Smith, Donald wrote:
>>>> Please talk to vendors. I don't want to reproduce here what seems to
>>>> be the consensus among vendors with respect to the current
>>>> state of affairs in terms of how up-to-date our specs are.
> I talk to vendors a lot. I don't think there is a consensus on the
> "how up-to-date our specs are".

The consensus seems to be that the current state of affairs is something like: "a mess". Even if you do care to produce a resilient implementation, that task is going to be much harder than necessary. You don't know the amount of cycles we spent in producing draft-gont-tcp-security.... let alone the time it would take to move the advice into an actual implementation.

> I can't even get a straight answer on how they addressed the
> icmp-blind resets or the tcp-blind resets from several years ago.
> There were several possible mitigations with some trade-offs on each
> of them. Yet finding out how your favorite vendor addressed those is
> likely to be difficult.

In many cases the lack of a straight answer may have to do with us being unable to get to consensus and get something published in a timely fashion. E.g., the last round on ICMP attacks against TCP was circa 2004. At that point an I-D was published on the subject (now draft-ietf-tcpm-icmp-attacks). Yet we're still nitpicking on it, when everybody did something about it five years ago.

It becomes harder to get a straight answer when it's impossible for a vendor to point to a counter-measure that is supposed to be the result of a thorough review process, in a *timely* fashion.

I'm aware there's an effort in the vendor community to improve the resiliency of TCP based on the document published by UK CPNI. Yet we're still debating whether to ignore it or not.... maybe so that we can publish an RFC in the future tagging those implementations as non-compliant... or maybe to allow TCP vulnerabilities to be "rediscovered" every few years.

Thanks!
Kind regards,
-- 
Fernando Gont
e-mail: fernando@xxxxxxxxxxx || fgont@xxxxxxx
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1

_______________________________________________
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf