Inline...

> Given that this is opsec and that my major concern is the network elements
> I am much more concerned about "off-path" or "blind attacks" than direct attacks.
> Customers generally don't attack the router they are connected to.
> Peers generally don't attack the router they are connected to.

Some routers are on shared-access media. Other routers are connected across unsecured network elements - e.g., to network management components, etc. On-path doesn't mean directly connected on one hop - it includes the entire path.

...

>> > I *know* that the only way to secure a protocol is to throw
>> > crypto at it.
>
> Now I think I understand what you mean by secure.
> I don't agree with your opinion. For example SSL is a form of encryption
> but has done little to secure http as sites have trained customers to ignore cert errors.
> Banks put lock bitmaps on their pages to show how "safe" they are.
> Phishers depend on this user confusion!

Mechanism cannot compensate for users that ignore it.

>> > I also *know* that unexpected packets are *not* indications
>> > of attacks.
>
> In the router world packets destined towards my routers that are
> "unexpected" are often an indication of attack or a misconfigured
> system. Either can cause problems for the network, and blocking it
> TOWARDS the router is a BCP.

I'm talking about expectations within a TCP connection, or about the establishment of TCP connections. This doc addresses TCP, not the Internet in general.

Joe