Re: [Last-Call] Last Call: <draft-gont-numeric-ids-sec-considerations-06.txt> (Security Considerations for Transient Numeric Identifiers Employed in Network Protocols) to Best Current Practice

Hi Russ,

Thanks for the comments.

On Wed, Dec 09, 2020 at 04:09:07PM -0500, Russ Housley wrote:
> I have two comments.
> 
> 1) I do not see this document as a BCP.  Despite the inclusion of the boilerplate, there is not a single MUST in the document.  I have no objection to an Informational RFC.

The assumption/expectation was that this would become part of BCP 72 along
with RFC 3552.  Do you think it should be a standalone document, or can you
propose normative language that would make it more appropriate as a BCP?

> 2) The document is really about transient identifiers.  It does not only apply to ones that are numeric.

That's probably true.  Numeric identifiers have some additional
properties/structure that have specific considerations, but the core
concerns do apply to non-numeric identifiers as well.  (Proposed text would
be wonderful, of course.)

Thanks again,

Ben

> 
> > On Dec 7, 2020, at 10:08 AM, The IESG <iesg-secretary@xxxxxxxx> wrote:
> > 
> > 
> > The IESG has received a request from an individual submitter to consider the
> > following document: - 'Security Considerations for Transient Numeric
> > Identifiers Employed in
> >   Network Protocols'
> >  <draft-gont-numeric-ids-sec-considerations-06.txt> as Best Current Practice
> > 
> > The IESG plans to make a decision in the next few weeks, and solicits final
> > comments on this action. Please send substantive comments to the
> > last-call@xxxxxxxx mailing lists by 2021-01-04. Exceptionally, comments may
> > be sent to iesg@xxxxxxxx instead. In either case, please retain the beginning
> > of the Subject line to allow automated sorting.
> > 
> > Abstract
> > 
> > 
> >   Poor selection of transient numerical identifiers in protocols such
> >   as the TCP/IP suite has historically led to a number of attacks on
> >   implementations, ranging from Denial of Service (DoS) to data
> >   injection and information leakage that can be exploited by pervasive
> >   monitoring.  To prevent such flaws in future protocols and
> >   implementations, this document updates RFC 3552, requiring future
> >   RFCs to contain analysis of the security and privacy properties of
> >   any transient numeric identifiers specified by the protocol.
> 
> -- 
> last-call mailing list
> last-call@xxxxxxxx
> https://www.ietf.org/mailman/listinfo/last-call
