[Nfd-dev] Signed Interest processing: alternate to stop-and-wait
Mark Stapp
mjs at cisco.com
Mon Feb 23 09:50:59 PST 2015
I'm sorry - I'm not following how this can be a realistic problem. if
you have an application that serializes its commands, then ... each
command _must_ have some serial number associated with it, yes? that
sort of _must_ be monotonic, so that a receiver can determine whether a
gap has appeared. a timestamp is not a substitute for a monotonic
counter, because the receiver cannot detect a gap immediately. if an
incoming message introduces a gap, the application (or a parameter to
the security library) needs to determine whether that message can be
processed immediately, as if it were idempotent. otherwise, there will
out-of-order processing if any messages are reordered. if "green" is
message #3 and it arrives before the receiver has seen "red" (#2), then
the receiver can't just apply #3, that would be just ... wrong.
-- Mark
On 2/21/15 12:11 AM, Junxiao Shi wrote:
> Hi Lan
>
> The replay attack scenario requires the attacker to have the ability to
> block the transmission of an earlier command.
>
> 1. An legit client sends command "1. set light to red".
> 2. Attacker in the middle intercepts this command, and prevents it from
> being delivered to the light.
> 3. The legit client sends command "2. set light to green".
> 4. Attacker forwards this command to the light.
> 5. Attacker sends the command intercepted in step 2 to the light.
>
>
> Yours, Junxiao
>
> On Tue, Feb 17, 2015 at 1:07 PM, Lan Wang (lanwang) <lanwang at memphis.edu
> <mailto:lanwang at memphis.edu>> wrote:
>
>> A sliding window based validation procedure could be: a signed
>> Interest is accepted if its timestamp is greater than
>> (latestTimestamp - windowSize), and it hasn't been accepted
>> previously.
> If you always check "it hasn't been accepted previously.", how can
> an attacker replay it (below)?
>> The risk is: an attacker can intercept (and block the transmission
>> of) an earlier command, and replay it later.
>
>
>
>
> _______________________________________________
> Nfd-dev mailing list
> Nfd-dev at lists.cs.ucla.edu
> http://www.lists.cs.ucla.edu/mailman/listinfo/nfd-dev
>
More information about the Nfd-dev
mailing list