Re: [conex] Stephen Farrell's No Objection on draft-ietf-conex-tcp-modifications-09: (with COMMENT)

Mirja Kühlewind <> Fri, 09 October 2015 09:44 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 4E2761B3238; Fri, 9 Oct 2015 02:44:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -3.91
X-Spam-Status: No, score=-3.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_MED=-2.3, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id BvIVJ5MXtVjE; Fri, 9 Oct 2015 02:44:38 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id EF0FF1B3235; Fri, 9 Oct 2015 02:44:34 -0700 (PDT)
Received: from localhost (localhost []) by (Postfix) with ESMTP id E580FD9305; Fri, 9 Oct 2015 11:44:32 +0200 (MEST)
X-Virus-Scanned: by amavisd-new on
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with LMTP id HYdZGKvAqKX6; Fri, 9 Oct 2015 11:44:32 +0200 (MEST)
Received: from [] ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: mirjak) by (Postfix) with ESMTPSA id 9C8B8D9304; Fri, 9 Oct 2015 11:44:32 +0200 (MEST)
To: Stephen Farrell <>, The IESG <>
References: <>
From: =?UTF-8?Q?Mirja_K=c3=bchlewind?= <>
Message-ID: <>
Date: Fri, 9 Oct 2015 11:43:55 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.3.0
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: <>
Subject: Re: [conex] Stephen Farrell's No Objection on draft-ietf-conex-tcp-modifications-09: (with COMMENT)
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Congestion Exposure working group discussion list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 09 Oct 2015 09:44:40 -0000

Hi Stephan,

quick reply to you comment below. The two points below are discussed in 
draft-ietf-conex-destopt as ConEx is signaled in the IP layer and the attacks 
would (from my point of view) only interfere with the signaling (and not any 
additional algorithms that are used in TCP to decide when to set a marking).

draft-ietf-conex-destopt even has an own section on "Mitigating flooding 
attacks by using preferential drop". I guess that's what you've been looking 
for, right?

Further, draft-ietf-conex-destopt says in the security section that IPsec AH 
can be used to detect changes to ConEx information. Actually it does not say 
what to do if such changes are detected. I'll check with my co-authors if we 
can add some more information here.

Regarding draft-ietf-conex-tcp-modifications, I've added two sentences at the 
beginning of the security section to say that these issues are discussed in 
draft-ietf-conex-destopt. Is that okay for you?


On 01.10.2015 13:56, Stephen Farrell wrote:
> Stephen Farrell has entered the following ballot position for
> draft-ietf-conex-tcp-modifications-09: No Objection
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
> Please refer to
> for more information about IESG DISCUSS and COMMENT positions.
> The document, along with other ballot positions, can be found here:
> ----------------------------------------------------------------------
> ----------------------------------------------------------------------
> Seems like a fine thing to experiment with. I hope the results
> are interesting.
> The security considerations really ought take into account or at
> least mention potential misbehaviour by middleboxes and also how
> conex might be affected by DoS attacks.