
Re: Last Call: Security Architecture for the Internet Protocol to Proposed Standard




>>>>> "Steven" == Steven M Bellovin <smb@research.att.com> writes:
    Steven> You're right -- IPsec will not permit window-size
    Steven> spoofing.  To understand why, imagine that an enemy were

  Are there not TCP options that allow the window size to be
expanded? I realize that those options are not widely deployed. I will
postulate this:
  - real systems without the expanded window size options probably
	don't have IPsec either. 
  - VPN gateways already have a machine at each end that could
	do the window-size spoofing, and in the case of per-host
	keying, already have almost all the state as well. Seems like
	a neat value add to me.

]     Network Security Consulting and Contract Programming      |  SSH IPsec  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |international[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |strong crypto[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [

