RE: [Bluez-devel] Service level security for RFCOMM

RE: [Bluez-devel] Service level security for RFCOMM

[Bhatt Abhi-ABHATT]

Marcel,

> And btw I got the service level security for incoming RFCOMM channels
> working on my development system and I did it without modifying the
> current state machine and it is hopefully SMP safe. I think we need
> another timer on the server side that kills the connection if nobody
> wants to authenticate, but thats another thing to look at. So someone
> owes me a crate full of beer :)
That is great news!! When do i get to see the code:) I don't know 
where you live or else you would have a crate full of beer delivered to you
right about now:) Thanks a bunch.	

Regards
Abhi

Hi Abhi,

don't forget to use the "Reply to All" button ;)

> > it is the same. I already committed the needed stuff to the CVS and
> > changed rctest to set them. However without a correct kernel the call of
> > setsockopt() will fail.
> I am not clear on what this means. Could you please explain what it is that
> you've added and committed in to CVS ?

I like to say look at my latest changes in the CVS and look at rctest,
but it seems that the anonymous CVS is not in sync with the developer
CVS. Again, this is a Sourceforge problem and I heard of other projects
that had the same problems at the moment.

However, I added RFCOMM_LM and RFCOMM_LM_AUTH resp. RFCOMM_LM_ENCRYPT
with the same values as we used for their L2CAP_* counterparts. So you
can use the setsockopt() with these values to achieve the same effect as
you expect on L2CAP. But without a kernel that knows about RFCOMM_LM the
setsockopt() and getsockopt() calls will fail.

And btw I got the service level security for incoming RFCOMM channels
working on my development system and I did it without modifying the
current state machine and it is hopefully SMP safe. I think we need
another timer on the server side that kills the connection if nobody
wants to authenticate, but thats another thing to look at. So someone
owes me a crate full of beer :)

Regards

Marcel

RE: [Bluez-devel] Service level security for RFCOMM

[Marcel Holtmann]

Hi Abhi,

> > And btw I got the service level security for incoming RFCOMM channels
> > working on my development system and I did it without modifying the
> > current state machine and it is hopefully SMP safe. I think we need
> > another timer on the server side that kills the connection if nobody
> > wants to authenticate, but thats another thing to look at. So someone
> > owes me a crate full of beer :)
> That is great news!! When do i get to see the code:)

my plan is to get out another -mh patch for 2.6.9 after I checked that I
didn't broke the L2CAP part.

> I don't know 
> where you live or else you would have a crate full of beer delivered to you
> right about now:) Thanks a bunch.	

Bring it with you to the UPF-20 :)

Regards

Marcel




-------------------------------------------------------
This SF.Net email is sponsored by:
Sybase ASE Linux Express Edition - download now for FREE
LinuxWorld Reader's Choice Award Winner for best database on Linux.
http://ads.osdn.com/?ad_id=5588&alloc_id=12065&op=click
_______________________________________________
Bluez-devel mailing list
Bluez-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bluez-devel

RE: [Bluez-devel] Service level security for RFCOMM

[Marcel Holtmann]

Hi Abhi,

don't forget to use the "Reply to All" button ;)

> > it is the same. I already committed the needed stuff to the CVS and
> > changed rctest to set them. However without a correct kernel the call of
> > setsockopt() will fail.
> I am not clear on what this means. Could you please explain what it is that
> you've added and committed in to CVS ?

I like to say look at my latest changes in the CVS and look at rctest,
but it seems that the anonymous CVS is not in sync with the developer
CVS. Again, this is a Sourceforge problem and I heard of other projects
that had the same problems at the moment.

However, I added RFCOMM_LM and RFCOMM_LM_AUTH resp. RFCOMM_LM_ENCRYPT
with the same values as we used for their L2CAP_* counterparts. So you
can use the setsockopt() with these values to achieve the same effect as
you expect on L2CAP. But without a kernel that knows about RFCOMM_LM the
setsockopt() and getsockopt() calls will fail.

And btw I got the service level security for incoming RFCOMM channels
working on my development system and I did it without modifying the
current state machine and it is hopefully SMP safe. I think we need
another timer on the server side that kills the connection if nobody
wants to authenticate, but thats another thing to look at. So someone
owes me a crate full of beer :)

Regards

Marcel




-------------------------------------------------------
This SF.Net email is sponsored by:
Sybase ASE Linux Express Edition - download now for FREE
LinuxWorld Reader's Choice Award Winner for best database on Linux.
http://ads.osdn.com/?ad_id=5588&alloc_id=12065&op=click
_______________________________________________
Bluez-devel mailing list
Bluez-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bluez-devel

RE: [Bluez-devel] Service level security for RFCOMM

[Bhatt Abhi-ABHATT]

Hi Steve, Marcel,

> > Service level security is required for JSR-82 like Steve pointed it out. 
> > For anyone implementing JSR-82, they would have to add this service level
> > security themselves. It would be most useful to have it as part of bluez
> > rather than have people implement their own way of it. 
> 
> actually you can't implement it in a sane way in userspace, because you
> don't have control over the RFCOMM signalling channel.

> Marcel is right here. You can try and kludge it by trying to enforce the
> security requirements _after_ the connection has been accepted but this
> is pretty horrible (and it's hard to prevent acceptAndOpen() returning a
> connection which is immediately closed).

Sorry for the confusion but I wasn't referring to user space at all. I was thinking of having the rfcomm service level security implemented in almost the same way as the l2cap service level security(incoming connection). The service level security options could be set using setsockopt(..) in rfcomm. This in turn could be used to set the service level settings for the l2cap socket it uses. I can draw a sequence diagram(function calls) to show how i
picture the design. I'll do that.

> > Also, currently there is no service level security in l2cap for 
> > outgoing connections. I would like to know if someone has already 
> > taken a stab at it and if this should be part of bluez in the 
> > future.

> > I've had a look at this recently. If I get time I will have a go at  
> > implementing it.

Steve, I would be interested to know how you intend to implement it.


> You must convince me that this is really needed and a good idea. For 
> what kind of application do you want to use it?

> It's for the same reason as stated above: you don't want the connection to > succeed unless the security requirements can be met. If you have a client > in security mode 2 and a server in security mode 1, you want the server to > see an incoming connection _only_ if authentication/encryption have been 
> successfully performed. You _don't_ want the server to see an incoming 
> connection which is immediately closed.	

Plus JSR-82 requires that service level security should be possible for
outgoing connections. So for anyone trying to implement JSR-82 and using
bluez, it is needed.

Regards
Abhi


Hi Marcel, Abhi,

On Fri, 2004-10-29 at 15:47, Marcel Holtmann wrote:
> > Service level security is required for JSR-82 like Steve pointed it out. 
> > For anyone implementing JSR-82, they would have to add this service level
> > security themselves. It would be most useful to have it as part of bluez
> > rather than have people implement their own way of it. 
> 
> actually you can't implement it in a sane way in userspace, because you
> don't have control over the RFCOMM signalling channel.

Marcel is right here. You can try and kludge it by trying to enforce the
security requirements _after_ the connection has been accepted but this
is pretty horrible (and it's hard to prevent acceptAndOpen() returning a
connection which is immediately closed).

> > Marcel, if you recall, we've exchanged an email regarding service level security. At that point, you had mentioned thinking about a security manager embedded in bluez that would allow it.
> 
> This is a little bit different, because this is more basic stuff. You
> need to integrate the trigger points of the Bluetooth security mechanism
> into the RFCOMM layer. And actually the state machine of RFCOMM is more
> complex than the one of L2CAP. For me it is not clear at the moment what
> is the best thing to do without breaking anything.
> 
> So the question still stands. Should we already force authentication
> when the peer sends PN CMD?

Actually p412 in the SPEC (v1.1) says:

"On the responding side, if authentication procedures are triggered from
RFCOMM, this must only be done when receiving a SABM frame, not when
receiving configuration commands preparing an unopened DLC (Erratum
1052)."

> > I am currently working on implementing JSR-82 which requires this level 
> > of security. If anyone has already implemented or has a good way of doing it,
> > please let me know. I would be very interested.
> 
> As mentioned above the only way is inside the kernel, because otherwise
> you will trigger after the MSC exchange and this is too late.
> 
> > Also, currently there is no service level security in l2cap for outgoing
> > connections. I would like to know if someone has already taken a stab at it
> > and if this should be part of bluez in the future. 

I've had a look at this recently. If I get time I will have a go at
implementing it.

> You must convince me that this is really needed and a good idea. For
> what kind of application do you wanna use it?

It's for the same reason as stated above: you don't want the connection
to succeed unless the security requirements can be met. If you have a
client in security mode 2 and a server in security mode 1, you want the
server to see an incoming connection _only_ if authentication/encryption
have been successfully performed. You _don't_ want the server to see an
incoming connection which is immediately closed.

Regards,
Steve
-- 
Stephen Crane, Rococo Software Ltd. http://www.rococosoft.com
steve.crane@rococosoft.com +353-1-6601315 (ext 209)

RE: [Bluez-devel] Service level security for RFCOMM

[Stephen Crane]

Hi Abhi,

On Fri, 2004-10-29 at 16:35, Bhatt Abhi-ABHATT wrote:

> Sorry for the confusion but I wasn't referring to user space at all. I was thinking of having the rfcomm service level security implemented in almost the same way as the l2cap service level security(incoming connection). The service level security options could be set using setsockopt(..) in rfcomm. This in turn could be used to set the service level settings for the l2cap socket it uses. I can draw a sequence diagram(function calls) to show how i
> picture the design. I'll do that.

I think that from the user-space's point of view, the interface should
be identical. (In fact I think this is already supported, just not
acted-upon: you do setsockopt(sock, SOL_RFCOMM, ...).)

> > > Also, currently there is no service level security in l2cap for 
> > > outgoing connections. I would like to know if someone has already 
> > > taken a stab at it and if this should be part of bluez in the 
> > > future.
> 
> > > I've had a look at this recently. If I get time I will have a go at  
> > > implementing it.
> 
> Steve, I would be interested to know how you intend to implement it.

I will need to revisit my notes. It's been a while and I've forgotten
:-(

> Plus JSR-82 requires that service level security should be possible for
> outgoing connections. So for anyone trying to implement JSR-82 and using
> bluez, it is needed.

This is a bit strong: p42 of the JSR-82 spec states that "Not all
Bluetooth systems support authentication [...]". Thus you _can_ conform
to JSR-82 without this. However it's nice to have :-)

> Regards
> Abhi

Cheers,
Steve
-- 
Stephen Crane, Rococo Software Ltd. http://www.rococosoft.com
steve.crane@rococosoft.com +353-1-6601315 (ext 209)

RE: [Bluez-devel] Service level security for RFCOMM

[Marcel Holtmann]

Hi Steve,

> > Sorry for the confusion but I wasn't referring to user space at all. I was thinking of having the rfcomm service level security implemented in almost the same way as the l2cap service level security(incoming connection). The service level security options could be set using setsockopt(..) in rfcomm. This in turn could be used to set the service level settings for the l2cap socket it uses. I can draw a sequence diagram(function calls) to show how i
> > picture the design. I'll do that.
> 
> I think that from the user-space's point of view, the interface should
> be identical. (In fact I think this is already supported, just not
> acted-upon: you do setsockopt(sock, SOL_RFCOMM, ...).)

it is the same. I already committed the needed stuff to the CVS and
changed rctest to set them. However without a correct kernel the call of
setsockopt() will fail.

Regards

Marcel




-------------------------------------------------------
This SF.Net email is sponsored by:
Sybase ASE Linux Express Edition - download now for FREE
LinuxWorld Reader's Choice Award Winner for best database on Linux.
http://ads.osdn.com/?ad_id=5588&alloc_id=12065&op=click
_______________________________________________
Bluez-devel mailing list
Bluez-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bluez-devel

RE: [Bluez-devel] Service level security for RFCOMM

[Marcel Holtmann]

Hi Abhi,

> > Marcel is right here. You can try and kludge it by trying to enforce the
> > security requirements _after_ the connection has been accepted but this
> > is pretty horrible (and it's hard to prevent acceptAndOpen() returning a
> > connection which is immediately closed).
> 
> Sorry for the confusion but I wasn't referring to user space at all. I was thinking of having the rfcomm service level security implemented in almost the same way as the l2cap service level security(incoming connection). The service level security options could be set using setsockopt(..) in rfcomm. This in turn could be used to set the service level settings for the l2cap socket it uses. I can draw a sequence diagram(function calls) to show how i
> picture the design. I'll do that.

not needed, because it won't work this way. The L2CAP layer has nothing
to do with it, you must interface with the HCI layer.

Regards

Marcel




-------------------------------------------------------
This SF.Net email is sponsored by:
Sybase ASE Linux Express Edition - download now for FREE
LinuxWorld Reader's Choice Award Winner for best database on Linux.
http://ads.osdn.com/?ad_id=5588&alloc_id=12065&op=click
_______________________________________________
Bluez-devel mailing list
Bluez-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bluez-devel

RE: [Bluez-devel] Service level security for RFCOMM

[Bhatt Abhi-ABHATT]

Marcel,

Service level security is required for JSR-82 like Steve pointed it out. 
For anyone implementing JSR-82, they would have to add this service level
security themselves. It would be most useful to have it as part of bluez
rather than have people implement their own way of it. 

Marcel, if you recall, we've exchanged an email regarding service level security. At that point, you had mentioned thinking about a security manager embedded in bluez that would allow it.

I am currently working on implementing JSR-82 which requires this level 
of security. If anyone has already implemented or has a good way of doing it,
please let me know. I would be very interested.

Also, currently there is no service level security in l2cap for outgoing
connections. I would like to know if someone has already taken a stab at it
and if this should be part of bluez in the future. 

Regards
Abhi


> actually it seems that nobody really cares about service level security
> on the RFCOMM layer. Or people are too lazy to send in a patch. However,
> I spent some hours with thinking about it and the core stuff of a small
> framework for providing authentication and encrypt feedback from HCI to
> higher level protocols is finished.

Perhaps this is because no-one except you and Max understands the RFComm
state-machine? :-)

> The problem now is to change the RFCOMM state machine to deal with it
> and reject connections in the failure case. After looking at the state
> machine of RFCOMM, I realized that there are two posibilities when to
> trigger the authentication. One is after we receive the PN CMD and the
> other after the SABM for the specific channel. The specification says
> nothing about that. What are the pros and cons?
> 
> And btw, who is really interested in this feature or needs it?

This is useful (and probably required, I can't remember) for JSR-82.
Especially for people who want to encrypted/authenticated OBEX
connections.

Are you going to do the client-side too?

Steve
-- 
Stephen Crane, Rococo Software Ltd. http://www.rococosoft.com
steve.crane@rococosoft.com +353-1-6601315 (ext 209)



-------------------------------------------------------
This Newsletter Sponsored by: Macrovision 
For reliable Linux application installations, use the industry's leading
setup authoring tool, InstallShield X. Learn more and evaluate 
today. http://clk.atdmt.com/MSI/go/ins0030000001msi/direct/01/
_______________________________________________
Bluez-devel mailing list
Bluez-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bluez-devel

RE: [Bluez-devel] Service level security for RFCOMM

[Marcel Holtmann]

Hi Abhi,

> Service level security is required for JSR-82 like Steve pointed it out. 
> For anyone implementing JSR-82, they would have to add this service level
> security themselves. It would be most useful to have it as part of bluez
> rather than have people implement their own way of it. 

actually you can't implement it in a sane way in userspace, because you
don't have control over the RFCOMM signalling channel.

> Marcel, if you recall, we've exchanged an email regarding service level security. At that point, you had mentioned thinking about a security manager embedded in bluez that would allow it.

This is a little bit different, because this is more basic stuff. You
need to integrate the trigger points of the Bluetooth security mechanism
into the RFCOMM layer. And actually the state machine of RFCOMM is more
complex than the one of L2CAP. For me it is not clear at the moment what
is the best thing to do without breaking anything.

So the question still stands. Should we already force authentication
when the peer sends PN CMD?

> I am currently working on implementing JSR-82 which requires this level 
> of security. If anyone has already implemented or has a good way of doing it,
> please let me know. I would be very interested.

As mentioned above the only way is inside the kernel, because otherwise
you will trigger after the MSC exchange and this is too late.

> Also, currently there is no service level security in l2cap for outgoing
> connections. I would like to know if someone has already taken a stab at it
> and if this should be part of bluez in the future. 

You must convince me that this is really needed and a good idea. For
what kind of application do you wanna use it?

Regards

Marcel




-------------------------------------------------------
This Newsletter Sponsored by: Macrovision 
For reliable Linux application installations, use the industry's leading
setup authoring tool, InstallShield X. Learn more and evaluate 
today. http://clk.atdmt.com/MSI/go/ins0030000001msi/direct/01/
_______________________________________________
Bluez-devel mailing list
Bluez-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bluez-devel

RE: [Bluez-devel] Service level security for RFCOMM

[Stephen Crane]

Hi Marcel, Abhi,

On Fri, 2004-10-29 at 15:47, Marcel Holtmann wrote:
> > Service level security is required for JSR-82 like Steve pointed it out. 
> > For anyone implementing JSR-82, they would have to add this service level
> > security themselves. It would be most useful to have it as part of bluez
> > rather than have people implement their own way of it. 
> 
> actually you can't implement it in a sane way in userspace, because you
> don't have control over the RFCOMM signalling channel.

Marcel is right here. You can try and kludge it by trying to enforce the
security requirements _after_ the connection has been accepted but this
is pretty horrible (and it's hard to prevent acceptAndOpen() returning a
connection which is immediately closed).

> > Marcel, if you recall, we've exchanged an email regarding service level security. At that point, you had mentioned thinking about a security manager embedded in bluez that would allow it.
> 
> This is a little bit different, because this is more basic stuff. You
> need to integrate the trigger points of the Bluetooth security mechanism
> into the RFCOMM layer. And actually the state machine of RFCOMM is more
> complex than the one of L2CAP. For me it is not clear at the moment what
> is the best thing to do without breaking anything.
> 
> So the question still stands. Should we already force authentication
> when the peer sends PN CMD?

Actually p412 in the SPEC (v1.1) says:

"On the responding side, if authentication procedures are triggered from
RFCOMM, this must only be done when receiving a SABM frame, not when
receiving configuration commands preparing an unopened DLC (Erratum
1052)."

> > I am currently working on implementing JSR-82 which requires this level 
> > of security. If anyone has already implemented or has a good way of doing it,
> > please let me know. I would be very interested.
> 
> As mentioned above the only way is inside the kernel, because otherwise
> you will trigger after the MSC exchange and this is too late.
> 
> > Also, currently there is no service level security in l2cap for outgoing
> > connections. I would like to know if someone has already taken a stab at it
> > and if this should be part of bluez in the future. 

I've had a look at this recently. If I get time I will have a go at
implementing it.

> You must convince me that this is really needed and a good idea. For
> what kind of application do you wanna use it?

It's for the same reason as stated above: you don't want the connection
to succeed unless the security requirements can be met. If you have a
client in security mode 2 and a server in security mode 1, you want the
server to see an incoming connection _only_ if authentication/encryption
have been successfully performed. You _don't_ want the server to see an
incoming connection which is immediately closed.

Regards,
Steve
-- 
Stephen Crane, Rococo Software Ltd. http://www.rococosoft.com
steve.crane@rococosoft.com +353-1-6601315 (ext 209)

RE: [Bluez-devel] Service level security for RFCOMM

[Marcel Holtmann]

Hi Steve,

> > So the question still stands. Should we already force authentication
> > when the peer sends PN CMD?
> 
> Actually p412 in the SPEC (v1.1) says:
> 
> "On the responding side, if authentication procedures are triggered from
> RFCOMM, this must only be done when receiving a SABM frame, not when
> receiving configuration commands preparing an unopened DLC (Erratum
> 1052)."

this is a clear statement. Thanks for pointing this out.

However this also leads to a security problem, because I can scan the
RFCOMM ports of a remote device without forcing the security mechanism.
I only have to do the PN exchange and then disconnect. What should a
remote device do when a PN CMD comes in for a channel without a service
behind it?

> > You must convince me that this is really needed and a good idea. For
> > what kind of application do you wanna use it?
> 
> It's for the same reason as stated above: you don't want the connection
> to succeed unless the security requirements can be met. If you have a
> client in security mode 2 and a server in security mode 1, you want the
> server to see an incoming connection _only_ if authentication/encryption
> have been successfully performed. You _don't_ want the server to see an
> incoming connection which is immediately closed.

Sorry, I don't get the point. Why should a client care about security
mode 2, when it want to connect to a server in security mode 1. Actually
the server must know what services to protect and not the client. If you
have such server running, then this is a wrong designed server from my
point of view.

Regards

Marcel




-------------------------------------------------------
This SF.Net email is sponsored by:
Sybase ASE Linux Express Edition - download now for FREE
LinuxWorld Reader's Choice Award Winner for best database on Linux.
http://ads.osdn.com/?ad_id=5588&alloc_id=12065&op=click
_______________________________________________
Bluez-devel mailing list
Bluez-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bluez-devel

RE: [Bluez-devel] Service level security for RFCOMM

[Stephen Crane]

Hi Marcel,

On Fri, 2004-10-29 at 17:40, Marcel Holtmann wrote:
> However this also leads to a security problem, because I can scan the
> RFCOMM ports of a remote device without forcing the security mechanism.
> I only have to do the PN exchange and then disconnect. What should a
> remote device do when a PN CMD comes in for a channel without a service
> behind it?

If the spec says that authentication can only happen on receipt of SABM,
then I guess this leaves it open to port scans. 

However, does this really matter? If you want to protect _all_ services,
use security mode 3. If you're in security mode 2, it's most likely that
you can do SDP searches without performing a security procedure and
discover open channels that way.

> Sorry, I don't get the point. Why should a client care about security
> mode 2, when it want to connect to a server in security mode 1. Actually
> the server must know what services to protect and not the client. If you
> have such server running, then this is a wrong designed server from my
> point of view.

Well, for example, a client may wish to authenticate a server before
connecting to it, irrespective of the security the service wants for
itself.

> Regards
> 
> Marcel

Steve
-- 
Stephen Crane, Rococo Software Ltd. http://www.rococosoft.com
steve.crane@rococosoft.com +353-1-6601315 (ext 209)

RE: [Bluez-devel] Service level security for RFCOMM

[Marcel Holtmann]

Hi Steve,

> > However this also leads to a security problem, because I can scan the
> > RFCOMM ports of a remote device without forcing the security mechanism.
> > I only have to do the PN exchange and then disconnect. What should a
> > remote device do when a PN CMD comes in for a channel without a service
> > behind it?
> 
> If the spec says that authentication can only happen on receipt of SABM,
> then I guess this leaves it open to port scans. 
> 
> However, does this really matter? If you want to protect _all_ services,
> use security mode 3. If you're in security mode 2, it's most likely that
> you can do SDP searches without performing a security procedure and
> discover open channels that way.

yes, it matters, because security mode 3 is never the answer to any
security related problems. You still need a very good policy engine
behind the security manager to protect your device. I would advice
anybody not to use security mode 3, even if the device supports only a
single service. A single trust model is not working.

> > Sorry, I don't get the point. Why should a client care about security
> > mode 2, when it want to connect to a server in security mode 1. Actually
> > the server must know what services to protect and not the client. If you
> > have such server running, then this is a wrong designed server from my
> > point of view.
> 
> Well, for example, a client may wish to authenticate a server before
> connecting to it, irrespective of the security the service wants for
> itself.

I still don't see the full need behind this, but send in a clean patch
for it and I will apply it. There should be no problem to support it.

Regards

Marcel




-------------------------------------------------------
This SF.Net email is sponsored by:
Sybase ASE Linux Express Edition - download now for FREE
LinuxWorld Reader's Choice Award Winner for best database on Linux.
http://ads.osdn.com/?ad_id=5588&alloc_id=12065&op=click
_______________________________________________
Bluez-devel mailing list
Bluez-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bluez-devel

[Bluez-devel] Service level security for RFCOMM

[Marcel Holtmann]

Hi Folks,

actually it seems that nobody really cares about service level security
on the RFCOMM layer. Or people are too lazy to send in a patch. However,
I spent some hours with thinking about it and the core stuff of a small
framework for providing authentication and encrypt feedback from HCI to
higher level protocols is finished.

The problem now is to change the RFCOMM state machine to deal with it
and reject connections in the failure case. After looking at the state
machine of RFCOMM, I realized that there are two posibilities when to
trigger the authentication. One is after we receive the PN CMD and the
other after the SABM for the specific channel. The specification says
nothing about that. What are the pros and cons?

And btw, who is really interested in this feature or needs it?

Regards

Marcel




-------------------------------------------------------
This Newsletter Sponsored by: Macrovision 
For reliable Linux application installations, use the industry's leading
setup authoring tool, InstallShield X. Learn more and evaluate 
today. http://clk.atdmt.com/MSI/go/ins0030000001msi/direct/01/
_______________________________________________
Bluez-devel mailing list
Bluez-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bluez-devel

Re: [Bluez-devel] Service level security for RFCOMM

[James Cameron]

I'm afraid I don't understand the issues enough to know if I need the
feature.

-- 
James Cameron                         http://quozl.netrek.org/
HP Open Source, Volunteer             http://opensource.hp.com/
PPTP Client Project, Release Engineer http://pptpclient.sourceforge.net/


-------------------------------------------------------
This Newsletter Sponsored by: Macrovision 
For reliable Linux application installations, use the industry's leading
setup authoring tool, InstallShield X. Learn more and evaluate 
today. http://clk.atdmt.com/MSI/go/ins0030000001msi/direct/01/
_______________________________________________
Bluez-devel mailing list
Bluez-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bluez-devel

Re: [Bluez-devel] Service level security for RFCOMM

[Marcel Holtmann]

Hi James,

> I'm afraid I don't understand the issues enough to know if I need the
> feature.

at the moment you can trigger authentication and encryption for server
sockets on a per PSM basis for the L2CAP. If you use RFCOMM you can't
trigger this and especially not per RFCOMM channel.

Regards

Marcel




-------------------------------------------------------
This Newsletter Sponsored by: Macrovision 
For reliable Linux application installations, use the industry's leading
setup authoring tool, InstallShield X. Learn more and evaluate 
today. http://clk.atdmt.com/MSI/go/ins0030000001msi/direct/01/
_______________________________________________
Bluez-devel mailing list
Bluez-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bluez-devel

Re: [Bluez-devel] Service level security for RFCOMM

[Stephen Crane]

On Fri, 2004-10-29 at 05:42, Marcel Holtmann wrote:

> actually it seems that nobody really cares about service level security
> on the RFCOMM layer. Or people are too lazy to send in a patch. However,
> I spent some hours with thinking about it and the core stuff of a small
> framework for providing authentication and encrypt feedback from HCI to
> higher level protocols is finished.

Perhaps this is because no-one except you and Max understands the RFComm
state-machine? :-)

> The problem now is to change the RFCOMM state machine to deal with it
> and reject connections in the failure case. After looking at the state
> machine of RFCOMM, I realized that there are two posibilities when to
> trigger the authentication. One is after we receive the PN CMD and the
> other after the SABM for the specific channel. The specification says
> nothing about that. What are the pros and cons?
> 
> And btw, who is really interested in this feature or needs it?

This is useful (and probably required, I can't remember) for JSR-82.
Especially for people who want to encrypted/authenticated OBEX
connections.

Are you going to do the client-side too?

Steve
-- 
Stephen Crane, Rococo Software Ltd. http://www.rococosoft.com
steve.crane@rococosoft.com +353-1-6601315 (ext 209)

Re: [Bluez-devel] Service level security for RFCOMM

[Fred Schaettgen]

On Friday 29 October 2004 11:31, Stephen Crane wrote:
> On Fri, 2004-10-29 at 05:42, Marcel Holtmann wrote:
> > actually it seems that nobody really cares about service level security
> > on the RFCOMM layer. Or people are too lazy to send in a patch. However,
> > I spent some hours with thinking about it and the core stuff of a small
> > framework for providing authentication and encrypt feedback from HCI to
> > higher level protocols is finished.
..
> > And btw, who is really interested in this feature or needs it?

Over here! I'm interested.
I would like to integrate service level security into the meta server of 
kdebluetooth. At the moment you can allow/disallow connections (or show a 
confirmation popup) based on the service/rfcomm channel and on the peer 
device address, but we can't ask for an authenticated link. Being able to use 
service level security would allow us to force authenticated links when using 
any service other than obex push, which should work without having to pair 
devices first.
IIRC I asked you to allow every user to send authentication requests a few 
months ago, so that even programs running without root privileges can trigger 
authentication. But then I didn't post it on the list as you told me, to let 
other people comment on the security implications. The corresonding patch 
changed only a single bit somewhere, but of course this solution is not very 
conveniant. But if you want authentication to appear as a property of a 
single rfcomm connection that's fine too, as long as a regular users are 
allowed to use this feature. Would that be safe?

regards
Fred

-- 
Fred Schaettgen
bluez-devel@schaettgen.de


-------------------------------------------------------
This Newsletter Sponsored by: Macrovision 
For reliable Linux application installations, use the industry's leading
setup authoring tool, InstallShield X. Learn more and evaluate 
today. http://clk.atdmt.com/MSI/go/ins0030000001msi/direct/01/
_______________________________________________
Bluez-devel mailing list
Bluez-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bluez-devel

Re: [Bluez-devel] Service level security for RFCOMM

[Marcel Holtmann]

Hi Fred,

> > > And btw, who is really interested in this feature or needs it?
> 
> Over here! I'm interested.

ok, so lets count. The KDE Bluetooth framework will be the first user :)

> I would like to integrate service level security into the meta server of 
> kdebluetooth. At the moment you can allow/disallow connections (or show a 
> confirmation popup) based on the service/rfcomm channel and on the peer 
> device address, but we can't ask for an authenticated link. Being able to use 
> service level security would allow us to force authenticated links when using 
> any service other than obex push, which should work without having to pair 
> devices first.
> IIRC I asked you to allow every user to send authentication requests a few 
> months ago, so that even programs running without root privileges can trigger 
> authentication. But then I didn't post it on the list as you told me, to let 
> other people comment on the security implications. The corresonding patch 
> changed only a single bit somewhere, but of course this solution is not very 
> conveniant. But if you want authentication to appear as a property of a 
> single rfcomm connection that's fine too, as long as a regular users are 
> allowed to use this feature. Would that be safe?

You should always remember that the authentication is per device and not
per service. You can trigger it on a per service basis, but it is still
common for the complete device.

Regards

Marcel




-------------------------------------------------------
This Newsletter Sponsored by: Macrovision 
For reliable Linux application installations, use the industry's leading
setup authoring tool, InstallShield X. Learn more and evaluate 
today. http://clk.atdmt.com/MSI/go/ins0030000001msi/direct/01/
_______________________________________________
Bluez-devel mailing list
Bluez-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bluez-devel

Re: [Bluez-devel] Service level security for RFCOMM

[Marcel Holtmann]

Hi Steve,

> > actually it seems that nobody really cares about service level security
> > on the RFCOMM layer. Or people are too lazy to send in a patch. However,
> > I spent some hours with thinking about it and the core stuff of a small
> > framework for providing authentication and encrypt feedback from HCI to
> > higher level protocols is finished.
> 
> Perhaps this is because no-one except you and Max understands the RFComm
> state-machine? :-)

this maybe right, but it is a problem of the RFCOMM protocol itself and
the differences between the 1.0b and 1.1 specification :(

> > The problem now is to change the RFCOMM state machine to deal with it
> > and reject connections in the failure case. After looking at the state
> > machine of RFCOMM, I realized that there are two posibilities when to
> > trigger the authentication. One is after we receive the PN CMD and the
> > other after the SABM for the specific channel. The specification says
> > nothing about that. What are the pros and cons?
> > 
> > And btw, who is really interested in this feature or needs it?
> 
> This is useful (and probably required, I can't remember) for JSR-82.
> Especially for people who want to encrypted/authenticated OBEX
> connections.

And what to do next? When should the authentication be triggered? What
should happen if the encryption on a link gets deactivated afterwards?

> Are you going to do the client-side too?

I have no plan for this, because I don't see the need. What is bad in
using security mode 1 for outgoing and security mode 2 for incoming?

Regards

Marcel




-------------------------------------------------------
This Newsletter Sponsored by: Macrovision 
For reliable Linux application installations, use the industry's leading
setup authoring tool, InstallShield X. Learn more and evaluate 
today. http://clk.atdmt.com/MSI/go/ins0030000001msi/direct/01/
_______________________________________________
Bluez-devel mailing list
Bluez-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bluez-devel