On Wed, 1 Oct 2008 22:12:17 -0400 "Steven M. Bellovin" <smb@xxxxxxxxxxxxxxx> wrote:

> > Steven> Note 7.3.1 on
> > Steven> TCP considerations. (Also note that 7.3.1 disagrees
> > Steven> with 793 on the treatment of security labels in section
> > Steven> 3.6 of 793. At the least, this should be noted.
> >
> > I had completely missed this. I'll call out the section to the
> > transport ADs
>
> I should have added: I think the new document is in fact more correct
> than 793 -- the 793 scheme would permit various forms of
> high-bandwidth covert channels to be set up. This is an issue that
> was not nearly that well understood when 793 was written. That said,
> it is a change to TCP, and needs to be treated as such.
>
Thinking further -- I suspect that the right thing to do here is for
someone to write a short, simple draft amending 793 -- its handling of
the security option is simply wrong, independent of this draft.

I wonder -- what TCPs actually implement even 793? NetBSD doesn't; I
strongly suspect that no BSDs do. Does Solaris? Linux?

--Steve Bellovin, http://www.cs.columbia.edu/~smb