On Oct 28, 2021, at 10:16 AM, Roman Danyliw <r...@cert.org> wrote:
>> 3. Section 6 says applications should perform “full TCP segment reassembly”. What does that mean? A quick google search doesn’t suggest it’s a well-known term of art. I'm guessing that what you mean is that the applications should capture (and log, etc) the bytestream that was segmented and transmitted by TCP?
>
> I'll let the authors speak to this, but I think this means full TCP stream reassembly -- that is, analyze the reassembled stream, not the individual packets. There is a long history of evasion attacks in network security analysis tools when individual fragments/packets are analyzed instead of the reassembled streams.

Right, that makes sense. It’s just not at all clear (at least, to me) from the text as written. I think more words will be required in order to make it clear. (Your sentence above seems like a good candidate for cutting and pasting.)

Thanks,

—John
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
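Added example, not part of the original message or of the draft under review: a sketch of the difference discussed above between inspecting individual TCP segments and inspecting the reassembled stream, using DNS-over-TCP length-prefixed framing. All function names, the sample names and the sequence numbers are constructed for illustration; sequence-number wraparound and endpoint-specific overlap policy are ignored.

```python
import struct

def build_query(name, qid=0x1234):
    """DNS query with the 2-byte length prefix used over TCP (RFC 1035, 4.2.2)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    msg = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)
    return struct.pack("!H", len(msg)) + msg

def parse_qname(msg):
    """First question name of a DNS message, or None if it is cut short."""
    labels, i = [], 12
    while i < len(msg) and msg[i] and not msg[i] & 0xC0:
        labels.append(msg[i + 1:i + 1 + msg[i]].decode("ascii", "replace"))
        i += 1 + msg[i]
    return ".".join(labels) if i < len(msg) and msg[i] == 0 else None

def names_per_segment(segments):
    """Per-packet analysis: only sees a query that fills exactly one segment."""
    whole = [p[2:] for _, p in segments
             if len(p) >= 2 and struct.unpack("!H", p[:2])[0] == len(p) - 2]
    return [n for n in map(parse_qname, whole) if n is not None]

def reassemble(segments, isn):
    """Order payloads by sequence number, skip already-seen bytes, stop at a gap."""
    stream, nxt = bytearray(), isn
    for seq, p in sorted(segments):
        if seq > nxt:
            break
        stream += p[nxt - seq:]
        nxt = max(nxt, seq + len(p))
    return bytes(stream)

def names_from_stream(stream):
    """Stream analysis: walk length-prefixed messages in the reassembled bytes."""
    out, i = [], 0
    while i + 2 <= len(stream):
        n = struct.unpack("!H", stream[i:i + 2])[0]
        if i + 2 + n > len(stream):
            break  # incomplete message, more data needed
        out.append(parse_qname(stream[i + 2:i + 2 + n]))
        i += 2 + n
    return [q for q in out if q is not None]

def constructed_capture(isn=1000):
    """Constructed sample: two queries cut at arbitrary offsets, delivered out of order."""
    stream = build_query("a.example") + build_query("b.example")
    cuts = [0, 1, 20, 35, len(stream)]
    segs = [(isn + s, stream[s:e]) for s, e in zip(cuts, cuts[1:])]
    return [segs[2], segs[0], segs[3], segs[1]]
```

On the constructed capture, the per-segment pass logs no query names at all, while the reassembled stream yields both.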