On Mon, 5 Mar 2007, Yu-Shun Wang wrote:
Hi,
sorry for the late comments, I somehow missed your original response.
> Hi,
>
> The -05 version was submitted back in Feb. 13, which should address
> the few comments brought up during WGLC (ended Dec. 4, 2006):
>
> - Wording adjustment in the abstract to cover both pre-shared
> secret and CA-signed certs for authentication. Re:
> <http://www.postel.org/pipermail/anonsec/2006-December/000913.html>
> - Minor wording changes regarding TCP-specific mods vs. HIP. Re:
> <http://www.postel.org/pipermail/anonsec/2006-December/000915.html>
>
> The full diffs between -04 and -05:
>
> <http://tools.ietf.org/rfcdiff?url2=http://tools.ietf.org/id/draft-ietf-btns-prob-and-applic-05.txt>
>
> The authors think the doc is ready and would like to request
> the publication of this doc as an RFC.
This was my original two-part comment:
> > HIP is mentioned in section 2.2.1 briefly. Perhaps you could also
> > mention that HIP has implicit channel binding mechanisms and reference
> > RFC4423, the HIP base draft or draft-ietf-hip-applications-00. In
> > addition, the claim "such modifications are, at best, temporary
> > patches to the ubiquitous vulnerability to spoofing attacks" requires
> > some further explanation, at least in the context of HIP.
>
> Agreed with the HIP and channel binding part. But IMHO, these are
> more subtle (you said "implicit") points that probably should be
> covered in the CB doc for more details and comparison.
The draft addresses my first concern but not the second. The section that
I am referring to ends with these words:
   Some of these modifications are new to TCP, but have already been
   incorporated into other transport protocols (e.g., SCTP) or intermediate
   (so-called L3.5) protocols (e.g., HIP) [13][18].
and the following section continues:
   The TCP-specific modifications are, at best, temporary patches to the
   ubiquitous vulnerability to spoofing attacks.
HIP is also based on IPsec, so the implicit suggestion here that HIP is
vulnerable to TCP spoofing attacks is untrue. HIP modifies TCP checksums,
but this occurs using IPsec. I'd just suggest dropping the HIP reference
in the text.
--
Miika Komu http://www.iki.fi/miika/