[Standards] Re: [Standards-JIG] XEP0177 - UDP Sessions - Add UDPhandshake

Bruce Campbell b+jabber at bruce-2007.zerlargal.org
Wed Apr 18 15:41:03 CDT 2007


On Tue, 17 Apr 2007, Peter Saint-Andre wrote:

> Justin Karneges wrote:
>> Who cares about the raw UDP transport? :)
> Right. Raw UDP is like the "I'm Feeling Lucky" button.

0177 4.2.1 currently reads:

    The responder MUST immediately attempt to send data to the IP and
    port specified in the initiation request. Because delivery of UDP
    data is not acknowledged, the data SHOULD be sent using the echo
    protocol (RFC 862 [9]) over the IP address and port specified in
    the Raw UDP candidate; if the data is echoed back, the recipient
    would then send a Jingle "content-accept" (or "session-accept")
    action to the initiator.

If I, as the initiator, have specified some.victim.IP.address and port 7 
(echo) instead of my own, what's to stop the responder from accepting that 
the session is usable and starting to send more than the basic 
verification echo to some.victim.IP.address? (Repeat for a lot of JIDs, 
and you've got a basic amplification attack.)

Having the data sent by the responder to the initiator's IP and port 
arrive back via XMPP (<iq><jingle><verify> or some such) would be a more 
reliable method of ensuring that the session is workable.

-- 
   Bruce Campbell.
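The two verification strategies discussed in this thread, modelled on loopback as an added example (not code from the XEP or from any poster): the responder sends a random nonce to the advertised candidate; the echo-style check from 4.2.1 accepts any address that reflects the datagram, while the proposed check only accepts when the initiator hands the nonce back over the signalling channel. The `<verify/>` element name and the nonce format are assumptions.

```python
import os
import socket

def make_udp_socket():
    """Loopback UDP socket standing in for one party's address and port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", 0))
    s.settimeout(1.0)
    return s

def responder_probe(sock, candidate):
    """Responder: send a fresh random nonce to the Raw UDP candidate from the
    initiation request and return it for the signalling layer to check."""
    nonce = os.urandom(16)
    sock.sendto(nonce, candidate)
    return nonce

def echo_verify(sock, nonce):
    """Check as 4.2.1 words it: the candidate is usable if the data comes back.
    Any echo service (RFC 862) at the candidate address satisfies this."""
    try:
        data, _ = sock.recvfrom(64)
    except socket.timeout:
        return False
    return data == nonce

def xmpp_verify(nonce, reported):
    """Proposed check: the initiator must return, over the XMPP signalling
    channel (<iq><jingle><verify/> is assumed), the nonce that arrived on its
    UDP port. A third party whose echo service merely reflects the datagram
    never sends this, so its address is not accepted as a session endpoint."""
    return reported is not None and reported == nonce

def scenario(initiator_honest):
    """Return (echo_result, xmpp_result) for an honest candidate and for a
    candidate that points at someone else's echo port."""
    responder, initiator, victim = make_udp_socket(), make_udp_socket(), make_udp_socket()
    try:
        target = initiator if initiator_honest else victim  # victim: some.victim.IP.address:7
        nonce = responder_probe(responder, target.getsockname())
        data, src = target.recvfrom(64)
        target.sendto(data, src)  # whoever sits at the candidate echoes it (RFC 862)
        # Only the real initiator is part of the Jingle session and can relay the nonce.
        reported = data if initiator_honest else None
        return echo_verify(responder, nonce), xmpp_verify(nonce, reported)
    finally:
        for s in (responder, initiator, victim):
            s.close()

if __name__ == "__main__":
    print("honest:", scenario(True), "third-party echo port:", scenario(False))
```

The echo check returns True in both scenarios, so it cannot tell the initiator's own port from a reflector; the signalling-channel check returns True only for the honest initiator.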
