I'm copying Donald, as one of the authors of RFC 4086, for advice here.
Donald, this is in regard to draft-ietf-pana-pana-12.txt
This recommendation on selection of the Cookie:
In order to do that, the cookie MUST be computed in such a way that
it does not require any per-session state maintenance on the PAA in
order to verify the cookie returned in the PANA-Start-Answer message.
The handshake phase that takes advantage of cookies is called
"stateless handshake". The exact algorithms and syntax used by the
PAA to generate cookies does not affect interoperability and hence is
not specified here.
Seems to be in conflict with:
The Cookie AVP (AVP Code 3) is used for carrying a random value
generated by the PAA according to [RFC4086].
Seen elsewhere in the document.
First, there is an obvious conflict in that the document says there is no
recommendation on algorithms in one place, but refers to RFC 4086 in
another (which clearly does have algorithms to recommend). But more
importantly, it seems that you are placing requirements on the
randomness of the cookie value by referencing RFC 4086 (which is a good
thing) while at the same time mandating (with a MUST, no less) specific
implementation requirements with respect to state at the PAA. I'm not
sure that it is even possible to state that the PAA MUST somehow be able
to verify that it generated a cookie, without state, and still be in
keeping with RFC 4086 requirements (this is where I would like Donald to
give advice).
Also, if you are going to reference RFC 4086, I believe you need to
define what kind of random number you are looking for. To wit, I think
you are looking for a "Cryptographically Random" value, as you are
trying to protect against blind guessing attacks here.
Finally, if keeping state at the PAA isn't a big deal for a specific
implementation, why include this kind of MUST? I think you are getting
too deep into implementation details with normative language.
- Mark
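
Added example (not part of the message above, and not taken from the PANA draft): one common way to build a cookie that can be verified without per-session state is a keyed MAC over the peer's address, computed with a single server-wide secret drawn from a cryptographically strong random source. The field layout, the 30-second lifetime, and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import struct
import time

COOKIE_LIFETIME = 30  # seconds a cookie stays valid (assumed value)

# One server-wide secret from the OS CSPRNG. It is shared by all peers,
# so it is not per-session state. A real deployment would rotate it.
SERVER_SECRET = secrets.token_bytes(32)


def _mac(peer_addr: str, peer_port: int, issued_at: int) -> bytes:
    # Fixed-width fields first, variable-length address last, so two
    # different inputs cannot serialize to the same byte string.
    msg = struct.pack("!IH", issued_at, peer_port) + peer_addr.encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()


def make_cookie(peer_addr: str, peer_port: int, now=None) -> bytes:
    """Return timestamp || HMAC; nothing is stored on the server."""
    issued_at = int(time.time() if now is None else now)
    return struct.pack("!I", issued_at) + _mac(peer_addr, peer_port, issued_at)


def verify_cookie(cookie: bytes, peer_addr: str, peer_port: int, now=None) -> bool:
    """Recompute the MAC from the returned cookie and the packet source."""
    if len(cookie) != 4 + 32:
        return False
    now = int(time.time() if now is None else now)
    (issued_at,) = struct.unpack("!I", cookie[:4])
    # Reject cookies that are expired or claim to be from the future.
    if not 0 <= now - issued_at <= COOKIE_LIFETIME:
        return False
    expected = _mac(peer_addr, peer_port, issued_at)
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(cookie[4:], expected)
```

In this construction the unpredictability of the cookie to an off-path guesser rests on the secret, not on a fresh random value per cookie.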