On Fri, Aug 1, 2014 at 4:28 PM, Eric Rescorla <[email protected]> wrote:
> On Fri, Aug 1, 2014 at 2:25 PM, Nico Williams <[email protected]> wrote:
>> >> Highly desirable: integrity protection for close/ EOF / RST.
>> >
>> > For reasons that people have already gone onto on the list,
>> > I think this minimally needs to be optional.
>>
>> Perhaps so. If middleboxes make that too hard then yes, it should be
>> optional, and probably default to off. (Though middlebox presence
>> could be detected by exchanging hashes of the SYN handshake, no?)
>
>
> The issue isn't middleboxes; it's that if you require integrity protection
> for RSTs, then there's no way for a box that reboots to send you an
> RST.

Well, with DANE in mind... if the RST sender is the server, it could
sign it. The client can't, unless it gave the server a public key that
will persist and could be used for it to sign an RST. But yes, that's
why I wouldn't make it a strong requirement.
