Re: Last Call: Security Architecture for the Internet Protocol to Proposed Standard
>>>>> "Steven" == Steven M Bellovin <smb@research.att.com> writes:

Steven> You're right -- IPsec will not permit window-size
Steven> spoofing. To understand why, imagine that an enemy were

Are there not TCP options that allow the window size to be
expanded? I realize that those options are not widely deployed. I will
postulate this:

- real systems without the expanded window size options probably
  don't have IPsec either.
- VPN gateways already have a machine at each end that could
  do the window-size spoofing, and in the case of per-host
  keying, already have almost all the state as well. Seems like
  a neat value add to me.

] Network Security Consulting and Contract Programming | SSH IPsec [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |international[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |strong crypto[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy"); [