Re: [tcpm] PoC for draft-moncaster-tcpm-rcv-cheat-02

[Pekka Savola <pekkas@netcore.fi>]

On Wed, 26 Mar 2008, Bob Briscoe wrote:
> I'd tend to agree with ROb - publication is unlikely to get the
> solution out there any quicker.

First, I suggest you or someone contact the most interesting vendors 
(some BSD and Linux communities) about this and potentially obtain a 
CVE number.  Fernando Gont might be willing to help with this process 
as he has been through it before.

However, on your main point I disagree; publication of PoC code is 
likely to trigger getting a CVE number, and that is likely to trigger 
some response especially in most security-aware (Linux, BSD) operating 
system vendors.

There is ample evidence that vendors are willing to react even if the 
IETF progress is slow or nonexistent (e.g. ICMP errors draft); there 
is also ample evidence that vendors are not interested in putting (and 
should not be expected to put) the IETF on the critical path of 
shipping a product (or fixing a flaw).

If the issue is not progressing in the IETF, I think it's exactly the 
right thing to do to release the PoC code; it would be nicer to 
contact vendors' security teams first and give them a heads-up e.g. 3 
or 6 months in advance though.

But if you believe this issue is progressing in the IETF, maybe 
publishing the PoC is premature.  If the progress is slow I'd suggest 
contacting vendors' security teams now.

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
_______________________________________________
tcpm mailing list
tcpm@ietf.org
https://www.ietf.org/mailman/listinfo/tcpm