Re: [tcpm] [OPSEC] draft-gont-tcp-security

[Joe Touch <touch@ISI.EDU>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Inline...

> Given that this is opsec and that my major concern is the network elements 
> I am much more concerned about "off-path" or "blind attacks" then direct attacks.
> Customers generally don't attack the router they are connected to.
> Peers generally don't attack the router they are connected to.

Some routers are on shared-access media. Other routers are connected
across unsecured network elements - e.g., to network management
components, etc. On-path doesn't mean directly connected on one hop - it
includes the entire path.

...
>> > I *know* that the only way to secure a protocol is to throw 
>> > crypto at it.
>
> Now I think I understand what you mean by secure.
> I don't agree with your opinion. For example SSL is a form of encryption 
> but has done little to
> secure http as sites have trained customers to ignore cert errors.
> Banks put lock bitmaps on their pages to show how "safe" they are.
> Phishers depend on this user confusion!

Mechanism cannot compensate for users that ignore it.

>> > I also *know* that unexpected packets are *not* indications 
>> > of attacks.
>
> In the router world packets destined towards my routers that are
> "unexpected" are often an indication of attack or a misconfigured
> system either can cause problems for the network and blocking it
> TOWARDS the router is a BCP.

I'm talking about expectations within a TCP connection, or about the
establishment of TCP connections. This doc addresses TCP, not the
Internet in general.

Joe
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAknkrAEACgkQE5f5cImnZrvCuwCgmNXYuIsIz0D3sKZPGPS4s9I/
a4UAn1Y61FP4a45kZdAtGelzTp4ah51O
=Z6sO
-----END PGP SIGNATURE-----