On Wed, 1 Oct 2008 22:12:17 -0400
"Steven M. Bellovin" <smb(_at_)cs(_dot_)columbia(_dot_)edu> wrote:
Steven> Note 7.3.1 on
Steven> TCP considerations. (Also note that 7.3.1 disagrees
Steven> with 793 on the treatment of security labels in section
Steven> 3.6 of 793. At the least, this should be noted.)
I had completely missed this. I'll call out the section to the
transport ADs.
I should have added: I think the new document is in fact more correct
than 793 -- the 793 scheme would permit various forms of
high-bandwidth covert channels to be set up. This is an issue that
was not nearly that well understood when 793 was written. That said,
it is a change to TCP, and needs to be treated as such.
Thinking further -- I suspect that the right thing to do here is for
someone to write a short, simple draft amending 793 -- its handling of
the security option is simply wrong, independent of this draft. I
wonder -- what TCPs actually implement even 793? NetBSD doesn't; I
strongly suspect that no BSDs do. Does Solaris? Linux?
--Steve Bellovin, http://www.cs.columbia.edu/~smb
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf