[Standards] Re: [Standards-JIG] XEP0177 - UDP Sessions - Add UDPhandshake
b+jabber at bruce-2007.zerlargal.org
Wed Apr 18 20:41:03 UTC 2007
On Tue, 17 Apr 2007, Peter Saint-Andre wrote:
> Justin Karneges wrote:
>> Who cares about the raw UDP transport? :)
> Right. Raw UDP is like the "I'm Feeling Lucky" button.
0177 4.2.1 currently reads:
The responder MUST immediately attempt to send data to the IP and
port specified in the initiation request. Because delivery of UDP
data is not acknowledged, the data SHOULD be sent using the echo
protocol (RFC 862 ) over the IP address and port specified in
the Raw UDP candidate; if the data is echoed back, the recipient
would then send a Jingle "content-accept" (or "session-accept")
action to the initiator.
If I, as the initiator, have specified some.victim.IP.address and port 7
(echo) instead of my own, whats to stop the responder from accepting that
the session is usable and starting to send more than the basic
verification echo to some.victim.IP.address ? ( repeat for a lot of JIDs,
and you've got a basic amplification attack ).
Having the data sent by the responder to the initiator's IP and port
arrive back via XMPP (<iq><jingle><verify> or somesuch) would be a more
reliable method of ensuring that the session is workable.
More information about the Standards