Re: [PATCH] The current behaviour of hostapd_das_find_sta() is undesirable as it can result in over broad, potentially insecure matching.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Sun, Mar 06, 2016 at 04:16:06PM +0000, Nick Lowe wrote:
> The current behaviour of hostapd_das_find_sta() is undesirable
> as it can result in over broad, potentially insecure matching.

Could you please describe in detail why this is undesirable and what
exactly would be "potential insecure"?

> It is best is to define an order of precedence for session identifying
> attributes, based on their specificity, and to match only by the most
> specific attribute that is present in a CoA-Request or
> Disconnect-Request packet.

What is this based on? RFC 5176 is pretty clear on mandating _all_ the
specified attributes matching. This patch would not be compliant with
that.

RFC 5176, Chapter 3. Attributes:

   In Disconnect-Request and CoA-Request packets, certain attributes are
   used to uniquely identify the NAS as well as user session(s) on the
   NAS.  The combination of NAS and session identification attributes
   included in a CoA-Request or Disconnect-Request packet MUST match at
   least one session in order for a Request to be successful; otherwise
   a Disconnect-NAK or CoA-NAK MUST be sent.  If all NAS identification
   attributes match, and more than one session matches all of the
   session identification attributes, then a CoA-Request or Disconnect-
   Request MUST apply to all matching sessions.

> This order of precedence should be:
> 
> Acct-Session-Id (Session)
> Acct-Multi-Session-Id (Session)
> Calling-Station-Id (Station)
> Chargeable-User-Identity (User)
> User-Name (User)

It is up to the DAC to decide which filtering rules (and these are ANDed
together) to use. If it knows Acct-Session-Id and Acct-Multi-Session-Id
are supported, those should really be used.

> Of particular concern is that the EAP outer identity, typically used
> to populate the User-Name can often be anonymised in a way that spoofs
> another active user.

Sure, I would not a DAC to use User-Name with EAP authentication. Still,
I see no reason to change DAS implementation for this, i.e., this is
something to guide on the DAC side..

> Where we are given a specific CoA-Request or Disconnect-Request
> packet, we should handle it as being such.

As far as I can tell, the current implementation complies with the RFC
5176 requirements. You would need to provide quite a bit more
justification to change that to something non-compliant.

-- 
Jouni Malinen                                            PGP id EFC895FA

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap



[Index of Archives]     [Linux Wireless]     [Linux Kernel]     [ATH6KL]     [Linux Bluetooth]     [Linux Netdev]     [Kernel Newbies]     [IDE]     [Security]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux ATA RAID]     [Samba]     [Device Mapper]

  Powered by Linux