[PATCH] The current behaviour of hostapd_das_find_sta() is undesirable as it can result in over broad, potentially insecure matching.

Jouni Malinen j at w1.fi
Sun Mar 6 10:34:49 PST 2016


On Sun, Mar 06, 2016 at 04:16:06PM +0000, Nick Lowe wrote:
> The current behaviour of hostapd_das_find_sta() is undesirable
> as it can result in over broad, potentially insecure matching.

Could you please describe in detail why this is undesirable and what
exactly would be "potentially insecure"?

> It is best to define an order of precedence for session identifying
> attributes, based on their specificity, and to match only by the most
> specific attribute that is present in a CoA-Request or
> Disconnect-Request packet.

What is this based on? RFC 5176 is pretty clear on mandating _all_ the
specified attributes matching. This patch would not be compliant with
that.

RFC 5176, Chapter 3. Attributes:

   In Disconnect-Request and CoA-Request packets, certain attributes are
   used to uniquely identify the NAS as well as user session(s) on the
   NAS.  The combination of NAS and session identification attributes
   included in a CoA-Request or Disconnect-Request packet MUST match at
   least one session in order for a Request to be successful; otherwise
   a Disconnect-NAK or CoA-NAK MUST be sent.  If all NAS identification
   attributes match, and more than one session matches all of the
   session identification attributes, then a CoA-Request or Disconnect-
   Request MUST apply to all matching sessions.

> This order of precedence should be:
> 
> Acct-Session-Id (Session)
> Acct-Multi-Session-Id (Session)
> Calling-Station-Id (Station)
> Chargeable-User-Identity (User)
> User-Name (User)

It is up to the DAC to decide which filtering rules (and these are ANDed
together) to use. If it knows Acct-Session-Id and Acct-Multi-Session-Id
are supported, those should really be used.

> Of particular concern is that the EAP outer identity, typically used
> to populate the User-Name can often be anonymised in a way that spoofs
> another active user.

Sure, I would not want a DAC to use User-Name with EAP authentication. Still,
I see no reason to change DAS implementation for this, i.e., this is
something to guide on the DAC side.

> Where we are given a specific CoA-Request or Disconnect-Request
> packet, we should handle it as being such.

As far as I can tell, the current implementation complies with the RFC
5176 requirements. You would need to provide quite a bit more
justification to change that to something non-compliant.

-- 
Jouni Malinen                                            PGP id EFC895FA
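
The difference between the two matching rules argued over above, as an added example that is not hostapd code and not part of this thread: a small C model of a DAS that receives a Disconnect-Request or CoA-Request and decides which sessions it applies to. `match_rfc5176()` implements the rule quoted from RFC 5176 section 3 (every session identification attribute present in the request must match, and a request may hit several sessions), while `match_most_specific()` implements the precedence order from the quoted patch (only the most specific attribute present is compared). The session table, attribute values, User-Name strings and the three request scenarios are constructed sample data; NAS identification is assumed to have matched already, and a request carrying no session identification attribute at all is rejected, which is this example's choice rather than something the thread settles.

```c
/*
 * Added example, not hostapd code: RFC 5176 section 3 session matching for
 * a Disconnect-Request / CoA-Request, contrasting the rule the RFC mandates
 * (AND all session identification attributes present in the request) with
 * the "most specific attribute only" precedence proposed in the quoted patch.
 * Sessions and requests below are constructed sample data.
 */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Session identification attributes; NULL means "attribute not present". */
struct das_attrs {
    const char *acct_session_id;
    const char *acct_multi_session_id;
    const char *calling_station_id;
    const char *chargeable_user_identity;
    const char *user_name;
};

/* Constructed sessions on this NAS. Both carry the same anonymised EAP
 * outer identity as User-Name, which is the case the thread discusses. */
static const struct das_attrs sessions[] = {
    { "5e1a0001", "5e1a0001-m", "00-11-22-33-44-55", "cui-0001", "anonymous@example.net" },
    { "5e1a0002", "5e1a0002-m", "66-77-88-99-aa-bb", NULL,       "anonymous@example.net" },
};
#define NUM_SESSIONS (sizeof(sessions) / sizeof(sessions[0]))

/* An absent request attribute imposes no constraint; a present one must
 * equal the session's value. */
static int attr_ok(const char *req, const char *sess)
{
    return req == NULL || (sess != NULL && strcmp(req, sess) == 0);
}

/* RFC 5176 rule: every attribute present in the request is ANDed. */
static int match_rfc5176(const struct das_attrs *r, const struct das_attrs *s)
{
    return attr_ok(r->acct_session_id, s->acct_session_id) &&
           attr_ok(r->acct_multi_session_id, s->acct_multi_session_id) &&
           attr_ok(r->calling_station_id, s->calling_station_id) &&
           attr_ok(r->chargeable_user_identity, s->chargeable_user_identity) &&
           attr_ok(r->user_name, s->user_name);
}

/* Proposed rule: compare only the most specific attribute present and
 * ignore everything else the request carries. */
static int match_most_specific(const struct das_attrs *r, const struct das_attrs *s)
{
    if (r->acct_session_id)
        return attr_ok(r->acct_session_id, s->acct_session_id);
    if (r->acct_multi_session_id)
        return attr_ok(r->acct_multi_session_id, s->acct_multi_session_id);
    if (r->calling_station_id)
        return attr_ok(r->calling_station_id, s->calling_station_id);
    if (r->chargeable_user_identity)
        return attr_ok(r->chargeable_user_identity, s->chargeable_user_identity);
    return attr_ok(r->user_name, s->user_name);
}

/* Number of sessions the request applies to: 0 means the DAS must answer
 * with a Disconnect-NAK / CoA-NAK, more than one means the request applies
 * to every matching session. A request with no session identification
 * attribute is rejected here (this example's choice). */
int das_find(const struct das_attrs *r, int use_precedence)
{
    int n = 0;
    if (!r->acct_session_id && !r->acct_multi_session_id && !r->calling_station_id &&
        !r->chargeable_user_identity && !r->user_name)
        return 0;
    for (size_t i = 0; i < NUM_SESSIONS; i++)
        n += use_precedence ? match_most_specific(r, &sessions[i])
                            : match_rfc5176(r, &sessions[i]);
    return n;
}

/* Scenario A: DAC keys only on the shared anonymous User-Name. Both rules
 * select both sessions, hence the advice not to use User-Name with EAP. */
int scenario_user_name_only(int use_precedence)
{
    const struct das_attrs r = { NULL, NULL, NULL, NULL, "anonymous@example.net" };
    return das_find(&r, use_precedence);
}

/* Scenario B: Acct-Session-Id of session 0 plus a User-Name belonging to no
 * session. ANDing yields no match (NAK); precedence drops User-Name and
 * disconnects session 0. */
int scenario_sid_with_foreign_user(int use_precedence)
{
    const struct das_attrs r = { "5e1a0001", NULL, NULL, NULL, "bob@example.net" };
    return das_find(&r, use_precedence);
}

/* Scenario C: Acct-Session-Id of session 0 with Calling-Station-Id of
 * session 1 (a stale or mistaken id). AND: NAK. Precedence: session 0. */
int scenario_sid_and_other_station(int use_precedence)
{
    const struct das_attrs r = { "5e1a0001", NULL, "66-77-88-99-aa-bb", NULL, NULL };
    return das_find(&r, use_precedence);
}

int main(void)
{
    printf("A User-Name only:        rfc5176=%d precedence=%d\n",
           scenario_user_name_only(0), scenario_user_name_only(1));
    printf("B sid + foreign user:    rfc5176=%d precedence=%d\n",
           scenario_sid_with_foreign_user(0), scenario_sid_with_foreign_user(1));
    printf("C sid + other station:   rfc5176=%d precedence=%d\n",
           scenario_sid_and_other_station(0), scenario_sid_and_other_station(1));
    return 0;
}
```

Scenario A is the case both sides agree on: a DAC that identifies an EAP session by its anonymised outer identity hits every session sharing that identity under either rule, so the fix belongs on the DAC side. Scenarios B and C are where the two rules diverge: the RFC rule turns any contradictory attribute into a NAK, whereas the precedence rule silently acts on the most specific attribute and discards the rest of what the DAC asked for.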
