[anonsec] 3401 and highjacking
Joe Touch
touch at ISI.EDU
Tue Feb 21 11:26:41 PST 2006
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Stephen Kent wrote:
> At 7:43 AM -0800 2/17/06, Joe Touch wrote:
>
>> Stephen Kent wrote:
>> ....
>>
>>> ...I also said that one could use SSL to address some (though not
>>> all) of the use cases that were put forth as motivations for BTNS,
>>> but that is out of scope for this WG, based on its current charter.
>>
>>
>> Since this point has been raised on repeated occasions:
>>
>> BTNS was motivated by the need to protect the network and transport
>> headers. Connection-disruption attacks (RST attacks specifically, which
>> also include ACK and other transport header attacks) were
>> the primary case, and SSL does not protect against those. The ability to
>> reuse techniques across different transport and higher layers was also
>> sought, and again SSL does not apply.
>>
>> Joe
>
> Joe,
>
> As I noted elsewhere in that message from which you extracted the quote,
> there are multiple, distinct constituencies for BTNS. Not all of them
> have the requirement you cite above re protection against transport
> layer attacks. So, it is inappropriate to make a broad statement about
> BTNS motivations without acknowledging this diversity.
Whatever BTNS is _now_ motivated by, it WAS motivated by the need for
transport protection in the absence of a priori keys (infrastructure or
predeployed).
As to the reasons you cited in your original quote:
1- performance
2- security of the software system
3- lower layer can be done elsewhere in the system
4- using BTNS as a place to explore split-layer security
For which of these would SSL address a BTNS use case?
> Also, SSL/TLS now is defined to support UDP, so the traditional argument
> about needing to use IPsec to accommodate other than TCP is no longer
> valid.
There are more transport protocols than just TCP and UDP. See
http://www.iana.org/assignments/protocol-numbers for a complete list ;-)
Joe
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFD+2lxE5f5cImnZrsRAsyIAJ4zGH4/l8wo3b0PJANqKs9BXL+IlACg8PfL
mNbTiDFmMeS9XKceZCuETys=
=2UHC
-----END PGP SIGNATURE-----