Re: TSVDIR review of draft-ietf-intarea-shared-addressing-issues-02

Fernando Gont <> Thu, 03 February 2011 01:02 UTC

Sender: Fernando Gont <>
Message-ID: <>
Date: Wed, 02 Feb 2011 22:04:51 -0300
From: Fernando Gont <>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv: Gecko/20100802 Thunderbird/3.1.2
MIME-Version: 1.0
To: Joe Touch <>
Subject: Re: TSVDIR review of draft-ietf-intarea-shared-addressing-issues-02
References: <> <> <>
In-Reply-To: <>
X-Enigmail-Version: 1.1.1
OpenPGP: id=D076FFF1
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: "" <>,, IETF discussion list <>, TSV Dir <>

On 02/02/2011 02:38 p.m., Joe Touch wrote:

>>> ?INT? This section is, IMO, odd; IP address never meant physical
>>> location anyway, and tunnels obviate that meaning regardless of the
>>> impact of NATs or other sharing techniques.
>> Agreed. But geo-location is nevertheless widely used for marketing
>> purposes.
> Agreed, but whether it works now is arbitrary; it's not a design
> consideration of the protocols.

Well, the protocols were not designed for production networks, either.
FWIW, geo-location is currently used, and it would be affected by
increased use of NATs.

> At the least, it's worth noting that geolocation is already broken by
> tunnels, and that IP addressing does not ensure geographic proximity
> before attributing breakage on NATs or other sharing.

Tunnels need not break geo-location; they do not masquerade the
source address. Or am I missing something?

And, FWIW, I agree that usually lots of breakage is attributed to NATs,
where the brokenness is really somewhere else (e.g., app protocols
passing IP addresses).

>>>> 13.4.  Port Randomisation
>>> ...
>>>>     It should be noted that guessing the port information may not be
>>>>     sufficient to carry out a successful blind attack.   The exact TCP
>>>>     Sequence Number (SN) should also be known.
>>> There are data injection attacks that are possible even without knowing
>>> the exact SN.
>> draft-ietf-tcpm-tcp-security may be of use here.
> rfc5961 is already published and describes the issue in specific, and
> may be more useful as a reference for this.

I disagree. It discusses only TCP-based attacks (there are many other
vectors). If you want an alternative "published" reference, here it is:

However, it's up to the authors to include this or other references -- I
just noted the TCP assessment doc for completeness' sake.

Fernando Gont
e-mail: ||
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
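The port-randomisation point argued in the thread above (guessing the port is only part of a blind attack's search space, and, per RFC 5961, an in-window sequence number suffices rather than the exact SN) can be made concrete in code. The following is an added example, not code from the draft, the thread, or any IETF document: it contrasts a traditional sequential ephemeral-port allocator with the simple hash-based selection of RFC 6056 (Algorithm 3), and quantifies the search space an off-path attacker faces for a given receive window. The keyed function F() is assumed to be HMAC-SHA256 (the RFC leaves the choice open), the ephemeral range 1024-65535 and the peer addresses are constructed values, and the helper names are this example's own.

```python
import hashlib
import hmac
import math
import secrets

# Assumed ephemeral range (RFC 6056 recommends the whole 1024-65535 range).
MIN_EPHEMERAL = 1024
MAX_EPHEMERAL = 65535
NUM_EPHEMERAL = MAX_EPHEMERAL - MIN_EPHEMERAL + 1


def _f(local_ip, remote_ip, remote_port, secret):
    """Keyed hash F() of RFC 6056 Algorithm 3; HMAC-SHA256 is this example's
    choice, truncated to 32 bits. The secret is never exposed on the wire."""
    msg = f"{local_ip}|{remote_ip}|{remote_port}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big")


class SequentialSelector:
    """Traditional allocation: one global counter, so an observer of one
    connection can predict the port of the next one to any destination."""

    def __init__(self, start=MIN_EPHEMERAL):
        self.next = start

    def select(self, local_ip, remote_ip, remote_port, in_use):
        for _ in range(NUM_EPHEMERAL):
            port = self.next
            self.next = MIN_EPHEMERAL + (self.next + 1 - MIN_EPHEMERAL) % NUM_EPHEMERAL
            if port not in in_use:
                return port
        raise RuntimeError("no free ephemeral port")


class HashBasedSelector:
    """RFC 6056 Algorithm 3: the global counter is offset per destination by a
    keyed hash, so ports toward one peer stay monotonic (good for TIME-WAIT
    reuse) while ports toward different peers reveal nothing about each other."""

    def __init__(self, secret=None, count=None):
        self.secret = secret if secret is not None else secrets.token_bytes(32)
        self.count = count if count is not None else secrets.randbelow(NUM_EPHEMERAL)

    def select(self, local_ip, remote_ip, remote_port, in_use):
        offset = _f(local_ip, remote_ip, remote_port, self.secret)
        for _ in range(NUM_EPHEMERAL):
            port = MIN_EPHEMERAL + (offset + self.count) % NUM_EPHEMERAL
            self.count = (self.count + 1) % NUM_EPHEMERAL
            if port not in in_use:
                return port
        raise RuntimeError("no free ephemeral port")


def ports_for_two_destinations(selector):
    """Pick one port toward each of two constructed peers; returns (p1, p2)."""
    p1 = selector.select("192.0.2.10", "198.51.100.1", 80, set())
    p2 = selector.select("192.0.2.10", "203.0.113.5", 443, set())
    return p1, p2


def spoofed_segments_needed(candidate_ports, receive_window):
    """Approximate number of spoofed segments an off-path sender must emit for
    one to fall in-window (the RFC 5961 observation that the exact SN is not
    needed): port candidates times 2^32 / window. Used here to size the risk."""
    return candidate_ports * math.ceil(2 ** 32 / receive_window)


if __name__ == "__main__":
    print("sequential:", ports_for_two_destinations(SequentialSelector()))
    print("hash-based:", ports_for_two_destinations(HashBasedSelector()))
    print("known port, 64 KiB window:", spoofed_segments_needed(1, 65536))
    print("randomised port, 64 KiB window:",
          spoofed_segments_needed(NUM_EPHEMERAL, 65536))
```

With a known (or sequentially predictable) client port and a 64 KiB window the off-path search space is about 2^16 segments, which is why the draft's "the exact Sequence Number should also be known" understates the exposure; randomising the port multiplies that by the size of the ephemeral range, which is the mitigation the section is about. The selectors skip ports already in use, since RFC 6056 requires that check whatever algorithm is chosen.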