
Re: [tcpm] draft-gont-tcp-security

2009-04-13 14:32:04
Joe Touch wrote:

> I'm not at all clear that the WG needs this document.

Yes, we still have the option to ignore that vendors have had to figure
out by themselves how to produce a resilient implementation of TCP,
because the current IETF advice regarding these issues is close to null.

So we had tcp-secure in 2004, icmp-attacks in 2005, a claim for a
trivial attack in 2008 (Outpost24/CERT-FI), and we'll probably continue
in this line, because we do nothing about it.


> It summarizes issues already raised by the WG,

I believe this statement is unfair with respect to our document. E.g.,
have the issues described in Section 4.3, Section 9.2, or Section 10 been
brought to tcpm before???



> and makes recommendations (IMO) in
> excess of what the WG has agreed upon for general use.
>
> TCP itself is not a secure protocol, nor is it intended to be.

Yeah. But that does not mean that we should not do our best to improve
it. Please talk to vendors. I don't want to reproduce here what seems to
be the consensus among vendors with respect to the current state of
affairs in terms of how up-to-date our specs are.

Please let me know which implementations do not aim at doing this. If
you know of any, please produce a fingerprint for nmap, and post an
announcement to bugtraq/full-disclosure. The ecosystem will probably do
the rest to get them updated.



> IMO, if there are operational issues with deploying TCP in environments
> under attack, that is an OPSEC issue.

Yeah... problems with deploying it in the current Internet....

If tcpm agreed that opsec will be a better venue for this document, I'll
be glad to pursue this effort there. At this point, tcpm and opsec are
two possible options, with no preference for either of the two.

Kind regards,
-- 
Fernando Gont
e-mail: fernando(_at_)gont(_dot_)com(_dot_)ar || fgont(_at_)acm(_dot_)org
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1



