

To: ietf-provreg@cafax.se
From: budi@alliance.globalnetlink.com
Date: Wed, 26 Sep 2001 08:58:36 +0700
In-reply-to: <3CD14E451751BD42BA48AAA50B07BAD6C5FAAD@vsvapostal3.prod.netsol.com>
Sender: owner-ietf-provreg@cafax.se
Subject: RE: Length of Reason String

On 25 Sep 01, at 20:16, Hollenbeck, Scott wrote:

> I don't see the relation to sloppy coding or DoS attacks.

Hi Scott,
I don't mean to say that we shouldn't use strings.
And of course we should limit the length.
(or shouldn't we?)

It's just that sloppy coding in the implementation can result in
a DoS attack (depends on the implementation, of course).
For example, if we limit the length of the reason string to 16 chars.
Then I create a nasty server which sends 10,000 chars, e.g.

- this-is-a-very-long-reply-beyond-32-characters-and-i-am-going-to-see-
which-implementation-crashes-or-gives-me-access-to-their-workstation-
wha-ha-haAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...

or
- the-reason-this-domain-is-not-available-is-because-of-we-say-so-and-
there-is-nothing-you-can-do-about-it

or

+ this-domain-is-available-but-pay-me-100-bucks-and-show-me-the-money-
first.
(like the ones used in many attacks)

But that's the implementation side. Nothing[?]/little[?]
to do with the spec. It's just that I've seen too many
things like this. Gives me the chills... (or warmth? ;-)

-- budi
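The scenario budi describes, worked through as an added example (this is not code from the original message, from the provreg list, or from any EPP implementation): a hypothetical client that handles a reason string with a spec limit of 16 characters. The sloppy variant trusts the server to honour the limit and copies unbounded; the checked variant enforces the limit itself and rejects the 10,000-character "nasty server" reply instead of crashing. The `<reason>` element extraction is a deliberately minimal `strstr`-based stand-in, not real EPP XML parsing; the 16-character limit, the element name and the constructed responses are all assumptions taken from the message.

```c
/* Added example, not from the original message. Hypothetical client-side
 * handling of a protocol "reason" string whose spec limit is 16 chars. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define REASON_MAX 16   /* hypothetical spec limit, as in the message */

/* Sloppy: trusts that the server honours the spec limit. A 10,000-char
 * reason overruns `out` (stack buffer overflow). Shown for contrast only;
 * it is never called with untrusted data below. */
void copy_reason_sloppy(char out[REASON_MAX + 1], const char *wire)
{
    strcpy(out, wire);   /* no bound at all: the classic overflow */
}

/* Checked: the client enforces the spec limit regardless of what the
 * server sends. Returns 0 on success, -1 if the server violated it. */
int copy_reason_checked(char out[REASON_MAX + 1], const char *wire,
                        size_t wire_len)
{
    if (wire_len > REASON_MAX)
        return -1;                 /* refuse, don't truncate silently */
    memcpy(out, wire, wire_len);
    out[wire_len] = '\0';
    return 0;
}

/* Pull the text between <reason> and </reason> out of a response and copy
 * it with the limit enforced. Minimal strstr stand-in for a real XML
 * parser (assumption). Returns 0 on success, -1 if the element is missing
 * or oversized. */
int extract_reason(const char *response, char out[REASON_MAX + 1])
{
    const char *open = "<reason>", *close = "</reason>";
    const char *start = strstr(response, open);
    if (!start)
        return -1;
    start += strlen(open);
    const char *end = strstr(start, close);
    if (!end)
        return -1;
    return copy_reason_checked(out, start, (size_t)(end - start));
}

/* Constructed input: a "nasty server" reply with n chars of 'A' in the
 * reason element. Caller frees the result. */
char *build_nasty_response(size_t n)
{
    const char *pre = "<response><reason>", *post = "</reason></response>";
    char *buf = malloc(strlen(pre) + n + strlen(post) + 1);
    if (!buf)
        return NULL;
    strcpy(buf, pre);
    memset(buf + strlen(pre), 'A', n);
    strcpy(buf + strlen(pre) + n, post);
    return buf;
}

int main(void)
{
    char reason[REASON_MAX + 1];
    const char *good = "<response><reason>In use</reason></response>";
    if (extract_reason(good, reason) == 0)
        printf("ok: \"%s\"\n", reason);

    char *nasty = build_nasty_response(10000);
    if (nasty && extract_reason(nasty, reason) != 0)
        printf("rejected: server exceeded the %d-char limit\n", REASON_MAX);
    free(nasty);
    return 0;
}
```

The point of the checked variant is that the limit lives in the client, not only in the spec: whether the spec says 16 or 10,000, a peer that ignores it must be rejected by the receiver's own bounds check, otherwise the limit protects nobody.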
