Hi,
<all hats off>
On 2009-4-14, at 1:38, Joe Touch wrote:
Advice in making a hardened version of TCP would be useful to the
implementation community.
To a large extent this is what draft-gont-tcp-security is about.
Implementation advice is outside the scope of the IETF. It's not even
operational, IMO.
I do believe there is value in having a document that would inform a
stack vendor of various potential attack vectors against a TCP stack
and what techniques exist to harden their stacks.
I agree with Joe that some of the hardening techniques that vendors
are implementing come with consequences (make TCP more brittle). To
me, this is a *reason* this document should be published via the IETF
(i.e., TCPM) - we are probably in the best position to correctly
evaluate and classify the impact of various hardening techniques.
Stack vendors have been putting these mechanisms in to their stacks
without clear specifications and discussions of the potential upsides
and downsides that would let them make an educated decision. It seems
clear to me that the vendor community is looking for guidance here,
and I do believe the IETF should give it.
Yes, there is a fine line here, where some of the hardening techniques
introduce some new assumptions on what the segment flow of a valid
connection looks like, etc. It will be important to accurately
describe the downsides of some of these techniques, especially where
they could result in valid connections being dropped.
Lars
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf