Re: [tcpm] PoC for draft-moncaster-tcpm-rcv-cheat-02

Pekka Savola <pekkas@netcore.fi> Wed, 26 March 2008 18:24 UTC

Return-Path: <tcpm-bounces@ietf.org>
X-Original-To: ietfarch-tcpm-archive@core3.amsl.com
Delivered-To: ietfarch-tcpm-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A6D4A28C6A6; Wed, 26 Mar 2008 11:24:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -100.473
X-Spam-Level:
X-Spam-Status: No, score=-100.473 tagged_above=-999 required=5 tests=[AWL=-0.036, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_ORG=0.611, RDNS_NONE=0.1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r1kwYYypaet2; Wed, 26 Mar 2008 11:24:19 -0700 (PDT)
Received: from core3.amsl.com (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 50D593A6DB6; Wed, 26 Mar 2008 11:24:19 -0700 (PDT)
X-Original-To: tcpm@core3.amsl.com
Delivered-To: tcpm@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0467C3A6DB6 for <tcpm@core3.amsl.com>; Wed, 26 Mar 2008 11:24:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YByjwScXgbf2 for <tcpm@core3.amsl.com>; Wed, 26 Mar 2008 11:24:16 -0700 (PDT)
Received: from netcore.fi (eunet-gw.ipv6.netcore.fi [IPv6:2001:670:86:3001::1]) by core3.amsl.com (Postfix) with ESMTP id 77A9C3A6B60 for <tcpm@ietf.org>; Wed, 26 Mar 2008 11:24:16 -0700 (PDT)
Received: from netcore.fi (localhost [127.0.0.1]) by netcore.fi (8.13.8/8.13.8) with ESMTP id m2QILpb4028114; Wed, 26 Mar 2008 20:21:51 +0200
Received: from localhost (pekkas@localhost) by netcore.fi (8.13.8/8.13.8/Submit) with ESMTP id m2QILoDD028111; Wed, 26 Mar 2008 20:21:50 +0200
Date: Wed, 26 Mar 2008 20:21:49 +0200 (EET)
From: Pekka Savola <pekkas@netcore.fi>
To: Bob Briscoe <rbriscoe@jungle.bt.co.uk>
In-Reply-To: <200803261438.m2QEchkI001007@bagheera.jungle.bt.co.uk>
Message-ID: <alpine.LRH.1.10.0803262012190.27746@netcore.fi>
References: <200803260029.33658.v13@v13.gr> <20080326042515.GD24842@cs.umd.edu> <200803261438.m2QEchkI001007@bagheera.jungle.bt.co.uk>
User-Agent: Alpine 1.10 (LRH 962 2008-03-14)
MIME-Version: 1.0
X-Virus-Scanned: ClamAV 0.92.1/6391/Tue Mar 25 12:09:55 2008 on otso.netcore.fi
X-Virus-Status: Clean
Cc: tcpm@ietf.org
Subject: Re: [tcpm] PoC for draft-moncaster-tcpm-rcv-cheat-02
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: tcpm-bounces@ietf.org
Errors-To: tcpm-bounces@ietf.org

On Wed, 26 Mar 2008, Bob Briscoe wrote:
> I'd tend to agree with ROb - publication is unlikely to get the
> solution out there any quicker.

First, I suggest you or someone contact the most interesting vendors 
(some BSD and Linux communities) about this and potentially obtain a 
CVE number.  Fernando Gont might be willing to help with this process 
as he has been through it before.

However, on your main point I disagree; publication of PoC code is 
likely to trigger getting a CVE number, and that is likely to trigger 
some response especially in most security-aware (Linux, BSD) operating 
system vendors.

There is ample evidence that vendors are willing to react even if the 
IETF progress is slow or nonexistent (e.g. ICMP errors draft); there 
is also ample evidence that vendors are not interested in putting (and 
should not be expected to put) the IETF on the critical path of 
shipping a product (or fixing a flaw).

If the issue is not progressing in the IETF, I think it's exactly the 
right thing to do to release the PoC code; it would be nicer to 
contact vendors' security teams first and give them a heads-up e.g. 3 
or 6 months in advance though.

But if you believe this issue is progressing in the IETF, maybe 
publishing the PoC is premature.  If the progress is slow I'd suggest 
contacting vendors' security teams now.

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
_______________________________________________
tcpm mailing list
tcpm@ietf.org
https://www.ietf.org/mailman/listinfo/tcpm