You said that your system solves a problem of DoS'ing TCP-based VPN connections. This is a very promising claim and I am sure people other than myself would be interested to know if the claim is substantial.
Just to clarify - the problem I am referring to is an event of (malicious) 3rd party unsolicitedly terminating P2P TCP session with forged FIN or RST packet. Since RFC-compliant TCP packets do not carry any authentication information (except for BGP/MD5 extension), it is not possible to detect such forgery, which in turn means that the VPN link is trivial to take down.

Thanks,
Alex

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Capone
> Sent: Friday, December 15, 2006 1:57 PM
> To: 'theory and practice of decentralized computer networks'
> Subject: RE: [p2p-hackers] A new approach to NAT/Firewall traversal
>
> Yes, it is compliant. If you want to take this offline please send email to
> [EMAIL PROTECTED]
>
> Thanks,
> Jeff
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Alex Pankratov
> Sent: Friday, December 15, 2006 2:55 PM
> To: 'theory and practice of decentralized computer networks'
> Subject: RE: [p2p-hackers] A new approach to NAT/Firewall traversal
>
> Hmm .. so this is not a standard-compliant TCP then?
>
> Alex
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Capone
> > Sent: Friday, December 15, 2006 1:47 PM
> > To: 'theory and practice of decentralized computer networks'
> > Subject: RE: [p2p-hackers] A new approach to NAT/Firewall traversal
> >
> > Hi Alex,
> >
> > We have solved these problems too.
> >
> > 1. We implement our own TCP stack so we do not have the decreased
> > performance due to the double-acking problem - I can elaborate on that
> > more if you like? If you try it out, you will see there is only
> > about a 6% reduction in throughput due to the increased packet size (1
> > extra TCP header).
> >
> > 2. Since we implement our own TCP stack, these attacks should not
> > affect us. We know exactly what we are expecting to receive and
> > firewall the rest.
> >
> > Hope that helps,
> > Jeff
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Alex Pankratov
> > Sent: Friday, December 15, 2006 2:30 PM
> > To: 'theory and practice of decentralized computer networks'
> > Subject: RE: [p2p-hackers] A new approach to NAT/Firewall traversal
> >
> > Jeff,
> >
> > Building VPN connections over TCP has two known problems -
> >
> > * TCP over TCP leading to the problem with retransmissions
> > and resulting in a decreased performance. This is the one
> > you mention below.
> >
> > * the lack of protection against trivial DoS attacks. TCP
> > based VPN can be brought down by an active attacker with
> > exactly one packet. That's unless peers authenticate all
> > TCP packets similar to how BGP does with MD5 checksums.
> >
> > Second point is why IMO TCP-based tunneling must be the absolutely
> > last fall-back option as far as a choice for the transport medium
> > goes.
> >
> > Additionally, regarding TCP NAT traversal. In my experience a simple
> > symmetrical TCP open works very well for connecting two NATed peers as
> > long as the port prediction is accurate.
> > I am very curious to know why you opted for carrying initial P2P TCP
> > signaling OOB.
> >
> > Thanks,
> > Alex
> >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Capone
> > > Sent: Friday, December 15, 2006 12:15 PM
> > > To: [email protected]
> > > Subject: [p2p-hackers] A new approach to NAT/Firewall traversal
> > >
> > > Hi,
> > >
> > > If anyone is interested, we have developed an alternative approach to
> > > firewall/NAT traversal using TCP.
> > >
> > > If you are interested in how it works, let me know. If you are
> > > interested in trying it out you can download it from
> > > http://www.leafnetworks.net
> > >
> > > Here is a brief overview of what we do...
> > >
> > > The Leaf 2006 client software uses "Out-of-Band TCP Signaling" to form
> > > a TCP connection between two computers running the Leaf 2006 client
> > > software. This out-of-band signaling is achieved by creating a control
> > > channel that is set up using the Leaf Peer Server and used to broker
> > > all the TCP signaling traffic. Once the TCP connection is formed, the
> > > control channel is torn down and there is a direct TCP connection
> > > between each computer.
> > >
> > > Once this socket connection is formed, it is used to create a virtual
> > > private network (VPN) interface that you see as the Leaf Network
> > > Adapter on your computer. Most VPN solutions that tunnel traffic over
> > > a TCP socket connection suffer from performance degradation - up to
> > > 40% loss in bandwidth. However, we have solved this problem and you
> > > will achieve full bandwidth connectivity between two computers
> > > connected in a Leaf Network.
> > > Once the private network is formed, we protect it with a built-in
> > > firewall for the Leaf Network Adapter.

_______________________________________________
p2p-hackers mailing list
[email protected]
http://lists.zooko.com/mailman/listinfo/p2p-hackers
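Alex's point is that a standards-compliant receiver has nothing in a bare RST or FIN to check against, and that the BGP MD5 option is the exception. As an added example that is not from the thread or from Leaf's software, here is that option (RFC 2385 TCP MD5 Signature) worked in Python on the receiver side: a segment signed under the shared key verifies, while an unsigned, re-keyed or altered segment is rejected before it can tear the session down. The addresses, ports, window size and key below are constructed values.

```python
import hashlib
import hmac
import socket
import struct

TCP_PROTO = 6
OPT_MD5, OPT_MD5_LEN = 19, 18        # option kind 19: kind, length, 16-byte digest
PAD = b"\x01\x01"                     # two NOPs pad the option to a 4-byte multiple

def _digest(src_ip, dst_ip, hdr20, payload, key, seg_len):
    # RFC 2385: MD5 over the pseudo-header, the option-free TCP header with a
    # zero checksum, the segment data, and finally the shared key.
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, TCP_PROTO, seg_len))
    m = hashlib.md5()
    for part in (pseudo, hdr20, payload, key):
        m.update(part)
    return m.digest()

def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, payload, key):
    """Sender side: 20-byte header + MD5 signature option + payload."""
    opt_len = OPT_MD5_LEN + len(PAD)                       # 20 bytes of options
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                      ((20 + opt_len) // 4) << 4, flags, 8192, 0, 0)
    seg_len = 20 + opt_len + len(payload)
    sig = _digest(src_ip, dst_ip, hdr, payload, key, seg_len)
    return hdr + struct.pack("!BB", OPT_MD5, OPT_MD5_LEN) + sig + PAD + payload

def verify_segment(src_ip, dst_ip, segment, key):
    """Receiver side: accept only segments carrying a valid signature."""
    doff = (segment[12] >> 4) * 4
    hdr = segment[:16] + b"\x00\x00" + segment[18:20]      # zero the checksum
    opts, payload, i, sig = segment[20:doff], segment[doff:], 0, None
    while i < len(opts) and opts[i] != 0:                  # walk the option list
        if opts[i] == 1:                                   # NOP
            i += 1
            continue
        length = opts[i + 1] if i + 1 < len(opts) else 0
        if length < 2:
            return False                                   # malformed option
        if opts[i] == OPT_MD5 and length == OPT_MD5_LEN:
            sig = opts[i + 2:i + 18]
        i += length
    if sig is None:
        return False                                       # unsigned: drop it
    expected = _digest(src_ip, dst_ip, hdr, payload, key, len(segment))
    return hmac.compare_digest(sig, expected)
```

A real stack performs this check before the RST or FIN is acted on, so a segment that fails it never reaches the state machine.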
