[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Protocol: Controls & multi-message operations

To: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>
Subject: Re: Protocol: Controls & multi-message operations
From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Date: Wed, 23 Feb 2005 10:00:16 -0800
Cc: ietf-ldapbis@OpenLDAP.org
In-reply-to: <hbf.20050223mx3r@bombur.uio.no>
References: <hbf.20050223obvr@bombur.uio.no> <6.2.0.14.0.20050223082924.05e1a3e0@mail.openldap.org> <hbf.20050223mx3r@bombur.uio.no>

At 09:03 AM 2/23/2005, Hallvard B Furuseth wrote:
>Kurt D. Zeilenga writes:
>>At 07:39 AM 2/23/2005, Hallvard B Furuseth wrote:
>>>Maybe something like this should be to [Protocol] section 4.1.11
>>>(Controls) or 6 (Security Considerations):
>>>  The Bind requests in a multi-step SASL Bind can have different
>>>  sets of controls.  So can multiple LDAP messages returned in
>>>  response to a single LDAP request.  Such control combinations
>>>  over multiple LDAPMessages may be inconsistent.  Protocol peers
>>>  may need to verify that they make sense instead of just trusting
>>>  the controls of some of the received LDAPMessages.
>>>
>>> At least I imagine one could attack a sloppy server or client by
>>> sending such inconsistent control combinations, though I can't
>>> come up with a concrete example at the moment.
>>
>> I fail to see a security consideration here, or are you
>> just saying that a client or server might send malformed
>> messages to a peer to attack it?
>
>No, I was thinking of messages that are fine in isolation, but with
>controls modify the messages to be processed differently in some way.
>
>Like the server attaching something like a SignedResult control to the
>final response and the client notices that it is signed, forgetting to
>check if each result entry was signed. Except that control doesn't work
>that way as far as I can tell, so it's not a valid example:-)
>Maybe if one could sign Bind messages...
>
>Anyway, I have no objection to dropping the idea.

I rather drop this, namely because I rather not imply that it
appropriate for a control specification to state that
the request control(s) can be attached to only some of the
bind requests of a multi-step SASL bind.  While certainly
the protocol doesn't preclude that, generally that would be
unwise.  Some of this was discussed when RFC 3829 was
being discussed.  That discussion lead to the requirement
(for that request control)
   In a multi-step bind operation, the client
   MUST provide the control with each bind request.

That is, extending Bind operation with controls, in general,
comes with a significant security and other considerations.
However, I don't view these as a [Protocol] issues, but an
extension design issue.... something more suitable for a
document detailing extension practices (e.g.,
draft-zeilenga-ldap-ext or the like).

Kurt

References:
- Protocol: Controls & multi-message operations
  - From: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>
- Re: Protocol: Controls & multi-message operations
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
- Re: Protocol: Controls & multi-message operations
  - From: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>

Prev by Date: Re: Protocol: Controls & multi-message operations
Next by Date: protocol/authmeth: LDAP PDU vs. TLS PDU
Index(es):
- Chronological
- Thread