[anonsec] (resend) Problem/Applicability Statement WGLC summary and RFC publication request
Miika Komu
miika at iki.fi
Mon Mar 5 23:42:25 PST 2007
On Mon, 5 Mar 2007, Yu-Shun Wang wrote:
Hi,
sorry for the late comments, I somehow missed your original response.
> Hi,
>
> The -05 version was submitted back in Feb. 13, which
> should address the few comments brought up during WGLC
> (ended Dec. 4, 2006):
>
> - Wording adjustment in the abstract to cover both pre-shared
> secret and CA-signed certs for authentication. Re:
> <http://www.postel.org/pipermail/anonsec/2006-December/000913.html>
>
> - Minor wording changes regarding TCP-specific mods vs. HIP. Re:
> <http://www.postel.org/pipermail/anonsec/2006-December/000915.html>
>
> The full diffs between -04 and -05
>
> <http://tools.ietf.org/rfcdiff?url2=http://tools.ietf.org/id/draft-ietf-btns-prob-and-applic-05.txt>
>
> The authors think the doc is ready and would like to request
> the publication of this doc as RFC.
This was my original two-part comment:
> > HIP is mentioned in section 2.2.1 briefly. Perhaps you could also
> > mention that HIP has implicit channel binding mechanisms and reference
> > RFC4423, HIP base draft or draft-ietf-hip-applications-00. In
> > addition, the claim "such modifications are, at best, temporary
> > patches to the ubiquitous vulnerability to spoofing attacks" requires
> > some further explanation at least in the context of HIP.
>
> Agreed with HIP and channel binding part. But IMHO, these are
> more subtle (you said "implicit" :-)) points that probably
> should be covered in the CB doc for more details and comparison.
The draft addresses my first concern but not the second. The section that
I am referring to ends in these words:
Some of these modifications are new to TCP, but have already been
incorporated into other transport protocols (e.g., SCTP) or intermediate
(so-called L3.5) protocols (e.g., HIP) [13][18].
and the following section continues:
The TCP-specific modifications are, at best, temporary patches to the
ubiquitous vulnerability to spoofing attacks.
HIP is also based on IPsec, so the implicit suggestion here that HIP is
vulnerable to TCP spoofing attacks is untrue. HIP modifies TCP checksums,
but this occurs using IPsec. I'd just suggest dropping the HIP reference
in the text.
--
Miika Komu http://www.iki.fi/miika/