Security Threats and Security Requirements for the Access Node Control Protocol (ANCP)
RFC 5713
Yes
(Ralph Droms)
No Objection
Lars Eggert
(Adrian Farrel)
(Cullen Jennings)
(Dan Romascanu)
(Robert Sparks)
(Ron Bonica)
(Tim Polk)
Note: This ballot was opened for revision 08 and is now closed.
Lars Eggert
No Objection
Ralph Droms Former IESG member
Yes
Adrian Farrel Former IESG member
No Objection
Cullen Jennings Former IESG member
No Objection
Dan Romascanu Former IESG member
(was Discuss)
No Objection
Robert Sparks Former IESG member
No Objection
Ron Bonica Former IESG member
No Objection
Tim Polk Former IESG member
No Objection
(2009-07-02)
In section 3, first paragraph after the list of components:

   The threat model and the security requirments in this draft consider this later case.

s/later/latter/

In section 4, the document identifies three classes of attacks, but bullet three seems to identify two overlapping classes:

   o attacks to gain profit for the attacker (e.g., by modifying the QoS settings). Also, through replaying old packets, of another privileged client for instance, an attacker can attempt to configure a better QoS profile on its own DSL line increasing its own benefit.

This is fine if there are no attacks that gain profit which do not involve modifying the QoS settings. Are the authors confident that there are 3 rather than 4 classes?