On 8/18/2014 3:07 PM, Scheffenegger, Richard wrote:
> Hi Alfie,
> my concern is with the use of a static ISN for each 4-tuple; this
> significantly increases the chance of a collision between sessions (i.e.
> when the sender terminates a sluggish earlier session, some segments of
> that last session will very likely be in-window for a session that was
> started a short time later).
+1, and I haven't seen a satisfactory answer to this yet.
FWIW, the doc refers to TCP MD5, which has been deprecated and replaced
by TCP-AO. TCP-AO has an experimental extension to support NAT traversal.
Additionally, responding with a TCP RST isn't the best response if
you're trying to hide from port knocking. Silence is best in that case.
Joe
_______________________________________________
Tcpinc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tcpinc
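An added illustration of the in-window collision concern discussed above (example code written for this page, not code from the thread, the draft under discussion, or any TCP implementation). It assumes a hypothetical `static_isn` function that derives the ISN from the 4-tuple alone, stands in a per-connection random ISN as `random_isn`, and uses constructed addresses, window sizes and byte counts. It goes slightly beyond the quoted sentence by putting a number on both cases: the fraction of trials in which one stale segment from a terminated, low-volume connection falls inside the window of a fresh connection on the same 4-tuple.

```python
"""Why a static ISN per 4-tuple makes stale segments land in-window.

A TCP receiver accepts a segment whose sequence number lies in
[RCV.NXT, RCV.NXT + RCV.WND), computed modulo 2^32.  If every connection
on a given 4-tuple starts at the same ISN, a segment left over from an
earlier connection sits in the same sequence-number region as the new
one; with a fresh random ISN per connection the overlap probability is
roughly RCV.WND / 2^32.  All values below are constructed for the example.
"""
import random
import zlib

SEQ_SPACE = 2 ** 32


def in_window(seq, rcv_nxt, rcv_wnd):
    """True if seq is inside [rcv_nxt, rcv_nxt + rcv_wnd), modulo 2^32."""
    return (seq - rcv_nxt) % SEQ_SPACE < rcv_wnd


def static_isn(four_tuple, rng):
    """Hypothetical static scheme: the ISN is a fixed function of the
    4-tuple, so every connection on that 4-tuple starts at the same
    sequence number.  The rng argument is unused and exists only so both
    ISN functions share a signature."""
    return zlib.crc32(repr(four_tuple).encode()) % SEQ_SPACE


def random_isn(four_tuple, rng):
    """Stand-in for a per-connection randomised ISN: each connection draws
    a fresh 32-bit value independent of the previous one on the 4-tuple."""
    return rng.getrandbits(32)


def stale_segment_hit_rate(isn_fn, trials=20000, old_bytes_sent=65536,
                           rcv_wnd=65535, seed=1):
    """Fraction of trials in which one stale data segment from a terminated
    'sluggish' connection (it sent at most old_bytes_sent bytes) is accepted
    in-window by a fresh connection on the same 4-tuple.

    Deterministic for a given seed so the result can be checked."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        # Constructed 4-tuple; the ephemeral port is reused by the new
        # connection, which is what makes the two sessions share a 4-tuple.
        ft = ("192.0.2.10", 40000 + rng.randrange(1000), "192.0.2.20", 443)

        old_isn = isn_fn(ft, rng)
        # A data segment the old sender transmitted at some point in its life
        # (data starts at ISN + 1 because the SYN consumes one sequence number).
        stale_seq = (old_isn + 1 + rng.randrange(old_bytes_sent)) % SEQ_SPACE

        new_isn = isn_fn(ft, rng)
        # The new receiver has consumed a little data since its handshake.
        rcv_nxt = (new_isn + 1 + rng.randrange(4096)) % SEQ_SPACE

        if in_window(stale_seq, rcv_nxt, rcv_wnd):
            hits += 1
    return hits / trials


if __name__ == "__main__":
    print("static ISN per 4-tuple :", stale_segment_hit_rate(static_isn))
    print("random ISN per connection:", stale_segment_hit_rate(random_isn))
```

Running the module prints the two rates; with the constructed parameters the static scheme accepts the stale segment in well over 90% of trials, while the randomised scheme accepts it in a negligible fraction. The `in_window` helper is the same modular comparison a receiver performs, so the simulation is only as pessimistic as the window and byte counts you feed it; the qualitative gap between the two ISN policies is what the quoted concern is about.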