Re: [tcpm] feedcback on tcp-secure-05: suggested text
Ted Faber <faber@ISI.EDU> Wed, 19 July 2006 00:59 UTC
Date: Tue, 18 Jul 2006 17:58:12 -0700
From: Ted Faber <faber@ISI.EDU>
To: Fernando Gont <fernando@gont.com.ar>
Subject: Re: [tcpm] feedcback on tcp-secure-05: suggested text
Cc: Randall Stewart <rrs@cisco.com>, tcpm@ietf.org

On Tue, Jul 18, 2006 at 09:37:28PM -0300, Fernando Gont wrote:
> At 21:07 18/07/2006, Ted Faber wrote:
>
> >On Tue, Jul 18, 2006 at 08:32:01PM -0300, Fernando Gont wrote:
> >> RFC 4301 never states that ICMP messages should be filtered. And it's
> >> clear from this last paragraph that a number of behaviours (including
> >> "act on it with constraints") are among the possibilities.
> >
> >Fine. Try the attached.
> >
> >I'm happy to add an explicit reference to the attacks draft if it can be
> >phrased in such a way that it does not link the publication of the two.
> >Feel free to send text.
>
> I'd change the text to:
>
> "Implementors should be aware that the attacks detailed in this
> specification are not the only attacks available to an off-path attacker
> and that the countermeasures described herein are not a comprehensive
> defense against such attacks.
>
> In particular, administrators should be aware that forged ICMP messages
> provide off-path attackers the opportunity to disrupt connections or
> degrade service. Such packets may be subject to even less scrutiny than
> those required for the TCP attacks addressed here, especially in
> stacks not tuned for hostile environments.
>
> This RFC details only part of a complete strategy to
> prevent off-path attackers from disrupting services that use TCP.
> Administrators and implementors should consider the other attack vectors
> and determine appropriate mitigations in securing their systems.
>
> [antispoof] provides a detailed discussion of TCP attacks based on
> forged TCP segments, along with a discussion on the possible
> counter-measures. [ICMP-attacks] provides a detailed discussion on
> TCP attacks based on forged ICMP packets, along with the possible
> counter-measures."
>
>
> Note that I basically removed text, and added references. And that
> the references are included in a way in which there's no "requirement".

As long as neither of those refs imposes dependencies on tcpsecure, I'm
delighted with the text.

--
Ted Faber
http://www.isi.edu/~faber PGP: http://www.isi.edu/~faber/pubkeys.asc
Unexpected attachment on this mail? See http://www.isi.edu/~faber/FAQ.html#SIG