Re: [secdir] Collision on changes for draft-ietf-soc-overload-control-14
"Vijay K. Gurbani" <vkg@bell-labs.com> Wed, 19 February 2014 16:18 UTC
Return-Path: <vkg@bell-labs.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4E57C1A0249; Wed, 19 Feb 2014 08:18:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Level:
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mKoBQPyeSZXd; Wed, 19 Feb 2014 08:18:23 -0800 (PST)
Received: from ihemail3.lucent.com (ihemail3.lucent.com [135.245.0.37]) by ietfa.amsl.com (Postfix) with ESMTP id EBF7B1A021B; Wed, 19 Feb 2014 08:18:22 -0800 (PST)
Received: from usnavsmail3.ndc.alcatel-lucent.com (usnavsmail3.ndc.alcatel-lucent.com [135.3.39.11]) by ihemail3.lucent.com (8.13.8/IER-o) with ESMTP id s1JGIFKP013062 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Wed, 19 Feb 2014 10:18:15 -0600 (CST)
Received: from umail.lucent.com (umail.ndc.lucent.com [135.3.40.61]) by usnavsmail3.ndc.alcatel-lucent.com (8.14.3/8.14.3/GMO) with ESMTP id s1JGIEhB007046 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Wed, 19 Feb 2014 10:18:14 -0600
Received: from shoonya.ih.lucent.com (shoonya.ih.lucent.com [135.185.237.229]) by umail.lucent.com (8.13.8/TPES) with ESMTP id s1JGIDfK019210; Wed, 19 Feb 2014 10:18:13 -0600 (CST)
Message-ID: <5304D989.80902@bell-labs.com>
Date: Wed, 19 Feb 2014 10:19:21 -0600
From: "Vijay K. Gurbani" <vkg@bell-labs.com>
Organization: Bell Laboratories, Alcatel-Lucent
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
MIME-Version: 1.0
To: Spencer Dawkins <spencerdawkins.ietf@gmail.com>, "jsalowey@cisco.com" <jsalowey@cisco.com>
References: <5303B709.20407@bell-labs.com> <5303D6BF.6070901@gmail.com>
In-Reply-To: <5303D6BF.6070901@gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Scanned-By: MIMEDefang 2.57 on 135.245.2.37
X-Scanned-By: MIMEDefang 2.64 on 135.3.39.11
Archived-At: http://mailarchive.ietf.org/arch/msg/secdir/LE7I3XRC0GxzyqyEJOtH358gb4U
Cc: "draft-ietf-soc-overload-control@tools.ietf.org" <draft-ietf-soc-overload-control@tools.ietf.org>, "soc-chairs@tools.ietf.org" <soc-chairs@tools.ietf.org>, IESG IESG <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] Collision on changes for draft-ietf-soc-overload-control-14
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Feb 2014 16:18:25 -0000
On 02/18/2014 03:55 PM, Spencer Dawkins wrote: [...] > This is working for me, but the version you and Joe crafted had "make it > *more* difficult". > > I'm hoping not to say anything like "TCP is a great security strategy"; > "more difficult" is more like "TCP is a better security strategy than > UDP, but ...". > > Could you help me understand where that word went? Spencer: I had excised that word in a pique of editorial discretion since I thought it was not qualifying anything substantive. Clearly, you thought otherwise, and that is perfectly fine. I will reintroduce it as follows (plus some minor edits to improve readability): Attacks that indicate false overload control are best mitigated by using TLS in conjunction with applying BCP 38 [RFC2827]. Attacks that are mounted to suppress genuine overload conditions can be similarly avoided by using TLS on the connection. Generally, TCP or Websockets [RFC6455] in conjunction with BCP 38 makes it more difficult for an attacker to insert or modify messages, but may still prove inadequate against an adversary that controls links L1 and L2. TLS provides the best protection from an attacker with access to the network links. Thanks! - vijay -- Vijay K. Gurbani, Bell Laboratories, Alcatel-Lucent 1960 Lucent Lane, Rm. 9C-533, Naperville, Illinois 60563 (USA) Email: vkg@{bell-labs.com,acm.org} / vijay.gurbani@alcatel-lucent.com Web: http://ect.bell-labs.com/who/vkg/ | Calendar: http://goo.gl/x3Ogq
- [secdir] Collision on changes for draft-ietf-soc-… Vijay K. Gurbani
- Re: [secdir] Collision on changes for draft-ietf-… Vijay K. Gurbani
- Re: [secdir] Collision on changes for draft-ietf-… Spencer Dawkins
- Re: [secdir] Collision on changes for draft-ietf-… Spencer Dawkins