[AFS3-std] Re: afs3-rxgk-updates for 03

Benjamin Kaduk kaduk@MIT.EDU
Fri, 2 Nov 2012 18:15:40 -0400 (EDT)


On Thu, 1 Nov 2012, Simon Wilkinson wrote:

>
> On 1 Nov 2012, at 04:08, Benjamin Kaduk wrote:
>
>> On Mon, 29 Oct 2012, Andrew Deason wrote:
>>>
>>> On Thu, 25 Oct 2012 09:58:03 -0400 (EDT)
>>> Benjamin Kaduk <kaduk@MIT.EDU> wrote:
>>>
>>>> commit 8e0451de7dbdc3abb335bffc79e30d7c51d6c78b
>>>> Author: Ben Kaduk <kaduk@mit.edu>
>>>> Date:   Wed Oct 24 17:17:42 2012 -0400
>>>>
>>>>    The value zero is special for (byte)lifetime
>>>
>>
>> That makes sense.  I am not particularly inclined to keep rewording 
>> this part of the document, though, so you'll forgive me if I don't try 
>> to put this view in the document.
>
> I think I'm happy with Ben's reworked wording, too.

It's really Tom Keiser's wording (or nearly so), but glad to see 
agreement.

>
>>>> commit 74bc8de3886728c5ace1a28a4c0eacf0c2d68275
>>>> Author: Ben Kaduk <kaduk@mit.edu>
>>>> Date:   Wed Oct 24 22:22:10 2012 -0400
>>>>
>>>>    Use RXGK_Levels more appropriately
>>> [...]
>>>> @@ -403,7 +403,9 @@ enum RXGK_Level {
>>>>       </t>
>>>>       <t>To reduce the potential for denial of service attacks, servers
>>>>         SHOULD only offer the CombineTokens operation to clients connecting
>>>> -        over an rxgk secured connection.</t>
>>>> +        over an rxgk secured connection. The RXGK_Level of the rxgk
>>>> +        connection does not affect the resiliance against denial of
>>>> +        service attacks.</t>
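
Review bot: The sentence added after "over an rxgk secured connection." asserts that the RXGK_Level has no effect on denial-of-service resilience without giving a reason, and "resiliance" is a misspelling of "resilience". Either justify the claim for every value of enum RXGK_Level, or replace it with a statement of the minimum level at which CombineTokens should be offered.
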
>
> Actually, this change is incorrect. The RXGK_Level does affect our resilience against denial of service attacks. If the connection level is "clear", then an attacker can make the server perform an arbitrary number of CombineTokens operations by hijacking an existing connection.
>
> I'd proposed adding something like
> "over an rxgk secured connection, with an RXGK_Level of auth or better."

Good point.  I've got in my local copy:
          SHOULD only offer the CombineTokens operation to clients connecting
-        over an rxgk secured connection.</t>
+        over an rxgk secured connection, with an RXGK_Level of RXGK_LEVEL_AUTH
+        or higher.</t>
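
Review bot: "RXGK_LEVEL_AUTH or higher" in the added lines depends on an ordering of the enum RXGK_Level values that the sentence itself does not state, so a reader cannot tell from this text alone which levels qualify. Suggest listing the acceptable levels by name, or saying explicitly that "higher" refers to the enum's numeric order.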

I'm wavering on higher vs. better (or something else).

-Ben