Security Attacks Found Against the Stream Control Transmission Protocol (SCTP) and Current Countermeasures
RFC 5062

Approval announcement
Draft of message to be sent after approval:

From: The IESG <iesg-secretary@ietf.org>
To: IETF-Announce <ietf-announce@ietf.org>
Cc: Internet Architecture Board <iab@iab.org>,
    RFC Editor <rfc-editor@rfc-editor.org>
Subject: Document Action: 'Security Attacks Found Against SCTP 
         and Current Countermeasures' to Informational RFC 

The IESG has approved the following document:

- 'Security Attacks Found Against SCTP and Current Countermeasures '
   <draft-ietf-tsvwg-sctpthreat-06.txt> as an Informational RFC

This document is the product of the Transport Area Working Group. 

The IESG contact persons are Lars Eggert and Magnus Westerlund.

A URL of this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-tsvwg-sctpthreat-06.txt

Technical Summary
 
   The Stream Control Transmission Protocol defined in RFC 2960
   is a multi-homed transport protocol. As such, unique
   security threats exists that are addressed in various ways
   within the protocol itself. This document attempts to detail
   the known security threats and their countermeasures as
   detailed in the current version of the SCTP Implementers
   guide RFC 4460.
 
Working Group Summary
 
   There is strong consensus in the WG to publish this
   document. It has been reviewed by several people in the WG
   last call. Comments raised has been addressed.
 
Protocol Quality
 
   This is not a protocol document, therefore there are no
   implementations of what this document offers.
   
Personnel
   
   James Polk (jmpolk@cisco.com) is the document Shepherd. Lars
   Eggert (lars.eggert@nokia.com) is the responsible Area
   Director.

Note to RFC Editor
 
   Note: This document assumes that draft-ietf-tsvwg-2960bis
   will be assigned the RFC number 4960 that has been reserved
   for it. If that for some reason won't happen, parts of the text
   need to be adjusted.

Section 1., paragraph 1:
OLD:
    using techniques from the SCTP Specification Errata and Issues memo
    ([RFC4460]).  These techniques are included in
    ^^^^^^^^^^^
NEW:
    using techniques from the SCTP Specification Errata and Issues memo
    [RFC4460].  These techniques are included in
    ^^^^^^^^^


Section 1., paragraph 2:
OLD:
    This work and some of the changes that went into the [RFC4460] and
                                                     ^^^
    [I-D.ietf-tsvwg-2960bis] are much indebted to the paper on potential
    SCTP security risks Effects [effects] by Aura, Nikander and
                        ^^^^^^^^^^^^^^^^^
NEW:

    This work and some of the changes that went into [RFC4460] and
                                                    ^
    [I-D.ietf-tsvwg-2960bis] are much indebted to the paper on potential
    SCTP security risks [EFFECTS] by Aura, Nikander and
                        ^^^^^^^^^


Section 1., paragraph 3:
OLD:
    that were illustrated in Effects [effects] and detail what
                             ^^^^^^^^^^^^^^^^^
NEW:
    that were illustrated in [EFFECTS] and detail what
                             ^^^^^^^^^


Section 2.2., paragraph 1:
OLD:
    were made in the BSD implementation that are now present in the
                                                                ^^^
    [I-D.ietf-tsvwg-2960bis].  In close examination, this attack depends

NEW:
    were made in the BSD implementation that are now present in
                                                                ^
    [I-D.ietf-tsvwg-2960bis].  In close examination, this attack depends


Section 3., paragraph 1:
OLD:
    However with the addition of the [I-D.ietf-tsvwg-addip-sctp]
    extension to SCTP an endpoint that is NOT a man-in-the-middle may be
    able to assume another endpoints association.

NEW:
    However, with the addition of the SCTP extension specified in
    [I-D.ietf-tsvwg-addip-sctp], an endpoint that is NOT a
    man-in-the-middle may be able to assume another endpoints association.



Section 3.2., paragraph 2:
OLD:
    1) Both endpoints must support the [I-D.ietf-tsvwg-addip-sctp]
       extension.

NEW:
    1) Both endpoints must support the SCTP extension specified in
       [I-D.ietf-tsvwg-addip-sctp].


Section 3.2., paragraph 3:
OLD:
    2) One of the endpoints must be using the [I-D.ietf-tsvwg-addip-sctp]
       extension for mobility.

NEW:
    2) One of the endpoints must be using the SCTP extension for mobility
       specified in [I-D.ietf-tsvwg-addip-sctp].


Section 3.3., paragraph 1:
OLD:
    this attack.  Furthermore the use of the [I-D.ietf-tsvwg-addip-sctp]
    extensions requires the use of the authentication mechanism defined
    in [I-D.ietf-tsvwg-sctp-auth].

NEW:
    this attack.  Furthermore, use of the SCTP extension specified in
    [I-D.ietf-tsvwg-addip-sctp] requires the use of the authentication
    mechanism defined in [I-D.ietf-tsvwg-sctp-auth].


Section 13.2., paragraph 1:
OLD:
    [effects]  Aura, T., Nikander, P., and G. Camarillo, "Effects of
    ^^^^^^^^^
NEW:
    [EFFECTS]  Aura, T., Nikander, P., and G. Camarillo, "Effects of
    ^^^^^^^^^