
Re: TCPIMPL: Minutes from LA Meeting



>   I will make a couple of comments about this.
>   I do not wish to refute Ran's claim --- it is entirely correct. The
> question is what is the impact of it? 

It knocks the link speed right down. I disagree with Ran btw, if you
are lucky enough to be the man in the middle or on the same host as
one end you hardly need any packets to cripple a link. It's only useful
against long streaming connections but it'll take someone's newsfeed
down to crawl level.

>   Except for ICMP packets. "port unreachable" would originate from the
> destination host, which could conceivably transit with IPsec
> protection, but all other useful ICMP packets relevant to TCP originate
> from intermediate hosts/routers: 

Some firewalls send port unreachable messages because the newer administrative
messages are not understood by enough people.

> are not routed as efficiently as they might. Are there other
> repercussions of ignoring them?

The packet may not arrive at all is the other repercussion. IMHO it's unlikely
and it's preferable to attack exposure.

Alan




