[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: C API: minor comments
At 04:49 PM 11/15/99 -0600, Mark Wahl wrote:
>
>> > Implementations of the API SHOULD begin numbering messages with 1, to
>> > be able to easily distinguish client-generated requests and
>> > unsolicited
>> > notifications.
>
>> Quite probably a bad idea. It means that the IDs are predictable, making it
>> easier for an attacker to spoof requests or replies. It may not matter as
>> much with LDAP/TCP, but with LDAP/UDP it would.
Replies and Responses can just as easily be spoofed if the IDs are not
predictable.
>> How about suggesting that requests be even and unsolicited notifications be
>> odd?
>
>Unsolicited is zero. How about this instead:
>
> Implementations of the API SHOULD assign message IDs for client generated
> requests in a range between 1 and 2147483647, to be able to easily
> distinguish them from unsolicited notifications.
I would suggestion:
API implementations MUST assign a non-zero message ID for client
requests. This ensures that all responses with message ID zero (0)
will be unsolicited notifications. Typical API implementations
increment a counter for each request.
Note: the last sentence is consistent with RFC2251. If this is
a security risk, I suggest adding a security consideration to
both RFC2251 and this draft stating the applications concerned
about spoofing should utilize a secure transport.
----
Kurt D. Zeilenga <kurt@boolean.net>
Net Boolean Incorporated <http://www.boolean.net/>