Re: TSVDIR review of draft-ietf-intarea-shared-addressing-issues-02


 



On 01/02/2011 10:35 p.m., Joe Touch wrote:

>>    Over the long term, deploying IPv6 is the only way to ease pressure
>>    on the public IPv4 address pool and thereby mitigate the need for
>>    address sharing mechanisms that give rise to the issues identified
>>    herein.
> 
> ?? This sentence is misleading. Clearly address sharing eases pressure
> too, but has caveats. It should be revised to be more clear about the
> options available.

+1



> ...
>> 7.  Geo-location and Geo-proximity
> 
> ?INT? This section is, IMO, odd; IP address never meant physical
> location anyway, and tunnels obviate that meaning regardless of the
> impact of NATs or other sharing techniques.

Agreed. But geo-location is nevertheless widely used for marketing purposes.



>> 13.4.  Port Randomisation
> ...
>>    It should be noted that guessing the port information may not be
>>    sufficient to carry out a successful blind attack.   The exact TCP
>>    Sequence Number (SN) should also be known.
> 
> There are data injection attacks that are possible even without knowing
> the exact SN.

draft-ietf-tcpm-tcp-security may be of use here.



> Further, port randomization is just one way to protect a connection
> (another includes timestamp verification, as noted in RFC4953).

RFC4953 is a little bit vague in this respect. It talks about an
"accepted window". However, as far as the current specs are concerned,
the "accepted window" is half the timestamp space: i.e., you need to
forge, at most, two different timestamp values. It also mentions that
timestamps may be easily predictable. However, this does not need to be
the case (see e.g., draft-gont-timestamps-generation).

Thanks!

Best regards,
-- 
Fernando Gont
e-mail: fernando@xxxxxxxxxxx || fgont@xxxxxxx
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1




_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf
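The "half the timestamp space" observation in the message above, as an added illustration that is not code from the thread, from RFC 4953 or from any of the drafts mentioned. It assumes the RFC 1323 / RFC 7323 PAWS rule as I understand it: a segment is dropped when its TSval is "less than" TS.Recent under 32-bit modular (sequence-number style) comparison, so every value in the 2^31 range ahead of TS.Recent is accepted. Under that rule one forged TSval is accepted about half the time regardless of how the peer generates timestamps, and a forged pair X and X + 2^31 is always accepted by one of the two. All inputs are constructed; the function and variable names are my own.

```python
"""PAWS-style timestamp check and the "two forged values" observation.

Added illustration (not code from the thread or from any IETF document).
Assumes the RFC 1323/7323 PAWS rule: a segment is dropped when its TSval
is "less than" TS.Recent under 32-bit modular comparison, so everything
within 2^31 ahead of TS.Recent is accepted (the "accepted window").
"""
import random

MOD = 1 << 32    # 32-bit timestamp space
HALF = 1 << 31   # half of it: the accepted window


def ts_less(a, b):
    """32-bit modular 'a < b', as used for TCP sequence numbers and timestamps.

    a is 'less' than b when it lies in the half-space behind b, i.e.
    when (a - b) mod 2^32 falls in [2^31, 2^32).
    """
    return (a - b) % MOD >= HALF


def paws_accepts(tsval, ts_recent):
    """True if a segment carrying tsval passes PAWS against TS.Recent."""
    return not ts_less(tsval, ts_recent)


def forged_pair(guess):
    """The two TSval values an attacker would send for a single guess."""
    return (guess % MOD, (guess + HALF) % MOD)


def pair_covers(guess, ts_recent):
    """True if at least one value of forged_pair(guess) passes PAWS."""
    return any(paws_accepts(v, ts_recent) for v in forged_pair(guess))


def single_guess_hit_rate(guess, samples, seed=1):
    """Fraction of uniformly random TS.Recent values that accept one forged TSval.

    Deterministic for a given seed; the constructed TS.Recent values stand in
    for whatever timestamp scheme the peer uses (predictable or not).
    """
    rng = random.Random(seed)
    hits = sum(paws_accepts(guess, rng.randrange(MOD)) for _ in range(samples))
    return hits / samples


def check_pair_coverage(guess, samples, seed=2):
    """Check the two-value cover on random plus boundary TS.Recent values.

    Returns True if every tested TS.Recent accepts at least one of the pair.
    """
    rng = random.Random(seed)
    recents = [rng.randrange(MOD) for _ in range(samples)]
    # Boundary cases around the guess and around guess + 2^31.
    recents += [0, MOD - 1, guess, (guess + 1) % MOD, (guess - 1) % MOD,
                (guess + HALF) % MOD, (guess + HALF - 1) % MOD,
                (guess + HALF + 1) % MOD]
    return all(pair_covers(guess, r) for r in recents)


if __name__ == "__main__":
    g = 0x12345678  # constructed attacker guess
    print("single forged TSval hit rate:", single_guess_hit_rate(g, 100000))
    print("forged pair always covers:", check_pair_coverage(g, 100000))
```

The hit rate for a single guess is independent of the attacker's knowledge of the peer's clock, which is why unpredictable timestamp generation alone does not shrink this particular window; it only matters once the receiver enforces something tighter than the half-space PAWS comparison.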

