I agree that protecting against rogue middleboxes is a great goal. That
said, I'm concerned about the possibility of doing it in a way that
prevents authorized middleboxes from working.
The element of some of the proposals that I'm most concerned about in
this regard is one that uses the end-to-end data stream authenticator to
provide authentication for the TCP header. This prevents some legitimate
TCP optimization middleboxes from improving data delivery rates without
requiring them to participate in protection of the data stream itself,
in that they must have access to the key that authenticates the data in
order to rewrite the TCP headers. I prefer a solution that requires such
a middlebox to have access to the smallest amount of keying material
possible in order to limit its capability to make changes to anything
but what it must change in order to function.
I'm not arguing against header authentication (though I'm not
specifically arguing in favor of it either). I'm simply suggesting that
if the headers are to be authenticated, merging header and data
authenticators could mean that a broader range of middleboxes are
prevented from working.
--Brandon
On 07/28/2014 11:48 AM, Joe Touch wrote:
IMO, if you're not protecting the TCP header the solutions should not be
called TCP anything, nor should it be integrated as a TCP option. It's
basically just TLS with no signature on either end, and that ought to
suffice if that's all you really want.
However, protection from rogue middleboxes is something I'd appreciate,
and that can't be done solely as a payload of the transport layer.
Joe
On 7/27/2014 11:57 PM, marcelo bagnulo braun wrote:
Hi,
As we discussed in the meeting, we should try to make some design
decisions for TCPINC.
One of them is whether to protect or not the TCP header.
I would like to start the discussion on this topic. Arguments on one way
or the other?
regards, marcelo
_______________________________________________
Tcpinc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tcpinc
--
Brandon Williams; Senior Principal Software Engineer
Emerging Products Engineering; Akamai Technologies Inc.
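The following is an added illustration of the design trade-off Brandon raises above; it is not code from the thread, from the TCPINC working group, or from any draft. It models the two options in miniature: a single authenticator over header plus payload under one key, versus separate authenticators under separate keys. The header layout (ports, seq, ack, window), the "window-rescaling middlebox", the key names and all sample values are constructed for the example. Real TCP-AO and TCPINC designs exclude more fields and use proper key derivation; the point here is only which key a legitimate middlebox must hold to re-authenticate a header it is allowed to change.

```python
"""Merged vs. split header/data authentication (illustrative, not from the thread)."""
import hashlib
import hmac
import struct

# Constructed mini TCP header: src port, dst port, seq, ack, window.
HEADER_FMT = "!HHIIH"


def pack_header(src_port, dst_port, seq, ack, window):
    return struct.pack(HEADER_FMT, src_port, dst_port, seq, ack, window)


def mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


# --- Design A: one authenticator over header + payload, one key ---------
def merged_protect(key, header, payload):
    return mac(key, header + payload)


def merged_verify(key, header, payload, tag):
    return hmac.compare_digest(mac(key, header + payload), tag)


# --- Design B: separate authenticators, separate keys --------------------
def split_protect(header_key, data_key, header, payload):
    return mac(header_key, header), mac(data_key, payload)


def split_verify(header_key, data_key, header, payload, htag, dtag):
    return (hmac.compare_digest(mac(header_key, header), htag)
            and hmac.compare_digest(mac(data_key, payload), dtag))


class WindowRewriter:
    """Hypothetical TCP optimisation middlebox that only rescales the
    advertised window. It holds whatever keys the design gives it."""

    def __init__(self, keys):
        self.keys = keys

    def rewrite(self, header, new_window):
        src, dst, seq, ack, _ = struct.unpack(HEADER_FMT, header)
        return pack_header(src, dst, seq, ack, new_window)


def scenario_merged():
    key = b"endpoint-shared-key"          # constructed
    header = pack_header(40000, 443, 1000, 2000, 512)
    payload = b"GET / HTTP/1.1\r\n"       # constructed
    tag = merged_protect(key, header, payload)
    mb = WindowRewriter({"merged": key})  # must be given the one key
    new_header = mb.rewrite(header, 4096)
    # Without the key, the rewritten header fails at the receiver.
    breaks_without_key = not merged_verify(key, new_header, payload, tag)
    # With the key it can re-tag the header, but the same key also
    # lets it re-tag an altered payload, so the endpoint cannot tell.
    new_tag = merged_protect(mb.keys["merged"], new_header, payload)
    altered = b"altered payload"
    altered_tag = merged_protect(mb.keys["merged"], new_header, altered)
    return {
        "rewrite_without_key_breaks": breaks_without_key,
        "rewritten_header_verifies": merged_verify(key, new_header, payload, new_tag),
        "payload_change_detected": not merged_verify(key, new_header, altered, altered_tag),
    }


def scenario_split():
    header_key = b"header-key"            # constructed; handed to middlebox
    data_key = b"data-key"                # constructed; endpoints only
    header = pack_header(40000, 443, 1000, 2000, 512)
    payload = b"GET / HTTP/1.1\r\n"       # constructed
    htag, dtag = split_protect(header_key, data_key, header, payload)
    mb = WindowRewriter({"header": header_key})  # least keying material
    new_header = mb.rewrite(header, 4096)
    new_htag = mac(mb.keys["header"], new_header)
    altered = b"altered payload"
    # The middlebox can re-authenticate the header it changed, but any
    # payload change is caught because it never held data_key.
    return {
        "rewritten_header_verifies": split_verify(
            header_key, data_key, new_header, payload, new_htag, dtag),
        "payload_change_detected": not split_verify(
            header_key, data_key, new_header, altered, new_htag, dtag),
    }


if __name__ == "__main__":
    print("merged:", scenario_merged())
    print("split: ", scenario_split())
```

Under the merged design the rewriter is useless without the shared key and, once it has the key, the endpoints lose the ability to detect payload changes; under the split design it gets only the header key and the data authenticator still fails closed on a modified payload.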