On 24/02/2021 21:28, tincanteksup wrote:
On 24/02/2021 20:05, Marc SCHAEFER wrote:
On Wed, Feb 24, 2021 at 07:27:09PM +0000, tincanteksup wrote:
I wonder if IPv6 has any new features which can customise the initial
Syn packet in any way ?
Not to my knowledge. Why would you want to do that?
Just a passing thought .. I think I just sort of re-invented syn-cookies
without realising it ;-)
I was thinking that IPv6 might have something like that actually defined
by RFC and built in to a syn packet. I mean, why not ?
In fact, this idea seems to TCP Fast Open
(https://tools.ietf.org/html/rfc7413)
Similar to but not the same as TFO.
In my idea, the initial client SYN would have an encrypted cookie if it
came from OpenVPN client. The server could simply drop all SYN *with
Zero ACK* which do not have this encrypted cookie, to be verified by
OpenVPN not IP stack. So data passed directly to the application for
review and no response from IP until the application allows it.
But after reading the RFC I realise this is way outside the scope of TFO
as it is currently being designed.
Perhaps OpenVPN can suggest this to the IETF ;-)
Another knot to unwrangle ..
R
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users