| Re: Issue 180: Inconsistency of Session ID length | <– Date –> <– Thread –> |
From: Pat Calhoun (pacalhou) (pcalhoun cisco.com)
|
|
| Date: Fri, 12 Sep 2008 15:49:52 -0700 (PDT) | |
Here is the new proposed text. There is a change to the message element
definition itself, and a change from 64-bits to 128-bits in section
12.2.
<proposed text>
4.6.36. Session ID
The Session ID message element value contains a randomly generated
unsigned 128-bit integer.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Session ID |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Session ID |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Session ID |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Session ID |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type: 35 for Session ID
Length: 32
Session ID: A 128-bit unsigned integer used as a random session
identifier
12.2. Session ID Security
[...]
It should be noted that when the CAPWAP data channel is unencrypted,
the WTP Session ID is exposed and possibly known to adversaries and
other WTPs. This would allow the forgery of the source of data-
channel traffic. This, however, should not be a surprise for
unencrypted data channels. When the data channel is encrypted, the
Session ID is not exposed, and therefore can safely be used to
associate a data and control channel. The 128-bit length of the
Session ID mitigates online guessing attacks where an adversarial,
authenticated WTP tries to correlate his own data channel with
another WTP's control channel. Note that for encrypted data
channels, the Session ID should only be used for correlation for the
first packet immediately after the initial DTLS handshake. Future
correlation should instead be done via identification of a packet's
DTLS session.
</proposed text>
PatC
-----Original Message-----
From: Pat Calhoun (pacalhou)
Sent: Thursday, September 11, 2008 2:38 PM
To: capwap [at] frascone.com
Cc: Yong Zhang
Subject: [Capwap] Issue 180: Inconsistency of Session ID length
All,
Yong Zhang brought up the following to my attention on draft -12. I have
created issue 180 to track this. I consider this a necessary change
since it will impact interoperability. I wonder if we could make this
change post IESG Review.
>
> 3. Does Session ID just take 4 bytes space?
>
> 4.6.36. Session ID
>
> The Session ID message element value contains a randomly generated
> unsigned 32-bit integer.
>
> 0 1 2 3
> 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> | Session ID |
> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> | Session ID |
> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> | Session ID |
> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> | Session ID |
> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>
>
> Type: 35 for Session ID
>
> Length: 32
>
> Session ID: A 32-bit unsigned integer used as a random session
> identifier
The text should read 32 bytes, not 32 bits. That said, looking at the
draft, section 12.2 claims that the Session ID is really 64 bits. So I
am going to change it to 32 bytes, and change section 12.2 to 128 bits.
PatC
_________________________________________________________________
To unsubscribe or modify your subscription options, please visit:
http://lists.frascone.com/mailman/listinfo/capwap
Archives: http://lists.frascone.com/pipermail/capwap
-
Issue 180: Inconsistency of Session ID length Pat Calhoun (pacalhou), September 11 2008
- Re: Issue 180: Inconsistency of Session ID length Pat Calhoun (pacalhou), September 12 2008
Results generated by Tiger Technologies using MHonArc.