Yes, that is correct. And that is why TCP-based tunneling is inferior to IP/ESP/UDP/ICMP tunneling: because it is fragile.

So my original comment was: why did you decide to go with TCP as your choice of transport layer?

Alex

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Capone
> Sent: Friday, December 15, 2006 2:22 PM
> To: 'theory and practice of decentralized computer networks'
> Subject: RE: [p2p-hackers] A new approach to NAT/Firewall traversal
>
> Alex,
>
> Correct me if I am wrong, but if someone sends a malicious FIN (that looks
> authentic) to *any* TCP connection it will tear it down.
>
> Thanks,
> Jeff
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex Pankratov
> Sent: Friday, December 15, 2006 3:12 PM
> To: 'theory and practice of decentralized computer networks'
> Subject: RE: [p2p-hackers] A new approach to NAT/Firewall traversal
>
> You said that your system solves a problem of DoS'ing TCP-based VPN
> connections. This is a very promising claim and I am sure people other than
> myself would be interested to know if the claim is substantial.
>
> Just to clarify - the problem I am referring to is an event of a (malicious)
> 3rd party unsolicitedly terminating a P2P TCP session with a forged FIN or
> RST packet. Since RFC-compliant TCP packets do not carry any authentication
> information (except for the BGP/MD5 extension), it is not possible to detect
> such forgery, which in turn means that the VPN link is trivial to take down.
>
> Thanks,
> Alex
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Capone
> > Sent: Friday, December 15, 2006 1:57 PM
> > To: 'theory and practice of decentralized computer networks'
> > Subject: RE: [p2p-hackers] A new approach to NAT/Firewall traversal
> >
> > Yes, it is compliant. If you want to take this offline please send
> > email to [EMAIL PROTECTED]
> >
> > Thanks,
> > Jeff
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex Pankratov
> > Sent: Friday, December 15, 2006 2:55 PM
> > To: 'theory and practice of decentralized computer networks'
> > Subject: RE: [p2p-hackers] A new approach to NAT/Firewall traversal
> >
> > Hmm... so this is not a standard-compliant TCP then?
> >
> > Alex
> >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Capone
> > > Sent: Friday, December 15, 2006 1:47 PM
> > > To: 'theory and practice of decentralized computer networks'
> > > Subject: RE: [p2p-hackers] A new approach to NAT/Firewall traversal
> > >
> > > Hi Alex,
> > >
> > > We have solved these problems too.
> > >
> > > 1. We implement our own TCP stack so we do not have the decreased
> > > performance due to the double-acking problem - I can elaborate on that
> > > more if you like. If you try it out, you will see there is only about a
> > > 6% reduction in throughput due to the increased packet size (1 extra TCP
> > > header).
> > >
> > > 2. Since we implement our own TCP stack, these attacks should not
> > > affect us. We know exactly what we are expecting to receive and
> > > firewall the rest.
> > >
> > > Hope that helps,
> > > Jeff
> > >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex Pankratov
> > > Sent: Friday, December 15, 2006 2:30 PM
> > > To: 'theory and practice of decentralized computer networks'
> > > Subject: RE: [p2p-hackers] A new approach to NAT/Firewall traversal
> > >
> > > Jeff,
> > >
> > > Building VPN connections over TCP has two known problems:
> > >
> > > * TCP over TCP, leading to the problem with retransmissions and
> > > resulting in decreased performance. This is the one you mention below.
> > >
> > > * The lack of protection against trivial DoS attacks. A TCP-based VPN
> > > can be brought down by an active attacker with exactly one packet.
> > > That's unless peers authenticate all TCP packets, similar to how BGP
> > > does with MD5 checksums.
> > >
> > > The second point is why IMO TCP-based tunneling must be the absolutely
> > > last fall-back option as far as the choice of transport medium goes.
> > >
> > > Additionally, regarding TCP NAT traversal: in my experience a simple
> > > symmetrical TCP open works very well for connecting two NATed peers as
> > > long as the port prediction is accurate. I am very curious to know why
> > > you opted for carrying the initial P2P TCP signaling OOB.
> > >
> > > Thanks,
> > > Alex
> > >
> > > > -----Original Message-----
> > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Capone
> > > > Sent: Friday, December 15, 2006 12:15 PM
> > > > To: [email protected]
> > > > Subject: [p2p-hackers] A new approach to NAT/Firewall traversal
> > > >
> > > > Hi,
> > > >
> > > > If anyone is interested, we have developed an alternative approach to
> > > > firewall/NAT traversal using TCP.
> > > >
> > > > If you are interested in how it works, let me know. If you are
> > > > interested in trying it out you can download it from
> > > > http://www.leafnetworks.net
> > > >
> > > > Here is a brief overview of what we do...
> > > >
> > > > The Leaf 2006 client software uses "Out-of-Band TCP Signaling" to form
> > > > a TCP connection between two computers running the Leaf 2006 client
> > > > software. This out-of-band signaling is achieved by creating a control
> > > > channel that is set up using the Leaf Peer Server and used to broker
> > > > all the TCP signaling traffic. Once the TCP connection is formed, the
> > > > control channel is torn down and there is a direct TCP connection
> > > > between each computer.
> > > >
> > > > Once this socket connection is formed, it is used to create a virtual
> > > > private network (VPN) interface that you see as the Leaf Network
> > > > Adapter on your computer. Most VPN solutions that tunnel traffic over
> > > > a TCP socket connection suffer from performance degradation - up to
> > > > 40% loss in bandwidth. However, we have solved this problem and you
> > > > will achieve full bandwidth connectivity between two computers
> > > > connected in a Leaf Network.
> > > >
> > > > Once the private network is formed, we protect it with a built-in
> > > > firewall for the Leaf Network Adapter.
_______________________________________________ p2p-hackers mailing list [email protected] http://lists.zooko.com/mailman/listinfo/p2p-hackers
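The point Alex makes in the quoted thread (a plain TCP session can be torn down by one forged RST or FIN, and the only standard defence he names is the BGP/MD5 extension) can be shown end to end in code. The following is an added example written for this page; it is not code from the thread, from Leaf Networks or from any real stack. It builds TCP segments as byte strings, computes the RFC 2385 "TCP MD5 Signature" option, and feeds the segments to a toy receiver. Addresses, ports, keys and payloads are constructed for the demonstration; the receiver models only the window check and the option check, nothing else of TCP.

```python
"""Added example (not from the thread): one forged in-window RST versus the
RFC 2385 TCP MD5 Signature option, the "BGP/MD5 extension" named above.
Segments are built as byte strings and fed to a toy receiver; nothing touches
the network. Addresses, ports, keys and payloads are constructed."""
import hashlib
import hmac
import socket
import struct

TCP_RST, TCP_ACK = 0x04, 0x10
TCPOPT_NOP, TCPOPT_MD5SIG, TCPOLEN_MD5SIG = 1, 19, 18   # RFC 2385: kind 19, 18 bytes


def _fixed_header(sport, dport, seq, ack, flags, window, opt_len):
    """20-byte TCP header, checksum zeroed; data offset covers the options."""
    doff = 5 + opt_len // 4
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, doff << 4, flags, window, 0, 0)


def tcp_md5_digest(src_ip, dst_ip, header20, seg_len, payload, key):
    """RFC 2385 section 2: MD5 over the IP pseudo-header, the fixed TCP header
    with checksum 0 and no options, the segment data, then the shared key."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, seg_len))
    h = hashlib.md5()
    for part in (pseudo, header20, payload, key):
        h.update(part)
    return h.digest()


def make_segment(src_ip, dst_ip, sport, dport, seq, ack, flags,
                 payload=b"", window=65535, key=None):
    """Wire bytes of one TCP segment; with a key, NOP NOP + MD5 option (20 bytes) is added."""
    opt_len = 20 if key is not None else 0
    header20 = _fixed_header(sport, dport, seq, ack, flags, window, opt_len)
    options = b""
    if key is not None:
        digest = tcp_md5_digest(src_ip, dst_ip, header20, 20 + opt_len + len(payload), payload, key)
        options = bytes([TCPOPT_NOP, TCPOPT_NOP, TCPOPT_MD5SIG, TCPOLEN_MD5SIG]) + digest
    return header20 + options + payload


def _find_md5_option(options):
    """Walk the TCP option list; return the 16-byte digest or None."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                                   # end of option list
            return None
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2:
            return None                                 # malformed list
        length = options[i + 1]
        if kind == TCPOPT_MD5SIG and length == TCPOLEN_MD5SIG:
            return options[i + 2:i + length]
        i += length
    return None


def md5_option_valid(src_ip, dst_ip, raw, key):
    """Recompute the digest over the received segment; compare in constant time.
    A missing option is a failure: otherwise an attacker just omits it."""
    doff = (raw[12] >> 4) * 4
    received = _find_md5_option(raw[20:doff])
    if received is None:
        return False
    header20 = raw[:16] + b"\x00\x00" + raw[18:20]      # zero the checksum field
    expected = tcp_md5_digest(src_ip, dst_ip, header20, len(raw), raw[doff:], key)
    return hmac.compare_digest(received, expected)


def receive(conn, src_ip, dst_ip, raw, key=None):
    """Toy receiver: returns 'dropped', 'reset' or 'accepted'.

    Without a key this is RFC 793 behaviour: any RST whose sequence number
    falls in the receive window kills the connection, so knowing the 4-tuple
    and guessing the window is enough. (RFC 5961 narrows this to seq ==
    RCV.NXT and answers other in-window RSTs with a challenge ACK, but no
    field in the segment says who sent it.) With a key, forgeries are dropped.
    Sequence-number wraparound is ignored for brevity."""
    if key is not None and not md5_option_valid(src_ip, dst_ip, raw, key):
        return "dropped"
    seq, flags = struct.unpack("!I", raw[4:8])[0], raw[13]
    if not conn["rcv_nxt"] <= seq < conn["rcv_nxt"] + conn["rcv_wnd"]:
        return "dropped"
    if flags & TCP_RST:
        conn["state"] = "CLOSED"
        return "reset"
    return "accepted"


def new_conn():
    return {"rcv_nxt": 1000, "rcv_wnd": 65535, "state": "ESTABLISHED"}


def demo():
    """Constructed scenario: peer 10.0.0.1:40000 -> 10.0.0.2:443; the attacker spoofs 10.0.0.1."""
    a, b, key = "10.0.0.1", "10.0.0.2", b"constructed-shared-key"
    forged = make_segment(a, b, 40000, 443, seq=6000, ack=0, flags=TCP_RST)   # in-window guess
    guessed = make_segment(a, b, 40000, 443, seq=6000, ack=0, flags=TCP_RST, key=b"wrong-key")
    legit = make_segment(a, b, 40000, 443, seq=1000, ack=1, flags=TCP_ACK,
                         payload=b"tunnel frame", key=key)
    tampered = legit[:-1] + bytes([legit[-1] ^ 0xFF])   # flip one payload byte in flight
    return {
        "plain_tcp_forged_rst": receive(new_conn(), a, b, forged),
        "md5_forged_rst": receive(new_conn(), a, b, forged, key),
        "md5_wrong_key_rst": receive(new_conn(), a, b, guessed, key),
        "md5_legit_data": receive(new_conn(), a, b, legit, key),
        "md5_tampered_data": receive(new_conn(), a, b, tampered, key),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:24s} {outcome}")
```

Two details matter in practice. First, the digest covers the flags and the sequence number, so an attacker who captures a legitimately signed data segment cannot re-use its option on a RST. Second, the option only helps if the receiving stack refuses segments that lack it once a key is configured, which is why `md5_option_valid` treats "no option" as a failure rather than falling back to plain TCP. RFC 2385 is MD5-based and has since been obsoleted by TCP-AO (RFC 5925), which follows the same design with a proper MAC and key rollover; the shape of the check is the same.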
