[anonsec] 3401 and highjacking
Stephen Kent
kent at bbn.com
Tue Feb 21 08:50:09 PST 2006
At 7:43 AM -0800 2/17/06, Joe Touch wrote:
>
>Stephen Kent wrote:
>....
>> ...I also said that one could use SSL to address some (though not
>> all) of the use cases that were put forth as motivations for BTNS,
>> but that is out of scope for this WG, based on its current charter.
>
>Since this point has been raised on repeated occasions:
>
>BTNS was motivated by the need to protect the network and transport
>headers. Connection-disruption attacks (RST attacks specifically, which
>also include ACK and other transport header attacks) were
>the primary case, and SSL does not protect against those. The ability to
>reuse techniques across different transport and higher layers was also
>sought, and that again does not apply for SSL.
>
>Joe
Joe,
As I noted elsewhere in that message from which you extracted the
quote, there are multiple, distinct constituencies for BTNS. Not all
of them have the requirement you cite above re protection against
transport layer attacks. So, it is inappropriate to make a broad
statement about BTNS motivations without acknowledging this diversity.
Also, SSL/TLS now is defined to support UDP, so the traditional
argument about needing to use IPsec to accommodate other than TCP is
no longer valid.
Steve
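The point Joe makes in the quoted text (a spoofed RST tears down a TCP connection whether or not the payload is under SSL/TLS, because the transport header is outside what TLS protects, while an IPsec-style integrity check over the whole segment catches it) can be shown with a small model. The following is an added example, not code from either participant or from the BTNS work; the segment format, receive-window check, TLS-style record MAC and IPsec-style ICV are deliberately simplified stand-ins, and the ports, keys and sequence numbers are constructed for the demo.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed example: simplified models of a TCP segment, a connection's receive
# state, a TLS-style record MAC (payload only) and an IPsec-style ICV (whole
# segment). Port numbers, keys and sequence numbers are made up for the demo.

@dataclass
class Segment:
    src_port: int
    dst_port: int
    seq: int
    flags: str              # "ACK", "PSH,ACK", "RST", ...
    payload: bytes = b""
    icv: bytes = b""        # IPsec-style ICV over header + payload (empty if none)

@dataclass
class Connection:
    rcv_nxt: int            # next sequence number the receiver expects
    rcv_wnd: int            # receive window size
    tls_key: bytes = b""    # key for the TLS-style record MAC on the payload
    sa_key: bytes = b""     # key for the IPsec-style ICV covering the header too
    state: str = "ESTABLISHED"

def segment_bytes(seg: Segment) -> bytes:
    """Transport header fields plus payload: what an ESP ICV would cover."""
    return (seg.src_port.to_bytes(2, "big") + seg.dst_port.to_bytes(2, "big")
            + seg.seq.to_bytes(4, "big") + seg.flags.encode() + b"|" + seg.payload)

def mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def tls_record(key: bytes, data: bytes) -> bytes:
    """TLS-style record: payload followed by a 32-byte MAC over the payload only."""
    return data + mac(key, data)

def seal_ipsec(seg: Segment, sa_key: bytes) -> Segment:
    """Attach an ICV over the whole segment, header included."""
    seg.icv = mac(sa_key, segment_bytes(seg))
    return seg

def tcp_receive(conn: Connection, seg: Segment) -> str:
    """RFC 793 style processing: an in-window RST aborts the connection. The RST
    carries no payload, so the TLS record layer never gets to look at it."""
    if "RST" in seg.flags:
        if conn.rcv_nxt <= seg.seq < conn.rcv_nxt + conn.rcv_wnd:
            conn.state = "CLOSED"
            return "connection reset"
        return "RST out of window, ignored"
    if seg.seq != conn.rcv_nxt:
        return "data out of order, queued"
    if conn.tls_key:
        data, tag = seg.payload[:-32], seg.payload[-32:]
        if not hmac.compare_digest(tag, mac(conn.tls_key, data)):
            return "TLS record MAC failure"
    conn.rcv_nxt += len(seg.payload)
    return "data delivered"

def ipsec_receive(conn: Connection, seg: Segment) -> str:
    """IPsec/BTNS model: verify the ICV over the whole segment before TCP
    processes it. A spoofed RST built without the SA key is dropped here."""
    if not hmac.compare_digest(seg.icv, mac(conn.sa_key, segment_bytes(seg))):
        return "dropped: bad ICV"
    return tcp_receive(conn, seg)

def run_scenarios() -> dict:
    tls_key = hashlib.sha256(b"demo-tls-key").digest()   # constructed key
    sa_key = hashlib.sha256(b"demo-sa-key").digest()     # constructed key
    out = {}

    # 1. TLS only: forged payload is caught by the record MAC, forged RST is not.
    c = Connection(rcv_nxt=1000, rcv_wnd=65535, tls_key=tls_key)
    bogus = Segment(443, 51515, 1000, "PSH,ACK", payload=b"x" * 40)   # wrong MAC
    out["tls_forged_data"] = tcp_receive(c, bogus)
    good = Segment(443, 51515, 1000, "PSH,ACK",
                   payload=tls_record(tls_key, b"GET / HTTP/1.1"))
    out["tls_good_data"] = tcp_receive(c, good)
    out["tls_forged_rst"] = tcp_receive(c, Segment(443, 51515, 1000 + 32000, "RST"))
    out["tls_state"] = c.state

    # 2. IPsec-style SA: the same spoofed RST fails the ICV and TCP never sees it.
    c = Connection(rcv_nxt=1000, rcv_wnd=65535, sa_key=sa_key)
    out["ipsec_forged_rst"] = ipsec_receive(c, Segment(443, 51515, 1000 + 32000, "RST"))
    out["ipsec_state_after_forgery"] = c.state

    # 3. A RST from the real peer, which holds the SA key, is still honoured.
    legit = seal_ipsec(Segment(443, 51515, 1000, "RST"), sa_key)
    out["ipsec_legit_rst"] = ipsec_receive(c, legit)
    out["ipsec_state_after_legit"] = c.state
    return out

if __name__ == "__main__":
    for k, v in run_scenarios().items():
        print(f"{k:28} {v}")
```

The attacker in scenario 1 never needs the TLS key: the RST has no payload, so there is nothing for the record layer to verify, and the connection is gone before TLS is consulted. In scenario 2 the same segment is discarded at the integrity check because the ICV covers the transport header, which is the property Joe's text attributes to BTNS. The model ignores the later RFC 5961 tightening of RST acceptance and the fact that DTLS, like TLS, also leaves the transport header unprotected, so it illustrates the argument as made on the list rather than the full state of the art.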