> -----Original Message-----
> From: syslog-bounces@... [mailto:syslog-bounces@...] On Behalf
> Of Chris Lonvick (clonvick)
> Sent: Friday, June 18, 2010 8:45 PM
> To: syslog@...
> Subject: [Syslog] Issue 15 - DoS measures
>
> SECDIR reviewer said:
>
> Section 5.3 says "Implementations MUST support the denial of service
> countermeasures defined by DTLS." That's good but it's not clear
> whether this means that these countermeasures MUST always be enabled.
> Since that is not explicitly stated, it seems that a server could
> have those countermeasures enabled by default and a client could
> have them disabled by default. That would result in a client and
> server that would not interoperate until the administrator tracked
> down the problem and changed their configuration. I suggest that
> the document be changed to require not only that implementations
> support these countermeasures but that they be enabled by default.
>
[Joe] The countermeasures are always supported; it's up to the server
whether to invoke them or not, and the client will always follow the
protocol. I don't think there is an interoperability problem here.
This is probably a case where we discuss too much DTLS details in the
draft. I would suggest changing:
OLD:
When these
countermeasures are enabled, the transport receiver responds with a
DTLS Hello Verify Request containing a cookie.
NEW:
When these
countermeasures are used, the transport receiver responds with a
DTLS Hello Verify Request containing a cookie.
Joe
_______________________________________________
Syslog mailing list
Syslog@...
https://www.ietf.org/mailman/listinfo/syslog
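The exchange the thread refers to is the stateless cookie mechanism of RFC 6347 section 4.2.1: a transport receiver that has the countermeasure turned on answers a cookie-less ClientHello with a HelloVerifyRequest and keeps no state; the sender retransmits the same ClientHello with the cookie, and only a verified cookie makes the receiver allocate handshake memory. The simulation below is an added example written for this page, not code from the draft, the IETF list or any DTLS implementation. It assumes HMAC-SHA256 over the client address and ClientHello parameters as the cookie construction, that the client address is taken from the UDP datagram, and it uses constructed RFC 5737 documentation addresses for the client, the attacker and the spoofed victim. It also shows Joe's interoperability point: the same client code completes the handshake whether the server uses the cookie exchange or not.

```python
"""Stateless DTLS cookie exchange (RFC 6347 section 4.2.1), simulated in Python."""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass


@dataclass
class ClientHello:
    client_ip: str              # source address taken from the UDP datagram (assumption)
    random: bytes
    cipher_suites: tuple
    cookie: bytes = b""         # empty on the first flight


@dataclass
class HelloVerifyRequest:
    cookie: bytes


@dataclass
class ServerHello:
    server_random: bytes


class DtlsServer:
    """Transport receiver. Allocates handshake state only after a cookie verifies."""

    def __init__(self, use_cookie_exchange: bool = True):
        # Secret from which cookies are derived; a real server rotates it periodically.
        self.secret = secrets.token_bytes(32)
        self.use_cookie_exchange = use_cookie_exchange
        self.sessions = {}          # client_ip -> handshake state (per-client memory)

    def cookie_for(self, hello: ClientHello) -> bytes:
        # RFC 6347: Cookie = HMAC(Secret, Client-IP, Client-Parameters).
        # Nothing is stored: the cookie is recomputed from the retransmitted hello.
        params = hello.random + b"|".join(s.encode() for s in hello.cipher_suites)
        return hmac.new(self.secret, hello.client_ip.encode() + b"|" + params,
                        hashlib.sha256).digest()

    def handle_client_hello(self, hello: ClientHello):
        if self.use_cookie_exchange:
            if not hello.cookie:
                # Reply statelessly; a spoofed source never sees this and cannot proceed.
                return HelloVerifyRequest(self.cookie_for(hello))
            if not hmac.compare_digest(hello.cookie, self.cookie_for(hello)):
                return None          # wrong or replayed cookie: drop silently
        # Only now does the server commit memory to this peer.
        self.sessions[hello.client_ip] = {"client_random": hello.random}
        return ServerHello(server_random=os.urandom(32))


def client_handshake(server: DtlsServer, client_ip: str):
    """Transport sender. Follows the protocol whether or not the server sends a cookie."""
    hello = ClientHello(client_ip=client_ip, random=os.urandom(32),
                        cipher_suites=("TLS_RSA_WITH_AES_128_CBC_SHA",))
    reply = server.handle_client_hello(hello)
    if isinstance(reply, HelloVerifyRequest):
        # RFC 6347: retransmit the same ClientHello with the cookie filled in.
        hello.cookie = reply.cookie
        reply = server.handle_client_hello(hello)
    return reply


def spoofed_flood(server: DtlsServer, victim_ip: str, count: int) -> int:
    """Attacker sends ClientHellos with a spoofed source. Returns sessions allocated."""
    for _ in range(count):
        server.handle_client_hello(ClientHello(victim_ip, os.urandom(32),
                                               ("TLS_RSA_WITH_AES_128_CBC_SHA",)))
    return len(server.sessions)


def replayed_cookie_attack(server: DtlsServer, attacker_ip: str, victim_ip: str):
    """Attacker gets a valid cookie at its own address and reuses it with a spoofed source."""
    probe = ClientHello(attacker_ip, os.urandom(32), ("TLS_RSA_WITH_AES_128_CBC_SHA",))
    hvr = server.handle_client_hello(probe)
    forged = ClientHello(victim_ip, probe.random, probe.cipher_suites, cookie=hvr.cookie)
    return server.handle_client_hello(forged)


if __name__ == "__main__":
    srv = DtlsServer()
    print(type(client_handshake(srv, "192.0.2.10")).__name__)            # ServerHello
    print(spoofed_flood(srv, "203.0.113.7", 1000))                        # 1 (only the real client)
    print(replayed_cookie_attack(srv, "198.51.100.4", "203.0.113.7"))     # None
    print(type(client_handshake(DtlsServer(False), "192.0.2.10")).__name__)  # ServerHello
```

The server with the countermeasure disabled answers the first ClientHello with a ServerHello directly, and the client accepts that too, which is why a client that simply follows the protocol interoperates with either configuration. The cost of the countermeasure is one extra round trip for legitimate clients; the benefit is that a thousand spoofed ClientHellos leave the session table untouched, and a cookie minted for one address cannot be replayed from another because the address is part of the MAC input.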