On Saturday 08 March 2008 14:30, Michael Rogers wrote:
> Evan Daniel wrote:
> > At least for the near term future, and probably longer, we need an
> > answer other than TCP because of ugliness like Comcast's Sandvine
> > hardware. Forged TCP reset packets are non-trivial to deal with, but
> > the equivalent problem doesn't even exist for UDP.
>
> True, UDP is more robust than TCP against this particular attack, but
> that just means the next logical step in the P2P vs ISP arms race is for
> all the P2P apps to move to UDP, and then the ISPs will just start
> throttling UDP instead of forging RSTs. Ultimately if your ISP doesn't
> want to carry your traffic, they won't carry it.

Sure. But it will cost them. RSTs are trivial. The Golden Shield uses RSTs for example, rather than remembering which streams it wants to kill, because statefully killing streams would cost many times more. Throttling UDP likewise would cause other problems: it would slow down Skype dramatically, alienating a lot of users, so they'd need to put more hardware in to detect Skype...

> > Also, most consumer-level NATs are probably old devices that won't be
> > upgraded any time soon. Remember, we want to handle an average user's
> > NAT well, even if they can't / won't change the settings when Freenet
> > asks them to.
>
> Legacy NATs are definitely a problem, but I'm not sure they're a bigger
> problem for TCP than UDP - AFAIK most legacy NATs that allow UDP
> hole-punching also allow TCP hole-punching (I could be wrong about this,
> but I thought the STUNT developers got NAT traversal success rates that
> were comparable to UDP).

Classic STUNT is far more complex than UDP traversal, requires listening on raw sockets (i.e. needs root), and requires using a globally reachable STUNT server, which is required to send a spoofed SYNACK to each side! A competent ISP (admittedly there aren't many!) will implement spoofing protection, so this is again a source of unreliability. It also requires setting the TTL, which we can't do in Java, although admittedly we can't set the don't-fragment bit either in Java. Whereas with UDP, if both ends know the other's IP:port they can connect without problems; STUN is only used for IP detection.

> Cheers,
> Michael
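Added example, not from this thread or from Freenet: a small Python detector for the forged-RST injection discussed above, working from a defender's capture. It relies on an assumed heuristic (an in-path injector spoofs the peer's address but sits a different hop count away, so its IP TTL rarely matches the TTL the real peer has been sending) and on a constructed trace; the `Pkt` layout and `ttl_tolerance` value are assumptions, not anything from the post.

```python
from collections import namedtuple

# Minimal view of a captured TCP segment (constructed format, not a pcap parser).
Pkt = namedtuple("Pkt", "src sport dst dport flags ttl seq")


def flow_key(p):
    """Identify one direction of a flow by sender and receiver endpoints."""
    return (p.src, p.sport, p.dst, p.dport)


def find_forged_rsts(packets, ttl_tolerance=2):
    """Return indices of RST segments whose IP TTL disagrees with every TTL
    previously seen on non-RST segments from the same sender on that flow.
    Heuristic (assumption): a spoofed RST from middlebox hardware usually
    arrives with a different remaining TTL than the genuine peer's packets.
    RSTs with no prior baseline are not flagged, to limit false positives."""
    baseline = {}   # flow_key -> TTLs observed on non-RST segments
    suspicious = []
    for i, p in enumerate(packets):
        key = flow_key(p)
        if "R" in p.flags:
            seen = baseline.get(key)
            if seen is not None and all(abs(p.ttl - t) > ttl_tolerance for t in seen):
                suspicious.append(i)
        else:
            baseline.setdefault(key, []).append(p.ttl)
    return suspicious


# Constructed trace: a handshake and one data segment from the real peer
# (TTL 52), then an injected RST arriving with TTL 61, then a genuine RST.
SAMPLE_TRACE = [
    Pkt("10.0.0.5", 40001, "203.0.113.9", 6881, "S", 64, 1000),
    Pkt("203.0.113.9", 6881, "10.0.0.5", 40001, "SA", 52, 5000),
    Pkt("10.0.0.5", 40001, "203.0.113.9", 6881, "A", 64, 1001),
    Pkt("203.0.113.9", 6881, "10.0.0.5", 40001, "PA", 52, 5001),
    Pkt("203.0.113.9", 6881, "10.0.0.5", 40001, "R", 61, 5101),  # injected
    Pkt("203.0.113.9", 6881, "10.0.0.5", 40001, "R", 52, 5101),  # genuine
]

if __name__ == "__main__":
    for idx in find_forged_rsts(SAMPLE_TRACE):
        print("suspicious RST at index", idx, SAMPLE_TRACE[idx])  # prints index 4
```

On a real capture the same logic would be fed from a pcap reader; TTL alone is a signal for investigation, not proof, since route changes also shift TTLs.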
_______________________________________________
Devl mailing list
[email protected]
http://emu.freenetproject.org/cgi-bin/mailman/listinfo/devl
