That was my attempt at using the random lottery. I like using the issue page better for input. Also, I prefer reading the html version of the RFC from the IETF tools page. Maybe the lottery should just give you a suggestion of an RFC number…
From: ietf-privacy [mailto:[email protected]] On Behalf Of Christian Huitema Sent: Wednesday, May 21, 2014 9:10 PM To: [email protected] Subject: [ietf-privacy] PPM Review of RFC 1108 This RFC defines an IP header option for "security options." The options enable hosts to mark their traffic as belonging to a particular security level. Presumably, secure routers will ensure that traffic marked with a specific security option is contained within a network that meets the corresponding security requirements. The RFC was written in 1988, before we started writing security considerations in RFC. A security consideration section would probably have listed the two major issues with the option, use by unauthorized hosts and use in unsecure networks. If a network allows for traffic from both secure and unsecure sources, unsecure sources can easily insert spoof IP addresses and insert options in the IP header. This could be used for sending attack packets to secure system, despite attempts at compartmenting the network. Ping of death and variants come to mind. A mobile host that is allowed to send secure traffic may inadvertently visit an insecure network. In that case, using the option provides for easy identification of the host as a potential target. Mobile hosts were not common in 1988, and this threat was not envisaged in the RFC. This was then. By now, IP options are very rarely used. The RFC should probably be reclassified as historic.
_______________________________________________ ietf-privacy mailing list [email protected] https://www.ietf.org/mailman/listinfo/ietf-privacy
