[AFS3-std] Rx clear identity assertion draft

Derrick Brashear shadow@gmail.com
Tue, 12 Jan 2010 12:43:30 -0500


On Tue, Jan 12, 2010 at 11:56 AM, Tom Keiser <tkeiser@sinenomine.net> wrote:
> This is a second call for review of a new Rx security class that
> encapsulates cleartext peer identity assertions in the security
> header. As discussed in Edinburgh, the idea is to reduce the
> probability of race conditions between client and server by asserting
> peer identities (e.g. via transmission of host UUIDs for AFS-3) that
> are independent of the peer's transport address set.
>
> The second major component of this document is changes to multi-homed
> Rx connection semantics. The core problem was that an Rx client would
> drop the IPv4 address which was bound as the peer on the server, and
> then the connection would entirely break (because server responses
> were no longer going to the intended peer), thus stalling the client
> until timeout. This memo proposes a method which allows peers to
> seamlessly transition between address sets. Admittedly, this does
> open cleartext Rx connections up to duplex connection hijacking
> attacks, whereas legacy Rx merely was open to simplex attacks.

Generally, it looks good.
As before, I'm uncertain it's reasonable to cite the kolya Rx spec as
normative given how it's referred to.

The attacks possible on multihome give me pause, but given the security
you get with clear, it's almost certainly not worth worrying about.

-- 
Derrick