Open sbernard31 opened 10 months ago
It seems that recommended way is a sequence number.
And previously, it was a random.
Do you think that SequenceGenerator should be added and/or maybe use as default ?
If you like to add one, OK. I don't think, it makes sense to use it as default. Anyway, it's easy to define it as application specific default, if someone wants that.
By the way, assuming that such an attack would make only sense say within 24h. How many, say 4 bytes token are emitted usually in 24h per device? What will be the probability, that one of 4 byte tokens are reused within 24h? And just to say, if the DTLS sequence number receive window is enabled, what will be left of that attack?
The API is able to work with a custom implementation of TokenGenerator. If someone is interested, please go for it. In the case someone wants to contribute it, that will be welcome.
I understand that current default TokenGenerator is random based.
Looking at 4.2. Updated Token Processing Requirements for Clients , It seems that recommended way is a sequence number.
Do you think that SequenceGenerator should be added and/or maybe use as default ?