PWG-ANNOUNCE> Recent Security-related RFCs

PWG-ANNOUNCE> Recent Security-related RFCs

McDonald, Ira imcdonald at sharplabs.com
Sun Apr 8 20:45:03 EDT 2007


Hi,

RFC 4732 (November 2006)
"Internet Denial-of-Service Considerations"
   This document provides an overview of possible avenues for denial-
   of-service (DoS) attack on Internet systems.  The aim is to encourage
   protocol designers and network engineers towards designs that are
   more robust.  We discuss partial solutions that reduce the
   effectiveness of attacks, and how some solutions might inadvertently
   open up alternative vulnerabilities.

**** Highly relevant to P2600 - an excellent tutorial on the range
     and types of DoS attacks, including end systems (e.g., printers)


RFC 4772 (December 2006)
"Security Implications of Using the Data Encryption Standard (DES)"
   The Data Encryption Standard (DES) is susceptible to brute-force
   attacks, which are well within the reach of a modestly financed
   adversary.  As a result, DES has been deprecated, and replaced by the
   Advanced Encryption Standard (AES).  Nonetheless, many applications
   continue to rely on DES for security, and designers and implementers
   continue to support it in new applications.  While this is not always
   inappropriate, it frequently is.  This note discusses DES security
   implications in detail, so that designers and implementers have all
   the information they need to make judicious decisions regarding its
   use.

**** Highly relevant to P2600 and IPP - DES is no longer approved for
     unclassified uses after May 19,2007 by the US government - DES
     was never approved for classified uses by the US government


RFC 4775 (December 2006)
"Procedures for Protocol Extensions and Variations"
   This document discusses procedural issues related to the
   extensibility of IETF protocols, including when it is reasonable to
   extend IETF protocols with little or no review, and when extensions
   or variations need to be reviewed by the IETF community.  Experience
   has shown that extension of protocols without early IETF review can
   carry risk.  The document also recommends that major extensions to or
   variations of IETF protocols only take place through normal IETF
   processes or in coordination with the IETF.

   This document is directed principally at other Standards Development
   Organizations (SDOs) and vendors considering requirements for
   extensions to IETF protocols.  It does not modify formal IETF
   processes.

**** Highly relevant to PWG with respect to IPP extensions


RFC 4778 (January 2007)
"Current Operational Security Practices in Internet Service Provider 
Environments"
   This document is a survey of the current practices used in today's
   large ISP operational networks to secure layer 2 and layer 3
   infrastructure devices.  The information listed here is the result of
   information gathered from people directly responsible for defining
   and implementing secure infrastructures in Internet Service Provider
   environments.

**** Fascinating - EVERY surveyed ISP disables HTTP out-of-band
     management


Cheers,
- Ira

Ira McDonald (Musician / Software Architect)
Chair - Linux Foundation Open Printing WG
Blue Roof Music / High North Inc
PO Box 221  Grand Marais, MI  49839
phone: +1-906-494-2434
email: imcdonald at sharplabs.com

-- 
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.5.446 / Virus Database: 268.18.26/751 - Release Date: 4/7/2007 10:57 PM
 




More information about the Pwg-announce mailing list