>>>>> "Mark" == Mark Townsley <townsley@xxxxxxxxx> writes:

    Mark> Sam Hartman wrote:
    >> I notice that this transport provides no authentication of the
    >> data that is retrieved.
    >>
    >> The security considerations needs to discuss the potential
    >> attacks if an attacker modifies this public data. The security
    >> considerations section also needs to point to best practice for
    >> avoiding UDP reflection attacks. It is not good enough to say
    >> "Do what other people do."

s/reflection/amplification sorry

    Mark> " 1. If a request requires authentication, confidentiality,
    Mark> or other security, use another transfer protocol."

    Mark> It seems to me that the intent is to not provide
    Mark> authentication here. This seems more fundamental than a fix
    Mark> by reference.

Sure. What I'm asking for is that they explain what the consequences
of providing no authentication are. I'll then evaluate those
consequences and either conclude that authentication is not required
for this data for an Internet deployment or come back with another
comment that the security is inadequate. But the first step of
determining whether the security is adequate is to determine the risk.

_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf