Re: [Last-Call] Last Call: <draft-gont-numeric-ids-sec-considerations-06.txt> (Security Considerations for Transient Numeric Identifiers Employed in Network Protocols) to Best Current Practice

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Christian,

On 17/12/20 02:19, Christian Huitema wrote:
[....]
When you mentioned "sequence numbers", I thought that you were referring to packet sequence numbers.
Connection ID sequence numbers are something else entirely. The sequence numbers are used to manage the creation and release of the Connection ID objects. For a variety of protocol reasons, the connection ID sequence numbers must start at zero. 

I expect that "variety of reasons" to be in the protocol specification.
This is actually a great example of the kind of discussions that would arise if this draft was published. You lob these "connection ID sequence numbers" is the arbitrary category of "temporary identifiers", and start making generic statements about the need to apply some kind of randomization. 

Once more, you're misrepresenting what our document is saying.

Let's go through them once more:

*  1.  Clearly specify the interoperability requirements for the
       aforementioned identifiers (e.g., required properties such as
       uniqueness, along with the failure severity if such properties
       are not met).
This is largely unspecified for many of the QUIC numeric IDs. you claim "For a variety of protocol reasons, the connection ID sequence numbers must start at zero.". If that's needed, this requirement should be an explicit interoperability requirement, and the reasoning should be provided. 


*  2.  Provide a security and privacy analysis of the aforementioned
       identifiers.
This part is also missing. It might be the case that there are no implications. 


*  3.  Recommend an algorithm for generating the aforementioned
       identifiers that mitigates security and privacy issues, such as
       those discussed in [I-D.irtf-pearg-numeric-ids-generation].
If, while doing step #2, you find any issues, then you should recommend how to generate the IDs to mitigate the identified issues. Otherwise, you can use whatever algorithm you please, as long as it's clear why there are no implications. 

Thanks,
--
Fernando Gont
SI6 Networks
e-mail: fgont@xxxxxxxxxxxxxxx
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492




--
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call
[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Mhonarc]     [Fedora Users]

  Powered by Linux