* Matthew Toseland <[EMAIL PROTECTED]> [2008-03-10 17:09:33]:
> On Monday 10 March 2008 14:20, NextGen$ wrote:
> > * Matthew Toseland <[EMAIL PROTECTED]> [2008-03-10 13:57:28]:
> >
> > > On Saturday 08 March 2008 14:30, Michael Rogers wrote:
> > > > Evan Daniel wrote:
> > > > > At least for the near term future, and probably longer, we need an
> > > > > answer other than TCP because of ugliness like Comcast's Sandvine
> > > > > hardware. Forged TCP reset packets are non-trivial to deal with, but
> > > > > the equivalent problem doesn't even exist for UDP.
> > > >
> > > > True, UDP is more robust than TCP against this particular attack, but
> > > > that just means the next logical step in the P2P vs ISP arms race is for
> > > > all the P2P apps to move to UDP, and then the ISPs will just start
> > > > throttling UDP instead of forging RSTs. Ultimately if your ISP doesn't
> > > > want to carry your traffic, they won't carry it.
> > >
> > > Sure. But it will cost them. RSTs are trivial. The Golden Shield uses RSTs for
> > > example, rather than remembering which streams it wants to kill. Because
> > > statefully killing streams would cost many times more.
> >
> > Send any "hard" ICMP error and you're done killing it ;)
>
> Hmmm?
Chosen extracts of RFC 1122:

    A host SHOULD generate Destination Unreachable messages with
    code:

        2 (Protocol Unreachable), when the designated transport
          protocol is not supported; or

        3 (Port Unreachable), when the designated transport
          protocol (e.g., UDP) is unable to demultiplex the
          datagram but has no protocol mechanism to inform the
          sender.

    A Destination Unreachable message that is received MUST be
    reported to the transport layer. The transport layer SHOULD
    use the information appropriately; for example, see Sections
    4.1.3.3, 4.2.3.9, and 4.2.4 below. A transport protocol
    that has its own mechanism for notifying the sender that a
    port is unreachable (e.g., TCP, which sends RST segments)
    MUST nevertheless accept an ICMP Port Unreachable for the
    same purpose.

    ...

    4.1.3.3 ICMP Messages

    UDP MUST pass to the application layer all ICMP error
    messages that it receives from the IP layer. Conceptually
    at least, this may be accomplished with an upcall to the
    ERROR_REPORT routine (see Section 4.2.4.1).

    ...

Some people have been playing with icmp-hard-errors on TCP
(http://www.gont.com.ar/drafts/icmp-attacks-against-tcp.html);
I haven't found any literature regarding UDP but I'm almost sure
that you can do similar things with it.
> >
> > > Throttling UDP
> > > likewise would cause other problems: it would slow down skype dramatically,
> > > alienating a lot of users, so they'd need to put more hardware in to detect
> > > skype...
> >
> > Skype can work over TCP if UDP is blocked.
>
> What if it's not blocked but slow?

If RTT is better over TCP they will use TCP I guess.
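The RFC 1122 extracts above say an ICMP Destination Unreachable must be reported to the transport layer and, for UDP, passed on to the application. As an added example (not from this thread and not Freenet's own code), the Python below decodes such a message, verifies its checksum, and reports it only to a local UDP socket whose flow matches the datagram quoted inside the error; every packet, address, port and the socket table are constructed for the example.

```python
"""Added example: decode an ICMP Destination Unreachable (type 3) message and
demultiplex it to the local UDP socket it concerns, the step RFC 1122 requires
before the error is reported to the application.  Every packet, address and
port below is constructed for the example."""
import socket
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

ICMP_DEST_UNREACH = 3
UNREACH_REASONS = {2: "Protocol Unreachable", 3: "Port Unreachable"}
# The two codes the quoted RFC 1122 text singles out; 4.2.3.9 calls them "hard".
HARD_CODES = {2, 3}
IPPROTO_UDP = 17


@dataclass(frozen=True)
class UdpError:
    code: int
    reason: str
    src: str     # source of the datagram that triggered the error (our side)
    sport: int
    dst: str     # its destination (the peer that could not be reached)
    dport: int


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; evaluates to 0 over a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_icmp_unreachable(icmp: bytes) -> Optional[UdpError]:
    """Return the UDP flow quoted inside an ICMP Destination Unreachable.

    None means "nothing UDP should be told about": wrong ICMP type, bad
    checksum, non-IPv4 or non-UDP inner datagram, or a truncated quote.
    """
    # 8-byte ICMP header + 20-byte inner IP header + first 8 bytes of UDP
    if len(icmp) < 8 + 20 + 8:
        return None
    icmp_type, code = struct.unpack("!BB", icmp[:2])
    if icmp_type != ICMP_DEST_UNREACH or inet_checksum(icmp) != 0:
        return None
    inner = icmp[8:]
    vihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", inner[:20])
    ihl = (vihl & 0x0F) * 4
    if (vihl >> 4) != 4 or proto != IPPROTO_UDP or len(inner) < ihl + 8:
        return None
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return UdpError(code, UNREACH_REASONS.get(code, "other"),
                    socket.inet_ntoa(src), sport, socket.inet_ntoa(dst), dport)


# Constructed stand-in for the kernel's socket table: local (addr, port) -> peers it sent to.
SocketTable = Dict[Tuple[str, int], Set[Tuple[str, int]]]


def route_icmp_error(icmp: bytes, sockets: SocketTable) -> Tuple[str, Optional[UdpError]]:
    """Decide what the transport layer does with the message.

    The error is reported only to a local socket that actually sent a datagram
    to the quoted peer; anything else is silently ignored.  That match is the
    check which stops a stack from acting on errors about flows it never had.
    """
    err = parse_icmp_unreachable(icmp)
    if err is None:
        return "ignored", None
    peers = sockets.get((err.src, err.sport))
    if peers is None or (err.dst, err.dport) not in peers:
        return "ignored", err
    return ("hard" if err.code in HARD_CODES else "soft"), err


def build_icmp_unreachable(code: int, src: str, sport: int, dst: str, dport: int) -> bytes:
    """Construct sample input: ICMP header followed by a quoted IPv4/UDP header."""
    udp = struct.pack("!HHHH", sport, dport, 8, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, IPPROTO_UDP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    body = ip + udp
    chk = inet_checksum(struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + body)
    return struct.pack("!BBHI", ICMP_DEST_UNREACH, code, chk, 0) + body


if __name__ == "__main__":
    # Constructed scenario: local socket 10.0.0.5:40000 talks to 198.51.100.7:5353.
    table: SocketTable = {("10.0.0.5", 40000): {("198.51.100.7", 5353)}}
    msg = build_icmp_unreachable(3, "10.0.0.5", 40000, "198.51.100.7", 5353)
    print(route_icmp_error(msg, table))
    stray = build_icmp_unreachable(3, "10.0.0.5", 40000, "203.0.113.9", 5353)
    print(route_icmp_error(stray, table))
```

The point for a defender is the last branch of route_icmp_error: an error whose quoted datagram names no local socket, or a peer that socket never sent to, is dropped before the application ever hears of it, so the quality of that matching is what determines how much an unsolicited error can do.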
_______________________________________________
Devl mailing list
[email protected]
http://emu.freenetproject.org/cgi-bin/mailman/listinfo/devl
