Rifaat, Thanks for your reading of the document.
The security section has a paragraph that begins: """ An attacker with the ability to inject DHCP messages or RAs could include an option from this document to force users to contact an address of his choosing. As an attacker with this capability could simply list himself as the default gateway (and so intercept all the victim's traffic); this does not provide them with significantly more capabilities, but because this document removes the need for interception, the attacker may have an easier time performing the attack... """ Do you have any specific ideas for what text might be added to clarify vis. your concern? Would a sentence that captures your "the use of TLS and presenting the identity in the certificate might not be of much help" observation suffice? Thanks, -Erik On Fri, 1 May 2020 at 05:10, Rifaat Shekh-Yusef via Datatracker < nore...@ietf.org> wrote: > Reviewer: Rifaat Shekh-Yusef > Review result: Has Issues > > Since the use of IP address literal is not forbidden by this document, > what if > an attacker with the ability to inject DHCP messages or RAs uses this > option > to force the user to contact an IP address of his choosing? In this case, > the use > of TLS and presenting the identity in the certificate might not be of much > help. > > I think this case should be discussed in the security consideration > section. > > >
_______________________________________________ Captive-portals mailing list Captive-portals@ietf.org https://www.ietf.org/mailman/listinfo/captive-portals
