[anonsec] (resend) Problem/Applicability Statement WGLC summary and RFC publication request
Yu-Shun Wang
2007-03-06 01:53:42 UTC
Hi,

The -05 version was submitted back in Feb. 13, which
should address the few comments brought up during WGLC
(ended Dec. 4, 2006):

- Wording adjustment in the abstract to cover both pre-shared
secret and CA-signed certs for authentication. Re:
<http://www.postel.org/pipermail/anonsec/2006-December/000913.html>

- Minor wording changes regarding TCP-specific mods vs. HIP. Re:
<http://www.postel.org/pipermail/anonsec/2006-December/000915.html>

The full diffs between -04 and -05

<http://tools.ietf.org/rfcdiff?url2=http://tools.ietf.org/id/draft-ietf-btns-prob-and-applic-05.txt>

The authors think the doc is ready and would like to request
the publication of this doc as RFC.

Thanks,

yushun
Miika Komu
2007-03-06 07:42:25 UTC
On Mon, 5 Mar 2007, Yu-Shun Wang wrote:

Hi,

sorry for the late comments, I somehow missed your original response.
Post by Yu-Shun Wang
Hi,
The -05 version was submitted back in Feb. 13, which
should address the few comments brought up during WGLC
- Wording adjustment in the abstract to cover both pre-shared
<http://www.postel.org/pipermail/anonsec/2006-December/000913.html>
<http://www.postel.org/pipermail/anonsec/2006-December/000915.html>
The full diffs between -04 and -05
<http://tools.ietf.org/rfcdiff?url2=http://tools.ietf.org/id/draft-ietf-btns-prob-and-applic-05.txt>
The authors think the doc is ready and would like to request
the publication of this doc as RFC.
HIP is mentioned in section 2.2.1 briefly. Perhaps you could also
mention that HIP has implicit channel binding mechanisms and reference
RFC4423, HIP base draft or draft-ietf-hip-applications-00. In
addition, the claim "such modifications are, at best, temporary
patches to the ubiquitous vulnerability to spoofing attacks" requires
some further explanation at least in the context of HIP.
Agreed with HIP and channel binding part. But IMHO, these are
more subtle (you said "implicit" :-)) points that probably
should be covered in the CB doc for more details and comparison.
The draft addresses my first concern but not the second. The section that
I am referring to ends in these words:

Some of these modifications are new to TCP, but have already been
incorporated into other transport protocols (e.g., SCTP) or intermediate
(so-called L3.5) protocols (e.g., HIP) [13][18].

and the following section continues:

The TCP-specific modifications are, at best, temporary patches to the
ubiquitous vulnerability to spoofing attacks.

HIP is also based on IPsec, so the implicit suggestion here that HIP is
vulnerable to TCP spoofing attacks is untrue. HIP modifies TCP checksums,
but this occurs using IPsec. I'd just suggest dropping the HIP reference
in the text.
--
Miika Komu http://www.iki.fi/miika/
Yu-Shun Wang
2007-03-06 16:19:06 UTC
Hi,

Comments below.
<...>
Post by Miika Komu
Post by Yu-Shun Wang
<http://www.postel.org/pipermail/anonsec/2006-December/000915.html>
The full diffs between -04 and -05
<http://tools.ietf.org/rfcdiff?url2=http://tools.ietf.org/id/draft-ietf-btns-prob-and-applic-05.txt>
The authors think the doc is ready and would like to request
the publication of this doc as RFC.
<...>
Post by Miika Komu
The draft addresses my first concern but not the second. The section
Some of these modifications are new to TCP, but have already been
incorporated into other transport protocols (e.g., SCTP) or intermediate
(so-called L3.5) protocols (e.g., HIP) [13][18].
The TCP-specific modifications are, at best, temporary patches to the
ubiquitous vulnerability to spoofing attacks.
HIP is also based on IPsec, so the implicit suggestion here that HIP is
vulnerable to TCP spoofing attacks is untrue. HIP modifies TCP
checksums, but this occurs using IPsec. I'd just suggest dropping the
HIP reference in the text.
The new wording specifically says "TCP-specific modifications"
which exclude SCTP and HIP, vs. the original text "Such
modifications" which can mislead readers regarding your concern.
I personally think the new wording is clear enough. Feel free
to provide text if you think it's not clear.

Thanks,

yushun
Miika Komu
2007-03-06 16:25:19 UTC
Post by Yu-Shun Wang
Post by Miika Komu
HIP is also based on IPsec, so the implicit suggestion here that HIP is
vulnerable to TCP spoofing attacks is untrue. HIP modifies TCP checksums,
but this occurs using IPsec. I'd just suggest dropping the HIP reference in
the text.
The new wording specifically says "TCP-specific modifications"
which exclude SCTP and HIP, vs. the original text "Such
modifications" which can mislead readers regarding your concern.
I personally think the new wording is clear enough. Feel free
to provide text if you think it's not clear.
Ok, I agree now that the current text is fine.
--
Miika Komu http://www.iki.fi/miika/
Julien Laganier
2007-03-07 09:40:01 UTC
Folks,

If nobody objects to publication of
draft-ietf-btns-prob-and-applic as an informational
RFC before March 21st, we will submit the draft to the
IESG.

Best,

--julien, BTNS co-chair
Post by Yu-Shun Wang
Hi,
The -05 version was submitted back in Feb. 13, which
should address the few comments brought up during
- Wording adjustment in the abstract to cover both
pre-shared secret and CA-signed certs for
<http://www.postel.org/pipermail/anonsec/2006-December/000913.html>
- Minor wording changes regarding TCP-specific
<http://www.postel.org/pipermail/anonsec/2006-December/000915.html>
The full diffs between -04 and -05
<http://tools.ietf.org/rfcdiff?url2=http://tools.ietf.org/id/draft-ietf-btns-prob-and-applic-05.txt>
The authors think the doc is ready and would like to
request the publication of this doc as RFC.
Thanks,
yushun