On Tue, May 23, 2017 at 9:53 AM, Adam Roach <a...@nostrum.com> wrote:
> On 5/23/17 05:09, Alexey Melnikov wrote:
>
> On Tue, May 23, 2017, at 10:24 AM, Alexey Melnikov wrote:
>
> Hi William,
>
> On 22 May 2017, at 23:14, William Denniss <wdenn...@google.com> wrote:
>
> Section 8.1 makes the statement that "Loopback IP based redirect URIs may
> be susceptible to interception by other apps listening on the same
> loopback interface." That's not how TCP listener sockets work: for any
> given IP address, they guarantee single-process access to a port at any
> one time. (Exceptions would include processes with root access, but an
> attacking process with that level of access is going to be impossible to
> defend against). While mostly harmless, the statement appears to be false
> on its face, and should be removed or clarified.
>
>
> Will be removed in the next update. Thank you.
>
>
> Actually, I disagree with Adam on this, because what he says is OS
> specific. So I think the text is valuable and should stay.
>
> In particular, I think SO_REUSEADDR socket option is widely implemented,
> both on Windows and Linux.
>
>
> Okay, after doing a lot of digging, this appears to be much more
> complicated than it should be [1]. Linux (as of 3.9) does allow multiple
> _listeners_ on a single IP/Address pair (and does load balancing among them
> o_O), but only if they're both using SO_REUSEADDR ("don't do that then"
> would be good advice). Windows allows the kind of hijacking described in
> the document unless SO_EXCLUSIVEADDRUSE is set (and it might be good advice
> in this document to suggest setting it).
>
Thank you Alexey and Adam for the discussion and research!
I've added notes to both the Windows and Linux implementation details
(staged for v12).
> So I'm okay with the paragraph staying in, although I would like to see it
> qualified with "on some operating systems", and would like to see a note
> (probably in section B.3) recommending the use of SO_EXCLUSIVEADDRUSE on
> listening sockets.
>
Added the qualifier "on some operating systems" for the next version.
/a
>
>
> ____
>
> [1] The most comprehensive explanation of facts on the ground that I could
> find is https://stackoverflow.com/questions/14388706/socket-
> options-so-reuseaddr-and-so-reuseport-how-do-they-differ-do-they-mean-t
>
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
