Re: [secdir] Collision on changes for draft-ietf-soc-overload-control-14

"Vijay K. Gurbani" <vkg@bell-labs.com> Wed, 19 February 2014 16:18 UTC

Return-Path: <vkg@bell-labs.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4E57C1A0249; Wed, 19 Feb 2014 08:18:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Level:
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mKoBQPyeSZXd; Wed, 19 Feb 2014 08:18:23 -0800 (PST)
Received: from ihemail3.lucent.com (ihemail3.lucent.com [135.245.0.37]) by ietfa.amsl.com (Postfix) with ESMTP id EBF7B1A021B; Wed, 19 Feb 2014 08:18:22 -0800 (PST)
Received: from usnavsmail3.ndc.alcatel-lucent.com (usnavsmail3.ndc.alcatel-lucent.com [135.3.39.11]) by ihemail3.lucent.com (8.13.8/IER-o) with ESMTP id s1JGIFKP013062 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Wed, 19 Feb 2014 10:18:15 -0600 (CST)
Received: from umail.lucent.com (umail.ndc.lucent.com [135.3.40.61]) by usnavsmail3.ndc.alcatel-lucent.com (8.14.3/8.14.3/GMO) with ESMTP id s1JGIEhB007046 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Wed, 19 Feb 2014 10:18:14 -0600
Received: from shoonya.ih.lucent.com (shoonya.ih.lucent.com [135.185.237.229]) by umail.lucent.com (8.13.8/TPES) with ESMTP id s1JGIDfK019210; Wed, 19 Feb 2014 10:18:13 -0600 (CST)
Message-ID: <5304D989.80902@bell-labs.com>
Date: Wed, 19 Feb 2014 10:19:21 -0600
From: "Vijay K. Gurbani" <vkg@bell-labs.com>
Organization: Bell Laboratories, Alcatel-Lucent
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
MIME-Version: 1.0
To: Spencer Dawkins <spencerdawkins.ietf@gmail.com>, "jsalowey@cisco.com" <jsalowey@cisco.com>
References: <5303B709.20407@bell-labs.com> <5303D6BF.6070901@gmail.com>
In-Reply-To: <5303D6BF.6070901@gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Scanned-By: MIMEDefang 2.57 on 135.245.2.37
X-Scanned-By: MIMEDefang 2.64 on 135.3.39.11
Archived-At: http://mailarchive.ietf.org/arch/msg/secdir/LE7I3XRC0GxzyqyEJOtH358gb4U
Cc: "draft-ietf-soc-overload-control@tools.ietf.org" <draft-ietf-soc-overload-control@tools.ietf.org>, "soc-chairs@tools.ietf.org" <soc-chairs@tools.ietf.org>, IESG IESG <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] Collision on changes for draft-ietf-soc-overload-control-14
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Feb 2014 16:18:25 -0000

On 02/18/2014 03:55 PM, Spencer Dawkins wrote:
[...]
> This is working for me, but the version you and Joe crafted had "make it
> *more* difficult".
>
> I'm hoping not to say anything like "TCP is a great security strategy";
> "more difficult" is more like "TCP is a better security strategy than
> UDP, but ...".
>
> Could you help me understand where that word went?

Spencer: I had excised that word in a pique of editorial discretion
since I thought it was not qualifying anything substantive.  Clearly,
you thought otherwise, and that is perfectly fine.  I will reintroduce
it as follows (plus some minor edits to improve readability):

    Attacks that indicate false overload control are best mitigated by
    using TLS in conjunction with applying BCP 38 [RFC2827]. Attacks
    that are mounted to suppress genuine overload conditions can be
    similarly avoided by using TLS on the connection.  Generally, TCP or
    Websockets [RFC6455] in conjunction with BCP 38 makes it more
    difficult for an attacker to insert or modify messages, but may still
    prove inadequate against an adversary that controls links L1 and
    L2.  TLS provides the best protection from an attacker with access
    to the network links.

Thanks!

- vijay
-- 
Vijay K. Gurbani, Bell Laboratories, Alcatel-Lucent
1960 Lucent Lane, Rm. 9C-533, Naperville, Illinois 60563 (USA)
Email: vkg@{bell-labs.com,acm.org} / vijay.gurbani@alcatel-lucent.com
Web: http://ect.bell-labs.com/who/vkg/  | Calendar: http://goo.gl/x3Ogq