Last Call Review of draft-ietf-tcpm-rfc8312bis-14
review-ietf-tcpm-rfc8312bis-14-secdir-lc-nir-2022-12-25-00
| Request | Review of | draft-ietf-tcpm-rfc8312bis |
|---|---|---|
| Requested revision | No specific revision (document currently at 15) | |
| Type | Last Call Review | |
| Team | Security Area Directorate (secdir) | |
| Deadline | 2022-12-19 | |
| Requested | 2022-12-05 | |
| Authors | Lisong Xu , Sangtae Ha , Injong Rhee , Vidhi Goel , Lars Eggert | |
| I-D last updated | 2022-12-25 | |
| Completed reviews |
Opsdir Last Call review of -14
by Bo Wu
(diff)
Genart Last Call review of -14 by Ines Robles (diff) Artart Last Call review of -14 by Spencer Dawkins (diff) Secdir Last Call review of -14 by Yoav Nir (diff) |
|
| Assignment | Reviewer | Yoav Nir |
| State | Completed | |
| Request | Last Call review on draft-ietf-tcpm-rfc8312bis by Security Area Directorate Assigned | |
| Posted at | https://mailarchive.ietf.org/arch/msg/secdir/Ivgv89arFVghBPrzrvc4jBe0JWk | |
| Reviewed revision | 14 (document currently at 15) | |
| Result | Has nits | |
| Completed | 2022-12-25 |
review-ietf-tcpm-rfc8312bis-14-secdir-lc-nir-2022-12-25-00
This document is a renewal of RFC 8312 in order to progress in the standards track. The document fixes some language and revises the authors, but significantly describes the standard as something that has already been adopted and implemented in multiple popular operating systems. The security considerations section is very brief, and reads as follows: CUBIC makes no changes to the underlying security of TCP. More information about TCP security concerns can be found in [RFC5681]. This is a claim, which I believe to be true, but it also should be substantiated. Specifically changing the window computation on the sender may allow an attacker, through dropping or injecting ACKs (a practice described in RFC 5681), to either force the CUBIC implementation to reduce its bandwidth, or to convince it that there is no congestion when congestion does exist, and use the CUBIC implementation as an attack vector against other hosts. Of course, these attacks are only interesting if they give the attacker some significant power not afforded by plain old TCP. So why is this a nit? Because I believe this is the case, and all I'm missing is a statement that it is so.