t2trg / t2trg-amplification-attacks


An address can be validated with a security protocol like DTLS, TLS, OSCORE #6

Open emanjon opened 1 year ago

emanjon commented 1 year ago

John Preuß Mattsson commented on Feb 8, 2022 EricssonResearch/coap-actuators#15

I think this is only true for TLS and DTLS without connection ID.

I will update the text and likely make a figure.

emanjon commented 1 year ago

Achim Kraus @boaks commented on Feb 9, 2022 EricssonResearch/coap-actuators#15

Let me add that the "address validation" has different aspects.

Using (upcoming) RFC 9146, the source identity of the peer (given by the CID) is verified by the MAC. What is not verified (any longer) is the source IP address. So the uncertainty here is not about the received data, it's about the source IP address to send data back to. If some data is sent back (encrypted), it doesn't introduce a new leaking risk. What is added as a risk is the possibility of being misused for an amplification attack. In contrast to the more common proactive DDoS threats (the attacker is able to initiate sending records with manipulated source addresses), this one is a passive one (the attacker needs to wait for a valid record and then manipulates the source address). Whether such a passive attack is really reasonable for DDoS may be discussed. That depends also on the usage of DTLS CID by the next layer. E.g. with CoAP / NSTART-1, I'm not sure if enough records are sent out to be manipulated and if the responses are large enough to offer amplification. And sometimes implementing protection such as RRC or draft-ietf-core-echo-request-tag seems to take less effort than such a discussion.
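Achim's point above (the MAC proves which CID a record belongs to, but not which address it came from) and the RRC / Echo style mitigation he mentions, as an added example that is not part of this issue thread or of the t2trg draft: a simplified Python model of a CID server that answers a record from an unvalidated source address with a short fixed-size challenge instead of the full response, so a replayed record with a forged source cannot be turned into amplification. The record layout, MAC construction and challenge exchange are constructed stand-ins, not the RFC 9146 or RRC wire formats.

```python
import hashlib, hmac, os
from dataclasses import dataclass

@dataclass
class Record:  # constructed stand-in for a DTLS record with a CID, not the RFC 9146 layout
    cid: bytes
    src: str     # datagram source address; not covered by the MAC, so it can be forged
    mac: bytes
    body: bytes

def make_record(key, cid, src, body):
    return Record(cid, src, hmac.new(key, cid + body, hashlib.sha256).digest(), body)

class CidServer:
    """Keys connections by CID; full responses go only to a validated source address."""
    CHALLENGE_LEN = 8  # small fixed-size challenge: the reply can never exceed the request

    def __init__(self, keys):
        self.keys = keys      # cid -> MAC key
        self.validated = {}   # cid -> source address that completed the challenge
        self.pending = {}     # (cid, src) -> outstanding challenge nonce
        self.sent = []        # (dst, payload) log, used to measure amplification

    def _mac_ok(self, rec):
        key = self.keys.get(rec.cid)
        if key is None:
            return False
        expected = hmac.new(key, rec.cid + rec.body, hashlib.sha256).digest()
        return hmac.compare_digest(expected, rec.mac)

    def handle(self, rec, response):
        """Process one record; return the bytes sent to rec.src (None if dropped)."""
        if not self._mac_ok(rec):
            return None  # bad MAC: drop silently, nothing is reflected
        if self.validated.get(rec.cid) == rec.src:
            self.sent.append((rec.src, response))
            return response
        # Address not yet validated for this CID (new client, NAT rebinding, or a valid
        # record replayed with a forged source): answer with a short challenge only.
        nonce = os.urandom(self.CHALLENGE_LEN)
        self.pending[(rec.cid, rec.src)] = nonce
        self.sent.append((rec.src, nonce))
        return nonce

    def handle_challenge_reply(self, cid, src, nonce):
        """Only a peer that actually receives at src can echo the nonce back."""
        if self.pending.pop((cid, src), None) == nonce:
            self.validated[cid] = src
            return True
        return False
```

The bytes logged in `sent` per destination let you check that an unvalidated address never receives more than it sent, which is the property that removes the amplification factor.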