The IESG has approved the following document: - 'Security Attacks Found Against SCTP and Current Countermeasures ' <draft-ietf-tsvwg-sctpthreat-05.txt> as an Informational RFC This document is the product of the Transport Area Working Group. The IESG contact persons are Lars Eggert and Magnus Westerlund. A URL of this Internet-Draft is: http://www.ietf.org/internet-drafts/draft-ietf-tsvwg-sctpthreat-05.txt Technical Summary The Stream Control Transmission Protocol defined in RFC 2960 is a multi-homed transport protocol. As such, unique security threats exists that are addressed in various ways within the protocol itself. This document attempts to detail the known security threats and their countermeasures as detailed in the current version of the SCTP Implementers guide RFC 4460. Working Group Summary There is strong consensus in the WG to publish this document. It has been reviewed by several people in the WG last call. Comments raised has been addressed. Protocol Quality This is not a protocol document, therefore there are no implementations of what this document offers. Personnel James Polk (jmpolk@cisco.com) is the document Shepherd. Lars Eggert (lars.eggert@nokia.com) is the responsible Area Director. Note to RFC Editor Note: This document assumes that draft-ietf-tsvwg-2960bis will be assigned the RFC number 4960 that has been reserved for it. If that for some reason won't happen, parts of the text need to be adjusted. Section 1., paragraph 1: OLD: using techniques from the SCTP Specification Errata and Issues memo ([RFC4460]). These techniques are included in ^^^^^^^^^^^ NEW: using techniques from the SCTP Specification Errata and Issues memo [RFC4460]. These techniques are included in ^^^^^^^^^ Section 1., paragraph 2: OLD: This work and some of the changes that went into the [RFC4460] and ^^^ [I-D.ietf-tsvwg-2960bis] are much indebted to the paper on potential SCTP security risks Effects [effects] by Aura, Nikander and ^^^^^^^^^^^^^^^^^ NEW: This work and some of the changes that went into [RFC4460] and ^ [I-D.ietf-tsvwg-2960bis] are much indebted to the paper on potential SCTP security risks [EFFECTS] by Aura, Nikander and ^^^^^^^^^ Section 1., paragraph 3: OLD: that were illustrated in Effects [effects] and detail what ^^^^^^^^^^^^^^^^^ NEW: that were illustrated in [EFFECTS] and detail what ^^^^^^^^^ Section 2.2., paragraph 1: OLD: were made in the BSD implementation that are now present in the ^^^ [I-D.ietf-tsvwg-2960bis]. In close examination, this attack depends NEW: were made in the BSD implementation that are now present in ^ [I-D.ietf-tsvwg-2960bis]. In close examination, this attack depends Section 3., paragraph 1: OLD: However with the addition of the [I-D.ietf-tsvwg-addip-sctp] extension to SCTP an endpoint that is NOT a man-in-the-middle may be able to assume another endpoints association. NEW: However, with the addition of the SCTP extension specified in [I-D.ietf-tsvwg-addip-sctp], an endpoint that is NOT a man-in-the-middle may be able to assume another endpoints association. Section 3.2., paragraph 2: OLD: 1) Both endpoints must support the [I-D.ietf-tsvwg-addip-sctp] extension. NEW: 1) Both endpoints must support the SCTP extension specified in [I-D.ietf-tsvwg-addip-sctp]. Section 3.2., paragraph 3: OLD: 2) One of the endpoints must be using the [I-D.ietf-tsvwg-addip-sctp] extension for mobility. NEW: 2) One of the endpoints must be using the SCTP extension for mobility specified in [I-D.ietf-tsvwg-addip-sctp]. Section 3.3., paragraph 1: OLD: this attack. Furthermore the use of the [I-D.ietf-tsvwg-addip-sctp] extensions requires the use of the authentication mechanism defined in [I-D.ietf-tsvwg-sctp-auth]. NEW: this attack. Furthermore, use of the SCTP extension specified in [I-D.ietf-tsvwg-addip-sctp] requires the use of the authentication mechanism defined in [I-D.ietf-tsvwg-sctp-auth]. Section 13.2., paragraph 1: OLD: [effects] Aura, T., Nikander, P., and G. Camarillo, "Effects of ^^^^^^^^^ NEW: [EFFECTS] Aura, T., Nikander, P., and G. Camarillo, "Effects of ^^^^^^^^^ _______________________________________________ IETF-Announce@ietf.org https://www1.ietf.org/mailman/listinfo/ietf-announce
