
Re: [OPSEC] [tcpm] draft-gont-tcp-security

2009-04-13 17:05:02
Smith, Donald wrote:

>> Please talk to vendors. I don't want to reproduce here what seems to
>> be the consensus among vendors with respect to the current state of
>> affairs in terms of how up-to-date our specs are.
>
> I talk to vendors a lot. I don't think there is a consensus on the
> "how up-to-date our specs are".

The consensus seems to be that the current state of affairs is something
like: "a mess". Even if you do care to produce a resilient
implementation, that task is going to be much harder than necessary. You
don't know the amount of cycles we spent in producing
draft-gont-tcp-security.... let alone the time it would take to move the
advice into an actual implementation.



> I can't even get a straight answer on how they addressed the
> icmp-blind resets or the tcp-blind resets from several years ago.
> There were several possible mitigations with some trade-offs on each
> of them. Yet finding out how your favorite vendor addressed those is
> likely to be difficult.

In many cases the lack of a straight answer may have to do with us being
unable to get to consensus and get something published in a timely
fashion. e.g., the last round on ICMP attacks against TCP was circa
2004. At that point an I-D was published on the subject (now
draft-ietf-tcpm-icmp-attacks). Yet we're still nitpicking on it, when
everybody did something about it five years ago.

It becomes harder to get a straight answer when it's impossible for a
vendor to point to a counter-measure that is supposed to be the result
of a thorough review process, in a *timely* fashion.

I'm aware there's an effort in the vendor community to improve the
resiliency of TCP based on the document published by UK CPNI. Yet we're
still debating whether to ignore it or not.... maybe so that we can
publish an RFC in the future tagging those implementations as
non-compliant... or maybe to allow TCP vulnerabilities to be
"rediscovered" every few years.

Thanks!

Kind regards,
-- 
Fernando Gont
e-mail: fernando(_at_)gont(_dot_)com(_dot_)ar || fgont(_at_)acm(_dot_)org
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf