[Last-Call] Secdir last call review of draft-ietf-tcpm-rfc8312bis-14

Reviewer: Yoav Nir
Review result: Has Nits

This document is a renewal of RFC 8312 in order to progress in the standards
track.  The document fixes some language and revises the authors, but
significantly describes the standard as something that has already been adopted
and implemented in multiple popular operating systems.

The security considerations section is very brief, and reads as follows:

CUBIC makes no changes to the underlying security of TCP. More information
about TCP security concerns can be found in [RFC5681].

This is a claim, which I believe to be true, but it also should be
substantiated. Specifically, changing the window computation on the sender may
allow an attacker, through dropping or injecting ACKs (a practice described in
RFC 5681), to either force the CUBIC implementation to reduce its bandwidth, or
to convince it that there is no congestion when congestion does exist, and use
the CUBIC implementation as an attack vector against other hosts. Of course,
these attacks are only interesting if they give the attacker some significant
power not afforded by plain old TCP.

So why is this a nit? Because I believe this is the case, and all I'm missing
is a statement that it is so.


-- 
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call


