Joe Touch wrote:

> I'm not at all clear that the WG needs this document.

Yes, we still have the option to ignore that vendors have had to figure out by themselves how to produce a resilient implementation of TCP, because the current IETF advice regarding these issues is close to null. So we had tcp-secure in 2004, icmp-attacks in 2005, a claim for a trivial attack in 2008 (Outpost24/CERT-FI), and we'll probably continue in this line, because we do nothing about it.

> It summarizes issues already raised by the WG,

I believe this statement is unfair with respect to our document. E.g., have the issues described in Section 4.3, Section 9.2, or Section 10 been brought to tcpm before???

> and makes recommendations (IMO) in
> excess of what the WG has agreed upon for general use.
>
> TCP itself is not a secure protocol, nor is it intended to be.

Yeah. But that does not mean that we should not do our best to improve it.

Please talk to vendors. I don't want to reproduce here what seems to be the consensus among vendors with respect to the current state of affairs in terms of how up-to-date our specs are.

Please let me know which implementations do not aim at doing this. If you know of any, please produce a fingerprint for nmap, and post an announcement to bugtraq/full-disclosure. The ecosystem will probably do the rest to get them updated.

> IMO, if there are operational issues with deploying TCP in environments
> under attack, that is an OPSEC issue.

Yeah... problems with deploying it in the current Internet....

If tcpm agreed that opsec would be a better venue for this document, I'll be glad to pursue this effort there. At this point, tcpm and opsec are two possible options, with no preference for either of the two.

Kind regards,

--
Fernando Gont
e-mail: fernando@xxxxxxxxxxx || fgont@xxxxxxx
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1