[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [OPSEC] [tcpm] draft-gont-tcp-security
- To: "Smith, Donald" <Donald.Smith at qwest.com>
- Subject: Re: [OPSEC] [tcpm] draft-gont-tcp-security
- From: Joe Touch <touch at ISI.EDU>
- Date: Tue, 14 Apr 2009 08:30:09 -0700
- Cc: "'tcpm at ietf.org'" <tcpm at ietf.org>, "'ietf at ietf.org'" <ietf at ietf.org>, 'Joe Abley' <jabley at ca.afilias.info>, "'opsec at ietf.org'" <opsec at ietf.org>, 'Lars Eggert' <lars.eggert at nokia.com>, "'Eddy, Wesley M. \(GRC-RCN0\)\[Verizon\]'" <wesley.m.eddy at nasa.gov>
- Delivered-to: opsec at core3.amsl.com
- In-reply-to: <B01905DA0C7CDC478F42870679DF0F1004BC41775B at qtdenexmbm24.AD.QINTRA.COM>
- List-archive: <http://www.ietf.org/mail-archive/web/opsec>
- List-help: <mailto:opsec-request@ietf.org?subject=help>
- List-id: opsec wg mailing list <opsec.ietf.org>
- List-post: <mailto:opsec@ietf.org>
- List-subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
- List-unsubscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
- References: <C304DB494AC0C04C87C6A6E2FF5603DB221318F5E8 at NDJSSCC01.ndc.nasa.g ov><49E36AB9.40507 at isi.edu> <49E384E9.1050106 at gont.com.ar><49E3878C.9080200 at isi.edu> <49E39119.1060902 at gont.com.ar> <49E3A856.9020703 at isi.edu> <B01905DA0C7CDC478F42870679DF0F1004BC41775B at qtdenexmbm24.AD.QINTRA.COM>
- User-agent: Thunderbird 2.0.0.21 (Windows/20090302)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Inline...
> Given that this is opsec and that my major concern is the network elements
> I am much more concerned about "off-path" or "blind attacks" then direct attacks.
> Customers generally don't attack the router they are connected to.
> Peers generally don't attack the router they are connected to.
Some routers are on shared-access media. Other routers are connected
across unsecured network elements - e.g., to network management
components, etc. On-path doesn't mean directly connected on one hop - it
includes the entire path.
...
>> > I *know* that the only way to secure a protocol is to throw
>> > crypto at it.
>
> Now I think I understand what you mean by secure.
> I don't agree with your opinion. For example SSL is a form of encryption
> but has done little to
> secure http as sites have trained customers to ignore cert errors.
> Banks put lock bitmaps on their pages to show how "safe" they are.
> Phishers depend on this user confusion!
Mechanism cannot compensate for users that ignore it.
>> > I also *know* that unexpected packets are *not* indications
>> > of attacks.
>
> In the router world packets destined towards my routers that are
> "unexpected" are often an indication of attack or a misconfigured
> system either can cause problems for the network and blocking it
> TOWARDS the router is a BCP.
I'm talking about expectations within a TCP connection, or about the
establishment of TCP connections. This doc addresses TCP, not the
Internet in general.
Joe
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iEYEARECAAYFAknkrAEACgkQE5f5cImnZrvCuwCgmNXYuIsIz0D3sKZPGPS4s9I/
a4UAn1Y61FP4a45kZdAtGelzTp4ah51O
=Z6sO
-----END PGP SIGNATURE-----