On Jan 28, 2024, at 3:21 PM, Jeffrey Haas <jh...@pfrc.org> wrote:
> There's at least two possible ways to address this:
> 1. We simply don't worry about periodic re-auth for no-auth or NULL-auth.
> We thus don't protect against this attack. If you care about this attack,
> use Meticulous Keyed ISAAC and the attack goes away.
> 2. We test periodic strong authentication by using a Poll sequence. If we
> don't receive a Fin within the Detect Interval with strong auth, compromise
> should be expected.

I think that the recommendation should be "if not using strong authentication or ISAAC, then periodically use poll mode".

> [1] Yes... the only attack we have in this mode is "keep the session Up when
> it might otherwise not be". I expect the usual hilarity when we get to
> security area review.

Not all attacks have negative effects. I'm reminded of a "buffer overflow" report from many years ago for some of my software. The overflow wasn't a network-based overflow, which would have been worrying. Instead, the report was "it is possible to create configuration file data which results in overflow, which can make the software do things".

I think it took about 4 rounds before I managed to get it through that if an attacker can write to the configuration files, he can just *configure* the software to do something. He doesn't need to "exploit" it with an overflow.

I hope that the secdir review can avoid commenting on useless and irrelevant attacks.

Alan DeKok.