Re: TSVDIR review of draft-ietf-intarea-shared-addressing-issues-02

2011-02-02 02:04:58
On 01/02/2011 10:35 p.m., Joe Touch wrote:

>>    Over the long term, deploying IPv6 is the only way to ease pressure
>>    on the public IPv4 address pool and thereby mitigate the need for
>>    address sharing mechanisms that give rise to the issues identified
>>    herein.
>
> ?? This sentence is misleading. Clearly address sharing eases pressure
> too, but has caveats. It should be revised to be more clear about the
> options available.

+1



>> ...
>> 7.  Geo-location and Geo-proximity
>
> ?INT? This section is, IMO, odd; IP address never meant physical
> location anyway, and tunnels obviate that meaning regardless of the
> impact of NATs or other sharing techniques.

Agreed. But geo-location is nevertheless widely used for marketing purposes.



>> 13.4.  Port Randomisation
>> ...
>>    It should be noted that guessing the port information may not be
>>    sufficient to carry out a successful blind attack.  The exact TCP
>>    Sequence Number (SN) should also be known.

There are data injection attacks that are possible even without knowing
the exact SN.

draft-ietf-tcpm-tcp-security may be of use here.



> Further, port randomization is just one way to protect a connection
> (another includes timestamp verification, as noted in RFC4953).

RFC4953 is a little bit vague in this respect. It talks about an
"accepted window". However, as far as the current specs are concerned,
the "accepted window" is half the timestamp space: i.e., you need to
forge, at most, two different timestamp values. It also mentions that
timestamps may be easily predictable. However, this does not need to be
the case (see e.g., draft-gont-timestamps-generation).

Thanks!

Best regards,
-- 
Fernando Gont
e-mail: fernando(_at_)gont(_dot_)com(_dot_)ar || fgont(_at_)acm(_dot_)org
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
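As an added example (this code is not part of the message above, nor of any of the drafts or RFCs it cites), the two acceptance checks the thread argues about, written out so the "half the timestamp space" point and the "no need for the exact SN" point can be checked numerically. The function names, the ephemeral-port count (1024-65535 per RFC 6056, i.e. 64512 ports) and the window sizes are assumptions chosen for illustration; the timestamp check follows the PAWS rule in RFC 1323/7323 (reject only if SEG.TSval is "less than" TS.Recent in modular 32-bit arithmetic), and the sequence check is the usual RCV.NXT <= SEG.SEQ < RCV.NXT+RCV.WND test.

```python
# Added example (not from the e-mail or any IETF draft): the timestamp and
# sequence-number acceptance checks an off-path attacker has to satisfy.
# All numeric inputs below are constructed for illustration.

MOD = 1 << 32          # TCP sequence numbers and timestamps are 32-bit
HALF = 1 << 31         # half of the 32-bit space


def ts_acceptable(seg_tsval, ts_recent):
    """PAWS-style check (RFC 1323 / RFC 7323): a segment is rejected only
    if SEG.TSval is 'less than' TS.Recent in modular 32-bit arithmetic,
    i.e. the signed 32-bit difference is negative.  Equal values pass, so
    exactly half of the 2^32 possible TSvals are acceptable for any
    TS.Recent."""
    return (seg_tsval - ts_recent) % MOD < HALF


def forged_timestamps(guess):
    """Two TSval candidates 2^31 apart.  Whatever TS.Recent is, exactly one
    of them falls in the accepted half, so an attacker who cannot predict
    the peer's timestamp clock needs at most two tries per segment."""
    return (guess % MOD, (guess + HALF) % MOD)


def one_candidate_passes(guess, ts_recent):
    return any(ts_acceptable(c, ts_recent) for c in forged_timestamps(guess))


def two_timestamps_always_suffice(samples=4096):
    """Check the claim over a spread of TS.Recent values and guesses
    rather than a few hand-picked ones.  Returns True if it never fails."""
    step = MOD // samples
    for ts_recent in range(0, MOD, step):
        for guess in (0, 1, HALF - 1, HALF, MOD - 1, (ts_recent * 7 + 13) % MOD):
            if not one_candidate_passes(guess, ts_recent):
                return False
    return True


def seq_in_window(seg_seq, rcv_nxt, rcv_wnd):
    """In-window test for a data segment: acceptable if
    RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND, modulo 2^32.  The attacker does
    not need the exact SN, only one that lands inside the window."""
    return (seg_seq - rcv_nxt) % MOD < rcv_wnd


def sn_guesses_to_cover_space(rcv_wnd):
    """Evenly spaced SEG.SEQ guesses needed so that one is guaranteed to
    land inside a window of rcv_wnd bytes: ceil(2^32 / rcv_wnd).  With a
    64 KiB window that is 65536 guesses, not 2^32."""
    return -(-MOD // rcv_wnd)


def blind_injection_packets(port_space, rcv_wnd, ts_candidates=2):
    """Upper bound on spoofed segments an off-path attacker must send to
    hit one connection when it has to guess the client port (port_space
    possibilities), an in-window SN, and a TSval that passes PAWS."""
    return port_space * sn_guesses_to_cover_space(rcv_wnd) * ts_candidates


if __name__ == "__main__":
    print("two timestamps always suffice:", two_timestamps_always_suffice())
    # Constructed comparison: a fixed, guessable ephemeral port versus one
    # randomised over the 64512-port RFC 6056 range (assumed here).
    print("fixed port, 64 KiB window :", blind_injection_packets(1, 65536))
    print("random port, 64 KiB window:", blind_injection_packets(64512, 65536))
```

Two caveats a practitioner would want: the factor of two from timestamps only holds if the attacker cannot predict the peer's clock (a global, slowly ticking timestamp clock collapses it to one candidate, which is the predictability concern the reply raises), and port randomisation only multiplies the search space if the port cannot be learned by other means; the checks above model the search cost, not those side channels.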




_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf