Security Threats and Security Requirements for the Access Node Control Protocol (ANCP)
RFC 5713
Yes
No Objection
Note: This ballot was opened for revision 08 and is now closed.
Lars Eggert No Objection
(Ralph Droms; former steering group member) Yes
(Adrian Farrel; former steering group member) No Objection
(Cullen Jennings; former steering group member) No Objection
(Dan Romascanu; former steering group member) (was Discuss) No Objection
(Robert Sparks; former steering group member) No Objection
(Ron Bonica; former steering group member) No Objection
(Tim Polk; former steering group member) No Objection
In section 3, first paragraph after the list of components:
The threat model and the security requirments in this draft consider this
later case.
s/later/latter/
In section 4, the document identifies three classes of attacks, but bullet three seems to identify two overlapping classes:
o attacks to gain profit for the attacker (e.g., by modifying the
QoS settings). Also, through replaying old packets, of another
privileged client for instance, an attacker can attempt to
configure a better QoS profile on its own DSL line increasing its
own benefit.
This is fine if there are no attacks that gain profit which do not involve modifying the
QoS settings. Are the authors confident that there are 3 rather than 4 classes?