RFC 3552 - Guidelines for Writing RFC Text on Security Considerations

Network Working Group
E. Rescorla, RTFM, Inc.
B. Korver, Xythos Software
Internet Architecture Board (IAB)
Request for Comments: 3552
BCP: 72
Category: Best Current Practice
Date: July 2003

Status of this Memo

This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (2003). All Rights Reserved.

Abstract

All RFCs are required to have a Security Considerations section. Historically, such sections have been relatively weak. This document provides guidelines to RFC authors on how to write a good Security Considerations section.

Contents

• 1. Introduction
  • 1.1. Requirements
• 2. The Goals of Security
  • 2.1. Communication Security
  • 2.2. Non-Repudiation
  • 2.3. Systems Security
• 3. The Internet Threat Model
  • 3.1. Limited Threat Models
  • 3.2. Passive Attacks
  • 3.3. Active Attacks
  • 3.4. Topological Issues
  • 3.5. On-path versus off-path
  • 3.6. Link-local
• 4. Common Issues
  • 4.1. User Authentication
  • 4.2. Generic Security Frameworks
  • 4.3. Non-repudiation
  • 4.4. Authorization vs. Authentication
  • 4.5. Providing Traffic Security
  • 4.6. Denial of Service Attacks and Countermeasures
  • 4.7. Object vs. Channel Security
  • 4.8. Firewalls and Network Topology
• 5. Writing Security Considerations Sections
• 6. Examples
  • 6.1. SMTP
  • 6.2. VRRP
• 7. Acknowledgments
• 8. Normative References
• 9. Informative References
• 10. Security Considerations
• Appendix A
• Authors' Addresses