[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: C API: minor comments



At 04:49 PM 11/15/99 -0600, Mark Wahl wrote:
>
>> > Implementations of the API SHOULD begin numbering messages with 1, to 
>> > be able to easily distinguish client-generated requests and 
>> > unsolicited
>> > notifications.
>
>> Quite probably a bad idea. It means that the IDs are predictable, making it
>> easier for an attacker to spoof requests or replies. It may not matter as
>> much with LDAP/TCP, but with LDAP/UDP it would.

Replies and Responses can just as easily be spoofed if the IDs are not
predictable.

>> How about suggesting that requests be even and unsolicited notifications be
>> odd?
>
>Unsolicited is zero.  How about this instead:
>
> Implementations of the API SHOULD assign message IDs for client generated
> requests in a range between 1 and 2147483647, to be able to easily 
> distinguish them from unsolicited notifications.

I would suggestion:

  API implementations MUST assign a non-zero message ID for client
  requests.  This ensures that all responses with message ID zero (0)
  will be unsolicited notifications.   Typical API implementations
  increment a counter for each request.

Note: the last sentence is consistent with RFC2251.  If this is
a security risk, I suggest adding a security consideration to
both RFC2251 and this draft stating the applications concerned
about spoofing should utilize a secure transport.

----
Kurt D. Zeilenga		<kurt@boolean.net>
Net Boolean Incorporated	<http://www.boolean.net/>