Sent from my iPad
> On May 21, 2014, at 9:47 PM, Christian Huitema <huit...@microsoft.com> wrote:
>
> This RFC defines an IP header option for "security options." The options enable hosts to mark their traffic as belonging to a particular security level. Presumably, secure routers will ensure that traffic marked with a specific security option is contained within a network that meets the corresponding security requirements.
>
> The RFC was written in 1988, before we started writing security considerations in RFC. A security consideration section would probably have listed the two major issues with the option, use by unauthorized hosts and use in unsecure networks.

And the security implications of a "look at me!" flag?

> If a network allows for traffic from both secure and unsecure sources, unsecure sources can easily insert spoof IP addresses and insert options in the IP header. This could be used for sending attack packets to secure system, despite attempts at compartmenting the network. Ping of death and variants come to mind.
>
> A mobile host that is allowed to send secure traffic may inadvertently visit an insecure network. In that case, using the option provides for easy identification of the host as a potential target. Mobile hosts were not common in 1988, and this threat was not envisaged in the RFC.
>
> This was then. By now, IP options are very rarely used. The RFC should probably be reclassified as historic.

Or worse...

> _______________________________________________
> ietf-privacy mailing list
> ietf-privacy@ietf.org
> https://www.ietf.org/mailman/listinfo/ietf-privacy
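The first issue raised in the quoted message, an unauthorized host inserting the option into its own packets, is something a monitor at a network boundary can check for directly. The following is an added example, not code from this thread or from the RFC under discussion: it parses the IPv4 option list, recognises the Security (130) and Extended Security (133) option type codes from the IANA IP Option Numbers registry, and flags any packet carrying either option from a source outside a trusted range. The trusted range, the sample packets and the option payload bytes are constructed for the example.

```python
import ipaddress
import struct

# IPv4 option type codes (IANA "IP Option Numbers" registry).
OPT_EOOL = 0     # End of Options List
OPT_NOP = 1      # No Operation
OPT_SEC = 130    # Security: the option the thread discusses
OPT_ESEC = 133   # Extended Security

# Constructed for the example: networks whose hosts are allowed to mark traffic.
TRUSTED_NETS = [ipaddress.ip_network("10.1.0.0/16")]

# Constructed Security option: type 130, total length 4, two payload bytes.
SAMPLE_SEC_OPTION = bytes([OPT_SEC, 4, 0x5A, 0x00])


def parse_ipv4_options(packet: bytes) -> list[tuple[int, bytes]]:
    """Return (type, data) for each option in an IPv4 header.

    Raises ValueError on a truncated or malformed option list; a monitor
    should log such packets rather than silently pass them.
    """
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    if packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(packet):
        raise ValueError("bad IHL")
    options = packet[20:ihl]
    parsed = []
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == OPT_EOOL:
            break
        if kind == OPT_NOP:          # single-byte option, no length field
            parsed.append((kind, b""))
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("option missing length byte")
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError(f"option {kind} has bad length {length}")
        parsed.append((kind, options[i + 2:i + length]))
        i += length
    return parsed


def classify_security_options(packet: bytes, trusted_nets) -> dict:
    """Flag a Security/Extended Security option arriving from an untrusted source."""
    opts = parse_ipv4_options(packet)
    src = ipaddress.IPv4Address(packet[12:16])
    has_sec = any(kind in (OPT_SEC, OPT_ESEC) for kind, _ in opts)
    trusted = any(src in net for net in trusted_nets)
    return {
        "src": str(src),
        "security_option_present": has_sec,
        # The spoofing case from the thread: marked traffic from a host
        # that is not in a network permitted to use the option.
        "suspicious": has_sec and not trusted,
    }


def build_ipv4_header(src: str, dst: str, options: bytes = b"") -> bytes:
    """Construct a minimal IPv4 header (no payload) carrying raw option bytes."""
    options += b"\x00" * ((-len(options)) % 4)   # pad with EOOL to 32-bit boundary
    ihl = 5 + len(options) // 4
    fixed = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | ihl, 0, 20 + len(options), 0, 0, 64, 6, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )
    return fixed + options


def demo() -> list[dict]:
    """Run the check over three constructed packets and return the verdicts."""
    packets = [
        build_ipv4_header("10.1.2.3", "10.1.0.9", SAMPLE_SEC_OPTION),     # trusted, marked
        build_ipv4_header("192.0.2.55", "10.1.0.9", SAMPLE_SEC_OPTION),   # untrusted, marked
        build_ipv4_header("192.0.2.55", "10.1.0.9"),                      # untrusted, unmarked
    ]
    return [classify_security_options(p, TRUSTED_NETS) for p in packets]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The check is deliberately narrow: it does not interpret the option payload, only its presence and origin, because (as the quoted message notes) the marking itself is the problem when an untrusted host can set it. A border device that strips or drops IP options entirely gives the same protection with less parsing.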