configured to use DTLS, also "4.01 Unauthorized" may be a choice.

See

https://en.wikipedia.org/wiki/HTTP_403

Generally, the TS could make the specific "security error codes" optional and always allow returning 4.00. Then the LWM2M server operator (or implementor) could decide on their own whether a special or a general error code is used in case of security violations.

dnav commented 7 years ago

This point is addressed in the LwM2M TS:

7.1.5 Endpoint Client Name

The LwM2M specification defines the use of the endpoint client name in the Bootstrap-Request and in the Register messages. Since the endpoint client name is not authenticated at the application layer the LwM2M Server MUST compare the received endpoint client name identifier with the identifier used at the DTLS handshake. This comparison may either be an equality match or may involve a dedicated lookup table to ensure that LwM2M Clients cannot intentionally or due to misconfiguration impersonate other LwM2M Clients. The LwM2M Server MUST respond with a “4.00 Bad Request” to the LwM2M Client if these fields do not match.
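The 7.1.5 identity check and the response-code choices debated in this thread, as an added Python example that is not part of the issue or of any OMA/LwM2M implementation; the server class, its endpoint-to-identity lookup table and the specific_codes switch (generic 4.00 per the TS versus the specific 4.03 proposed above) are assumptions for illustration.

```python
from typing import Dict, Optional, Tuple

# CoAP response codes used in the thread.
CREATED, DELETED, CHANGED = "2.01", "2.02", "2.04"
BAD_REQUEST, UNAUTHORIZED, FORBIDDEN, NOT_FOUND = "4.00", "4.01", "4.03", "4.04"

class Lwm2mServer:
    """Hypothetical registration interface with the TS 7.1.5 identity check."""
    def __init__(self, lookup: Dict[str, str], specific_codes: bool = False):
        # lookup: endpoint client name -> DTLS identity allowed to use it (TS 7.1.5 "lookup table").
        self.lookup = lookup
        # False: generic 4.00 on every mismatch (TS mandate); True: the specific 4.03 from the issue.
        self.specific_codes = specific_codes
        # registration id -> DTLS identity the registration was accepted under
        self.registrations: Dict[str, str] = {}
        self._next_id = 0

    def _mismatch(self) -> str:
        return FORBIDDEN if self.specific_codes else BAD_REQUEST

    def register(self, endpoint: str, identity: Optional[str]) -> Tuple[str, Optional[str]]:
        if identity is None:
            # Request arrived over plain "coap:" although DTLS is required.
            return UNAUTHORIZED, None
        if self.lookup.get(endpoint) != identity:
            # Endpoint name is not authenticated; it must match the handshake identity.
            return self._mismatch(), None
        self._next_id += 1
        reg_id = f"rd{self._next_id}"
        self.registrations[reg_id] = identity
        return CREATED, reg_id

    def _check_existing(self, reg_id: str, identity: Optional[str]) -> Optional[str]:
        bound = self.registrations.get(reg_id)
        if bound is None:
            return NOT_FOUND  # registration never accepted or already removed
        if bound != identity:
            # Valid credentials, but for another registration: 4.04 does not fit here.
            return self._mismatch()
        return None

    def update(self, reg_id: str, identity: Optional[str]) -> str:
        return self._check_existing(reg_id, identity) or CHANGED

    def deregister(self, reg_id: str, identity: Optional[str]) -> str:
        err = self._check_existing(reg_id, identity)
        if err:
            return err
        del self.registrations[reg_id]
        return DELETED
```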