Re: [Last-Call] Last Call: <draft-gont-numeric-ids-sec-considerations-06.txt> (Security Considerations for Transient Numeric Identifiers Employed in Network Protocols) to Best Current Practice
Russ Housley <housley@vigilsec.com> Wed, 09 December 2020 21:24 UTC
> On Dec 9, 2020, at 4:14 PM, Benjamin Kaduk <kaduk@mit.edu> wrote:
>
> Hi Russ,
>
> Thanks for the comments.
>
> On Wed, Dec 09, 2020 at 04:09:07PM -0500, Russ Housley wrote:
>> I have two comments.
>>
>> 1) I do not see this document as a BCP. Despite the inclusion of the boilerplate, there is not a single MUST in the document. I have no objection to an Informational RFC.
>
> The assumption/expectation was that this would become part of BCP 72 along
> with RFC 3552. Do you think it should be a standalone document, or can you
> propose normative language that would make it more appropriate as a BCP?

I'd advise an Informational document. I think an additional section with normative text would be needed or additional normative paragraphs after each of the problem descriptions would be needed.

>
>> 2) The document is really about transient identifiers. It does not only apply to ones that are numeric.
>
> That's probably true. Numeric identifiers have some additional
> properties/structure that have specific considerations, but the core
> concerns do apply to non-numeric identifiers as well. (Proposed text would
> be wonderful, of course.)

I looked at several sentences, and I think that just dropping "numeric" is a fine solution.

Russ

>
> Thanks again,
>
> Ben
>
>>
>>> On Dec 7, 2020, at 10:08 AM, The IESG <iesg-secretary@ietf.org> wrote:
>>>
>>>
>>> The IESG has received a request from an individual submitter to consider the
>>> following document: - 'Security Considerations for Transient Numeric
>>> Identifiers Employed in
>>> Network Protocols'
>>> <draft-gont-numeric-ids-sec-considerations-06.txt> as Best Current Practice
>>>
>>> The IESG plans to make a decision in the next few weeks, and solicits final
>>> comments on this action. Please send substantive comments to the
>>> last-call@ietf.org mailing lists by 2021-01-04. Exceptionally, comments may
>>> be sent to iesg@ietf.org instead. In either case, please retain the beginning
>>> of the Subject line to allow automated sorting.
>>>
>>> Abstract
>>>
>>>
>>> Poor selection of transient numerical identifiers in protocols such
>>> as the TCP/IP suite has historically led to a number of attacks on
>>> implementations, ranging from Denial of Service (DoS) to data
>>> injection and information leakage that can be exploited by pervasive
>>> monitoring. To prevent such flaws in future protocols and
>>> implementations, this document updates RFC 3552, requiring future
>>> RFCs to contain analysis of the security and privacy properties of
>>> any transient numeric identifiers specified by the protocol.
>>
>> --
>> last-call mailing list
>> last-call@ietf.org
>> https://www.ietf.org/mailman/listinfo/last-call