One small comment below

> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Richard Alimi
> Sent: Wednesday, March 13, 2013 6:33 AM
> To: Hannes Tschofenig
> Cc: [email protected]
> Subject: Re: [alto] Security
[...]
> The draft also has this text in the Manageability
> Considerations section:
>
> Operators providing an ALTO Server should ensure that appropriate
> information is being exposed. Privacy implications for ISPs are
> discussed in Section 13.1
> <http://tools.ietf.org/html/draft-ietf-alto-protocol-14#section-13.1>.
> Both operators and ALTO Servers and those
> using ALTO Clients should be aware of the impact of incorrect or
> faked guidance (see Section 10.3 of
> [I-D.ietf-alto-deployments
> <http://tools.ietf.org/html/draft-ietf-alto-protocol-14#ref-I-D.ietf-alto-deployments>] and
> future versions of that document).
>
> As far as attacking the discovery mechanism, yes an attacker
> may wish to do that. I believe that is something that should be
> addressed in the server-discovery document (and its security
> considerations) but not in the protocol document.

Section 6.1 http://tools.ietf.org/html/draft-ietf-alto-server-discovery-07 has some text on this attack. One could refer to that from the protocol draft security considerations.

Michael
