Re: [Last-Call] [Tsv-art] Tsvart last call review of draft-gont-numeric-ids-sec-considerations-09

FWIW, I disagree with the premise of the document as stated in the abstract:

   Poor selection of transient numerical identifiers in protocols such
   as the TCP/IP suite has historically led to a number of attacks on
   implementations

IMO, the expectation that a protocol without any security should be resistant to attacks is incorrect.

This document, and others like it, raise the effort of implementing protocols that are not expected to be secure and only serve to increase implementation complexity and operational overhead when they are properly secured - e.g., in the case of TCP identifiers, as when running inside IPsec tunnels.

We need to cease trying to imply that protocols should be resistant to attacks unless explicitly designed so. Simply picking these identifiers a different way is NOT security and we should stop trying to propagate any myth otherwise.

Joe

Dr. Joe Touch, temporal epistemologist
www.strayalpha.com

On Jan 9, 2023, at 12:55 PM, Michael Tüxen via Datatracker <noreply@xxxxxxxx> wrote:

Reviewer: Michael Tüxen
Review result: Ready with Nits

This document has been reviewed as part of the transport area review team's
ongoing effort to review key IETF documents. These comments were written
primarily for the transport area directors, but are copied to the document's
authors and WG to allow them to address any issues raised and also to the IETF
discussion list for information.

When done at the time of IETF Last Call, the authors should consider this
review as part of the last-call comments they receive. Please always CC
tsv-art@xxxxxxxx if you reply to or forward this review.

I have one point which is more than a nit, but not really an issue:

For some transport protocols transient numeric identifiers are covered
by encryption (like in the QUIC case), sometimes they are not (like in
the TCP case), sometimes it depends on the lower layer (like in the
SCTP/IP versus SCTP/DTLS/UDP case). The introduction discusses that
just encrypting the transient numeric identifiers does not solve all
issues.
Readers might focus on Section 5 and not read the whole document.
Therefore, it would be good if Section 5 would also mention that
considerations for transient numeric identifiers have to be made even
in the case where the transient numeric identifiers are protected
by encryption.


_______________________________________________
Tsv-art mailing list
Tsv-art@xxxxxxxx
https://www.ietf.org/mailman/listinfo/tsv-art

-- 
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call
