Re: [cf-dev] Request/Response matching short term concern

Okay, there appears to be still some confusion---at least at my end :)

> Just to be clear, you want to go with strict mode only for non-secure
> connections or for both? (non-secure and secure) I think for secure
> connections it is desirable to have the token-only matching available (by
> default or by configuration).

I thought the strict and flexible modes will be a feature for 2.x.x, that is, not included in the 1.0.0 release. And for the short term, we pick something fixed and conservative.

> [Hudalla Kai (INST/ESY)] I think it makes sense to provide a way for people to
> use changing IP addresses in a non-DTLS scenario as well.
> If you want to make sure nobody can eavesdrop on your data you should use
> DTLS and Simon has done a great job in making session resumption work
> providing exactly this capability to DTLS enabled scenarios with changing
> (client) IP addresses.

From this, I get that you prefer a flexible mode that ignores the epoch constraint for notifications. This is not compliant with the Observe draft, but if you see this as beneficial for Leshan and other products, we can go this way.

In summary, the short-term solution is to keep token-only matching, implement fully random tokens to fortify against spoofing, and ignore the epoch constraint, right?

