| rfc9416v3.txt | rfc9416.txt | |||
|---|---|---|---|---|
| skipping to change at line 316 ¶ | skipping to change at line 316 ¶ | |||
| A vulnerability assessment of the aforementioned transient numeric | A vulnerability assessment of the aforementioned transient numeric | |||
| identifiers MUST be performed as part of the specification process. | identifiers MUST be performed as part of the specification process. | |||
| Such vulnerability assessment should cover, at least, spoofing, | Such vulnerability assessment should cover, at least, spoofing, | |||
| tampering, repudiation, information disclosure, DoS, and elevation of | tampering, repudiation, information disclosure, DoS, and elevation of | |||
| privilege. | privilege. | |||
| | NOTE: Sections 8 and 9 of [RFC9415] provide a general | | NOTE: Sections 8 and 9 of [RFC9415] provide a general | |||
| | vulnerability assessment of transient numeric identifiers, | | vulnerability assessment of transient numeric identifiers, | |||
| | along with a vulnerability assessment of common algorithms for | | along with a vulnerability assessment of common algorithms for | |||
| | generating transient numeric identifiers. Please see | | generating transient numeric identifiers. Please see | |||
| | [Shostack2014] for further guidance on threat modelling. | | [Shostack2014] for further guidance on threat modeling. | |||
| Protocol specifications SHOULD NOT employ predictable transient | Protocol specifications SHOULD NOT employ predictable transient | |||
| numeric identifiers, except when such predictability is the result of | numeric identifiers, except when such predictability is the result of | |||
| their interoperability requirements. | their interoperability requirements. | |||
| Protocol specifications that employ transient numeric identifiers | Protocol specifications that employ transient numeric identifiers | |||
| SHOULD recommend an algorithm for generating the aforementioned | SHOULD recommend an algorithm for generating the aforementioned | |||
| transient numeric identifiers that mitigates the vulnerabilities | transient numeric identifiers that mitigates the vulnerabilities | |||
| identified in the previous step, such as those discussed in | identified in the previous step, such as those discussed in | |||
| [RFC9415]. | [RFC9415]. | |||
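Review bot: the lowercase "should" in "Such vulnerability assessment should cover, at least, spoofing, ..." sits directly after "MUST be performed" and is unchanged in both versions, so it is unclear whether the minimum coverage list is normative. If it is, write "SHOULD" (or "MUST"); if it is not, reword to something like "is expected to cover" so the keyword cannot be misread. The only visible change in this block, "threat modelling" to "threat modeling" in the NOTE, matches the spelling of the [Shostack2014] title and needs no further action.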
| skipping to change at line 474 ¶ | skipping to change at line 474 ¶ | |||
| [RFC8200] Deering, S. and R. Hinden, "Internet Protocol, Version 6 | [RFC8200] Deering, S. and R. Hinden, "Internet Protocol, Version 6 | |||
| (IPv6) Specification", STD 86, RFC 8200, | (IPv6) Specification", STD 86, RFC 8200, | |||
| DOI 10.17487/RFC8200, July 2017, | DOI 10.17487/RFC8200, July 2017, | |||
| <https://www.rfc-editor.org/info/rfc8200>. | <https://www.rfc-editor.org/info/rfc8200>. | |||
| [RFC9293] Eddy, W., Ed., "Transmission Control Protocol (TCP)", | [RFC9293] Eddy, W., Ed., "Transmission Control Protocol (TCP)", | |||
| STD 7, RFC 9293, DOI 10.17487/RFC9293, August 2022, | STD 7, RFC 9293, DOI 10.17487/RFC9293, August 2022, | |||
| <https://www.rfc-editor.org/info/rfc9293>. | <https://www.rfc-editor.org/info/rfc9293>. | |||
| [RFC9414] Gont, F. and I. Arce, "Unfortunate History of Transient | [RFC9414] Gont, F. and I. Arce, "Unfortunate History of Transient | |||
| Numeric Identifiers", RFC 9414, DOI 10.17487/RFC9414, June | Numeric Identifiers", RFC 9414, DOI 10.17487/RFC9414, July | |||
| 2023, <https://www.rfc-editor.org/info/rfc9414>. | 2023, <https://www.rfc-editor.org/info/rfc9414>. | |||
| [RFC9415] Gont, F. and I. Arce, "On the Generation of Transient | [RFC9415] Gont, F. and I. Arce, "On the Generation of Transient | |||
| Numeric Identifiers", RFC 9415, DOI 10.17487/RFC9415, June | Numeric Identifiers", RFC 9415, DOI 10.17487/RFC9415, July | |||
| 2023, <https://www.rfc-editor.org/info/rfc941v>. | 2023, <https://www.rfc-editor.org/info/rfc941v>. | |||
| [Sanfilippo1998a] | [Sanfilippo1998a] | |||
| Sanfilippo, S., "about the ip header id", message to the | Sanfilippo, S., "about the ip header id", message to the | |||
| Bugtraq mailing list, 14 December 1998, | Bugtraq mailing list, December 1998, | |||
| <https://seclists.org/bugtraq/1998/Dec/48>. | <https://seclists.org/bugtraq/1998/Dec/48>. | |||
| [Schuba1993] | [Schuba1993] | |||
| Schuba, C., "Addressing Weakness in the Domain Name System | Schuba, C., "Addressing Weakness in the Domain Name System | |||
| Protocol", August 1993, | Protocol", August 1993, | |||
| <http://ftp.cerias.purdue.edu/pub/papers/christoph-schuba/ | <http://ftp.cerias.purdue.edu/pub/papers/christoph-schuba/ | |||
| schuba-DNS-msthesis.pdf>. | schuba-DNS-msthesis.pdf>. | |||
| [Shostack2014] | [Shostack2014] | |||
| Shostack, A., "Threat Modeling: Designing for Security", | Shostack, A., "Threat Modeling: Designing for Security", | |||
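Review bot: the [RFC9415] reference URL ends in "rfc941v" in both columns, which does not match the DOI 10.17487/RFC9415 in the same entry; it should follow the pattern of the [RFC9414] entry and read <https://www.rfc-editor.org/info/rfc9415>. The June to July date change is applied consistently to both [RFC9414] and [RFC9415]. In [Sanfilippo1998a] the new text drops the day ("14 December 1998" becomes "December 1998"); keeping the full date would make the Bugtraq message easier to locate if the seclists.org link ever changes.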
| End of changes. 4 change blocks. | ||||
| 4 lines changed or deleted | 4 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. | ||||