On 02/02/2011 02:38 p.m., Joe Touch wrote:
>>> ?INT? This section is, IMO, odd; IP address never meant physical
>>> location anyway, and tunnels obviate that meaning regardless of the
>>> impact of NATs or other sharing techniques.
>>
>> Agreed. But geo-location is nevertheless widely used for marketing
>> purposes.
>
> Agreed, but whether it works now is arbitrary; it's not a design
> consideration of the protocols.

Well, the protocols were not designed for production networks, either.

FWIW, geo-location is currently used, and it would be affected by increased use of NATs.

> At the least, it's worth noting that geolocation is already broken by
> tunnels, and that IP addressing does not ensure geographic proximity
> before attributing breakage on NATs or other sharing.

Tunnels need not break geo-location. -- They do not masquerade the source address. Or am I missing something?

And, FWIW, I agree that usually lots of breakage is attributed to NATs, where the brokenness is really somewhere else (e.g., app protocols passing IP addresses).

>>>> 13.4. Port Randomisation
>>> ...
>>>> It should be noted that guessing the port information may not be
>>>> sufficient to carry out a successful blind attack. The exact TCP
>>>> Sequence Number (SN) should also be known.
>>>
>>> There are data injection attacks that are possible even without knowing
>>> the exact SN.
>>
>> draft-ietf-tcpm-tcp-security may be of use here.
>
> rfc5961 is already published and describes the issue in specific, and
> may be more useful as a reference for this.

I disagree. It discusses only TCP-based attacks (there are many other vectors). If you want an alternative "published" reference, here it is:
http://www.cpni.gov.uk/Docs/tn-03-09-security-assessment-TCP.pdf

However, it's up to the authors to include this or other references -- I just noted the tcp assessment doc for completeness' sake.
Thanks,
--
Fernando Gont
e-mail: fernando@xxxxxxxxxxx || fgont@xxxxxxx
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1

_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf
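The port-randomisation exchange above turns on two facts: a blind, off-path attacker has to guess the client's ephemeral port as well as a sequence number, and (as Joe notes) it does not need the exact SN, only one that the receiver's classic in-window test accepts. The following is an added, constructed simulation written for this page; it is not code from the thread, from the draft under discussion, or from any RFC. It assumes the pre-RFC 5961 acceptance rule (SEQ in [RCV.NXT, RCV.NXT + RCV.WND), with 32-bit wraparound), an attacker that sweeps candidate ports in order and sends one segment per window-sized slice of the sequence space for each port, and uniformly distributed victim port and RCV.NXT. The ephemeral range 32768-60999 in the demo is an assumed Linux default; other stacks differ.

```python
"""Blind TCP injection work factor: guessing the port on top of the sequence number.

Constructed example for the port-randomisation discussion; not code from the
thread, the draft, or any RFC. Assumptions (also marked inline): classic
in-window acceptance, an attacker sweeping ports then window-sized SEQ slices,
and uniformly random victim port and RCV.NXT.
"""
import math
import random

SEQ_SPACE = 2 ** 32


def segment_accepted(seq, rcv_nxt, window):
    """Classic in-window test with 32-bit wraparound. Any SEQ inside the
    window is accepted, so a blind attacker needs a value *in* the window,
    not the exact sequence number."""
    return (seq - rcv_nxt) % SEQ_SPACE < window


def probes_per_port(window):
    """Segments needed to put one SEQ into every window-sized slice of the
    32-bit space, i.e. to guarantee a hit once the port guess is right."""
    return math.ceil(SEQ_SPACE / window)


def attempts_needed(port_lo, port_hi, window, victim_port, rcv_nxt):
    """Segments sent before the first one is accepted, for a victim using
    victim_port in [port_lo, port_hi) with receiver state rcv_nxt.
    Sweep order: port by port; within a port, SEQ = s * window for s = 0, 1, ...
    Computed in closed form instead of looping 2^32/window times."""
    if not port_lo <= victim_port < port_hi:
        raise ValueError("victim port outside the range the attacker sweeps")
    steps = probes_per_port(window)
    if segment_accepted(0, rcv_nxt, window):
        s = 0                              # rcv_nxt sits near 2^32: SEQ 0 wraps into the window
    else:
        s = math.ceil(rcv_nxt / window)    # first multiple of the window at or above rcv_nxt
    assert s < steps and segment_accepted(s * window, rcv_nxt, window)
    return (victim_port - port_lo) * steps + s + 1


def expected_attempts(n_ports, window):
    """Mean of attempts_needed over a uniform victim port and RCV.NXT: the
    hit position is roughly uniform over the n_ports * probes_per_port
    sweep, so the mean is about half the total search space."""
    return (n_ports * probes_per_port(window) + 1) / 2


def mean_attempts(port_lo, port_hi, window, trials, seed=0):
    """Monte Carlo check of expected_attempts with a seeded RNG."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        victim_port = rng.randrange(port_lo, port_hi)
        rcv_nxt = rng.randrange(SEQ_SPACE)
        total += attempts_needed(port_lo, port_hi, window, victim_port, rcv_nxt)
    return total / trials


if __name__ == "__main__":
    window = 65535                        # a common RCV.WND without window scaling
    ephemeral = range(32768, 61000)       # assumed Linux default ephemeral range
    known_port = expected_attempts(1, window)                # predictable port
    random_port = expected_attempts(len(ephemeral), window)  # randomised port
    print(f"port known:      ~{known_port:,.0f} segments")
    print(f"port randomised: ~{random_port:,.0f} segments "
          f"({random_port / known_port:,.0f}x more)")
    print(f"simulated mean:  ~{mean_attempts(32768, 61000, window, 2000):,.0f}")
```

The point the simulation makes concrete is the multiplicative effect: with a predictable port the attacker's expected cost is roughly half of 2^32/window segments, and randomising the port over an ephemeral range of n ports multiplies that by about n. Shrinking the window, or tightening the acceptance test as later mitigations do, attacks the other factor; the two are independent knobs.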