Hi Tero,
> -Original Message-
> From: Tero Kivinen [mailto:kivi...@iki.fi]
> Sent: Monday, May 30, 2022 10:26 PM
> To: Valery Smyslov
> Cc: 'Christian Huitema'; sec...@ietf.org;
> draft-ietf-ipsecme-rfc8229bis@ietf.org; ipsec@ietf.org; last-
> c...@ietf.org
> Subject: RE: Secdir last
Hi Joe,
From: to...@strayalpha.com [mailto:to...@strayalpha.com]
Sent: Monday, May 30, 2022 10:57 PM
To: Tero Kivinen
Cc: Valery Smyslov; Christian Huitema; sec...@ietf.org;
draft-ietf-ipsecme-rfc8229bis@ietf.org; ipsec@ietf.org; last-c...@ietf.org
Subject: Re: [Last-Call] Secdir last cal
Valery Smyslov writes:
> Agree, that's what is in the suggested text:
>
> o  if an attacker alters the content of the Length field that
> separates packets, then the receiver will incorrectly identify the
> margins of the following packets and will drop all of them or even
> t
On May 31, 2022, at 8:29 AM, Tero Kivinen wrote:
>
> I think we should tear down the TCP stream immediately if we detect
> that length bytes can't be correct.
If that’s the case, then you’re opening up this approach to a much lower bar to
attacks.
It would be significantly more useful to find
Some notes below...
> On May 31, 2022, at 4:14 AM, Valery Smyslov wrote:
>
> Hi Joe,
>
> From: to...@strayalpha.com [mailto:to...@strayalpha.com]
> Sent: Monday, May 30, 2022 10:57 PM
> To: Tero Kivinen
> Cc: Valery Smyslov; Christian Huitema; sec...@ietf.org;
> draft-ietf-ipsecme-rfc8229bis
Hi Tero,
> Valery Smyslov writes:
> > Agree, that's what is in the suggested text:
> >
> > o  if an attacker alters the content of the Length field that
> > separates packets, then the receiver will incorrectly identify the
> > margins of the following packets and will drop all of t
Hi Joe,
From: to...@strayalpha.com [mailto:to...@strayalpha.com]
Sent: Tuesday, May 31, 2022 7:12 PM
To: Tero Kivinen
Cc: Valery Smyslov; Christian Huitema; sec...@ietf.org;
draft-ietf-ipsecme-rfc8229bis@ietf.org; ipsec@ietf.org; last-c...@ietf.org
Subject: Re: [Last-Call] [IPsec] Secdir
On 5/30/2022 8:20 AM, to...@strayalpha.com wrote:
On May 30, 2022, at 8:00 AM, Christian Huitema wrote:
The bar against TCP injection attacks might be lower than you think. An
attacker that sees the traffic can easily inject a TCP packet with a sequence
number that fits in the flow control window
Reviewer: Reese Enghardt
Review result: Ready with Nits
I am the assigned Gen-ART reviewer for this draft. The General Area
Review Team (Gen-ART) reviews all IETF documents being processed
by the IESG for the IETF Chair. Please treat these comments just
like any other last call comments.
For mor
On 5/30/2022 8:28 AM, Valery Smyslov wrote:
Hi Joe, Christian,
...
I suggest we add the following text to the Security considerations:
TCP data injection attacks have no effect on application data since
IPsec provides data integrity. However, they can