
Re: Fwd: Security Assessment of the Transmission Control Protocol (TCP)

2009-02-14 10:27:53
Joel Jaeggli wrote:
Keith Moore wrote:
Marshall Eubanks wrote:
If I am reading this correctly the UK Centre for the Protection of
National Infrastructure
wants the IETF (or some other body) to produce a "companion document to
the IETF specifications that discusses the security aspects and
implications of the protocols, identifies the existing vulnerabilities,
discusses the possible countermeasures, and analyses their respective
effectiveness."

It's difficult to imagine that these things could be adequately captured
in a static document, for TCP or any other protocol, because new threats
and countermeasures continue to be identified decades after the base
protocol is well-settled.  Maybe something like an expanded version of
the RFC Editor's errata pages would be more appropriate?

One might imagine an informational document which was routinely
obsoleted by future iterations.

Unfortunately this isn't new information - the liabilities of IP have been well identified and understood for years like the BGP4 flap as well.

What the IETF still seems to fail to grasp is that it is responsible for its actions so its not taking security and the ability to produce reliable evidence of anything over a network transport are key factors and need to be built into any IETF endorsement that is issued in the form of a standard or standards-track effort.

I also would suggest that the IETF be willing to support other protocols besides IP based - hell XNS was way more secure than IP is by its very design.

It's not that TCP/IP is bad - it's just that it wasn't designed as an evidentiary-grade data transport and that is nowadays a real issue.

Keeping it tractable is a product of
necessarily limiting the scope.

I don't think so. Building an analysis scope which is defined to meet the evidence needs today would address this requirement and only need to be updated periodically to meet those changing evidence models.
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf


