chrysn
commented
7 years ago Yes, against clients with fake source addresses. (That is not explicitly spelled out in 7252 section 11.3, but the general attack is described there).
.well-known/core is one application, another are resource directories. Another might be any security setup -- EDHOC messages 2 don't seem much larger than messages 2 from a glance over their contents; could an amplification attack be attempted against ACE servers?
I've added a short summary of the attack in f07a67b8f8, and reduced the "For this application, the Repeat option is used" to "can be used without integrity protection" (because a party that has a security context can be an attacker just as well).
Please close if clarified sufficiently.
gselander
If I understand right, the protection here is against clients which make requests claiming to come from other clients. Maybe we should motivate why it is allowed to make these requests without security in the first place. Is the main application /.well-known/core?