Hi Robert,
If you (and others) think that "visual attack" is a better phrasing, I'd be happy to change "visual spoofing" to "visual attacks" in the security section.
Kind regards,
Job
On Mon, 8 May 2017 at 22:39, Robert Raszuk <robert@xxxxxxxxxx> wrote:
Then this is not "visual spoofing" ... you are just protecting from forms of "visual attacks"Best,R.On Mon, May 8, 2017 at 10:36 PM, Job Snijders <job@xxxxxxx> wrote:Hi Robert,The reference is to a different type of visual spoofing. The idea was to limit the string length to prevent spoofing of additional syslog messages or other fake cli output.We already covered the extensibility aspect in the working group.Kind regards,JobOn Mon, 8 May 2017 at 22:28, Robert Raszuk <robert@xxxxxxxxxx> wrote:Hi Job,Assuming that by "visual spoofing" you really mean this: http://websec.github.io/unicode-security-guide/visual-spoofing/ how does limiting the length of the field helps to minimize it ?It is UTF which is a problem here regardless of the length.Ok so we leave 129-255 for further use .. brilliant. Assume someone comes tomorrow and has a great use case for sending one byte of information in the cease. So he defines length 129 right ? And even if operator did not type anything for the "shutdown case" ... first 128 bytes goes empty, then goes one newly defined octet. Is this really how protocol encoding should be done in 2017 ? Is concept of TLV so complex ?Cheers,R.On Mon, May 8, 2017 at 9:46 PM, Job Snijders <job@xxxxxxx> wrote:On Mon, 8 May 2017 at 21:36, Enke Chen <enkechen@xxxxxxxxx> wrote:I understand this is not a good use of time. But since it is in the
spec, I would like to understand the reasons. If there are good reasons
for doing things differently, then they should be documented in the spec
so that people do not question again.In the security section: "This specification minimizes the effects of visual spoofing by limiting the length of the Shutdown Communication."On 5/8/17 12:13 PM, Jakob Heitz (jheitz) wrote:
> It is deliberately kept short to minimize the potential for abuse.
128 is ok, and 129- 255 would be considered abuse?Those are an error according to the draft.Kind regards,Job_______________________________________________
Idr mailing list
Idr@xxxxxxxx
https://www.ietf.org/mailman/listinfo/idr