> On Dec 9, 2020, at 4:14 PM, Benjamin Kaduk <kaduk@xxxxxxx> wrote:
>
> Hi Russ,
>
> Thanks for the comments.
>
> On Wed, Dec 09, 2020 at 04:09:07PM -0500, Russ Housley wrote:
>> I have two comments.
>>
>> 1) I do not see this document as a BCP. Despite the inclusion of the boilerplate, there is not a single MUST in the document. I have no objection to an Informational RFC.
>
> The assumption/expectation was that this would become part of BCP 72 along
> with RFC 3552. Do you think it should be a standalone document, or can you
> propose normative language that would make it more appropriate as a BCP?

I'd advise an Informational document. I think an additional section with normative text would be needed or additional normative paragraphs after each of the problem descriptions would be needed.

>
>> 2) The document is really about transient identifiers. It does not only apply to ones that are numeric.
>
> That's probably true. Numeric identifiers have some additional
> properties/structure that have specific considerations, but the core
> concerns do apply to non-numeric identifiers as well. (Proposed text would
> be wonderful, of course.)

I looked at several sentences, and I think that just dropping "numeric" is a fine solution.

Russ

>
> Thanks again,
>
> Ben
>
>>
>>> On Dec 7, 2020, at 10:08 AM, The IESG <iesg-secretary@xxxxxxxx> wrote:
>>>
>>>
>>> The IESG has received a request from an individual submitter to consider the
>>> following document: - 'Security Considerations for Transient Numeric
>>> Identifiers Employed in
>>> Network Protocols'
>>> <draft-gont-numeric-ids-sec-considerations-06.txt> as Best Current Practice
>>>
>>> The IESG plans to make a decision in the next few weeks, and solicits final
>>> comments on this action. Please send substantive comments to the
>>> last-call@xxxxxxxx mailing lists by 2021-01-04. Exceptionally, comments may
>>> be sent to iesg@xxxxxxxx instead. In either case, please retain the beginning
>>> of the Subject line to allow automated sorting.
>>>
>>> Abstract
>>>
>>>
>>> Poor selection of transient numerical identifiers in protocols such
>>> as the TCP/IP suite has historically led to a number of attacks on
>>> implementations, ranging from Denial of Service (DoS) to data
>>> injection and information leakage that can be exploited by pervasive
>>> monitoring. To prevent such flaws in future protocols and
>>> implementations, this document updates RFC 3552, requiring future
>>> RFCs to contain analysis of the security and privacy properties of
>>> any transient numeric identifiers specified by the protocol.
>>
>> --
>> last-call mailing list
>> last-call@xxxxxxxx
>> https://www.ietf.org/mailman/listinfo/last-call