Re: [leshan-dev] Even with DTLS Usage Requests initiated by LWM2M Server get sent to wrong LWM2M client with same IP:Port

Hi,
I don't think we should handle it as a "security vulnerability" because it seems quite difficult to use in the wild.
But I think we should add a link to https://www.eclipse.org/security/ on the web page.

--
Julien Vermillard

On Fri, Oct 7, 2016 at 5:14 PM, Mike Milinkovich <mike.milinkovich@xxxxxxxxxxx> wrote:
On 10/7/2016 10:31 AM, Maier Daniel (INST/ECS4) wrote:

Hi,

when a request to a LWM2M client, e.g. a read request, gets triggered, Leshan looks up the client with the desired endpoint name from the client registry and sends the request to the IP:Port saved there. When this IP:Port gets used by another client in the meantime, e.g. port reuse by a NAT device, the request gets sent to the wrong client. I think without usage of DTLS this behavior is just fine.

However, the same also applies with DTLS. Example:

- client1 registers with Leshan using PSK1
- client2 creates a new DTLS session with Leshan/Scandium from the same IP:Port but with PSK2 (the client does not need to register at LWM2M level)
- server sends a read request to client1, however the request arrives at client2 (as client2 has the IP:Port of client1) and client2 can even decrypt it

Isn't this a serious security issue? I can't find anything related to this in the LWM2M Specification.

One way to solve this would be to hand over the recipient principal somehow to Scandium, and Scandium only sends the message when this is the same as the active DTLS session. Or, even more strict, hand over the DTLS sessionId etc. of the last message received from the corresponding client to Scandium (like Scandium CorrelationContext but only the other way around).


Without commenting on the merits of this discussion, I would like to remind the Leshan team that the Eclipse Foundation does have a process for dealing with security vulnerabilities. If you have any questions on how the Foundation staff can help, please contact emo@xxxxxxxxxxx.

Please see https://www.eclipse.org/security/


_______________________________________________
leshan-dev mailing list
leshan-dev@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/leshan-dev
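
The check proposed in the original message can be modelled as follows. This is an added example, not part of the thread and not Leshan or Scandium code: `Registration`, `DtlsSession`, `maySend`, the maps, the session ids and the address are all hypothetical, constructed names and values.

```java
import java.util.HashMap;
import java.util.Map;

// Constructed model; these are NOT Leshan or Scandium types (all names hypothetical).
public class PrincipalBoundSend {
    // What the LWM2M registry keeps per endpoint, including the DTLS session
    // on which the client's last message arrived.
    record Registration(String peerAddress, String pskIdentity, String lastSessionId) {}
    // What the DTLS layer currently holds for a peer address.
    record DtlsSession(String sessionId, String pskIdentity) {}

    static final Map<String, Registration> registry = new HashMap<>(); // endpoint -> registration
    static final Map<String, DtlsSession> sessions = new HashMap<>();  // IP:port -> active session

    // True only if the session now active on the registered address was
    // authenticated with the identity the endpoint registered with. With
    // strict=true it must also be the session of the client's last message.
    static boolean maySend(String endpoint, boolean strict) {
        Registration reg = registry.get(endpoint);
        if (reg == null) return false;
        DtlsSession active = sessions.get(reg.peerAddress());
        if (active == null || !active.pskIdentity().equals(reg.pskIdentity())) {
            return false; // address is now held by a different principal
        }
        return !strict || active.sessionId().equals(reg.lastSessionId());
    }

    public static void main(String[] args) {
        String addr = "203.0.113.7:40001"; // constructed sample address
        // client1 handshakes with PSK1 and registers at LWM2M level.
        sessions.put(addr, new DtlsSession("s-1", "PSK1"));
        registry.put("client1", new Registration(addr, "PSK1", "s-1"));
        System.out.println("client1 on its own session:  " + maySend("client1", false));

        // client2 handshakes from the same IP:Port with PSK2, without registering.
        sessions.put(addr, new DtlsSession("s-2", "PSK2"));
        System.out.println("after client2 took the port: " + maySend("client1", false));

        // client1 re-handshakes (new session, same PSK) but has sent nothing yet.
        sessions.put(addr, new DtlsSession("s-3", "PSK1"));
        System.out.println("identity check after rehandshake: " + maySend("client1", false));
        System.out.println("strict session check:             " + maySend("client1", true));
    }
}
```

The block uses records, so it needs Java 16 or later; the last two lines show where the identity check and the stricter session-id variant from the message differ.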


