[LAC-TF] Fwd: [saag] Predictable Numeric Identifiers -- progress?
Fernando Gont
fgont at si6networks.com
Mon Jul 3 20:12:29 BRT 2017
Estimados,
FYI (ver debajo, email forwardeado)
Luego de haber publicado estos I-Ds hace ya un año, IETF continua
publicando especificaciones sin requisitos de seguridad/privacidad
adecuados para los identificadores numericos utilizados.
Uno de los tantos ejemplos es la propia imminente revision de RFC2460
(rfc2460bis), que si bien es mejor que RFC2460, no tiene requisitos de
seguridad respectos de las propiedades de identificadores como el
Fragment ID.
P.S.: Con afecto, de la Iglesia Maradoniana, a la escuela del "Siga,
Siga!" de Francisco "Pancho" Lamolina. :-)
Saludos cordiales,
Fernando
-------- Forwarded Message --------
Subject: [saag] Predictable Numeric Identifiers -- progress?
Date: Mon, 3 Jul 2017 22:49:59 +0300
From: Fernando Gont <fgont at si6networks.com>
To: saag at ietf.org <saag at ietf.org>
CC: privsec-program at iab.org <privsec-program at iab.org>,
iarce at quarkslab.com, secdir at ietf.org <secdir at ietf.org>
Folks,
We have published a revision of a number of I-Ds we had published on the
topic of "security/privacy properties of numeric identifiers", in the
hopes of helping improving the security and privacy properties of the
numeric identifiers employed in IETF protocols.
The main revised I-D is available at:
<https://www.ietf.org/internet-drafts/draft-gont-predictable-numeric-ids-01.txt>
Based on feedback received from SAAG, we have also published the same
content, but split into three stand-alone document (which might be
easier to digest and progress):
* History of flawed numeric identifiers:
<https://www.ietf.org/internet-drafts/draft-gont-numeric-ids-history-02.txt>
* Generation of numeric identifiers:
<https://www.ietf.org/internet-drafts/draft-gont-numeric-ids-generation-01.txt>
* A proposed update to RFC3552, wrt numeric identifiers:
<https://www.ietf.org/internet-drafts/draft-gont-numeric-ids-sec-considerations-01.txt>
The first version of these I-Ds were published one year ago now, and to
some extent were stalled waiting for progress on rfc3552bis. As
expected, rfc3552bis will take time to be published, but the IETF is
still published documents with no proper requirements regarding numeric
I-Ds... which is not a good thing.
At this point we'd like to receive feedback on the topic (whether for
the main/big document, or for the split I-Ds), and also would like to
make progress on these document.
Thoughts?
Thanks!
Best regards,
--
Fernando Gont
SI6 Networks
e-mail: fgont at si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
_______________________________________________
saag mailing list
saag at ietf.org
https://www.ietf.org/mailman/listinfo/saag
More information about the LACTF
mailing list