That is also correct. There was evidently a long discussion about this
before I got involved, at least partly because tcpcrypt originally
relied on sender segment integrity instead of using a TLV
construction. Middleboxes unfortunately put a lot of constraints on
how protocols can be used, which (I'm guessing?) is part of the reason
QUIC encrypts as much data as possible.

Kyle


On Tue, Mar 8, 2016 at 1:01 PM, Jana Iyengar <[email protected]> wrote:
> I believe that the TCP header is not *authenticated* either, since
> middleboxes may resegment TCP segments.
>
> On Tue, Mar 8, 2016 at 7:14 AM, Smith, Kevin, (R&D) Vodafone Group
> <[email protected]> wrote:
>>
>> Great, thanks both for the confirmation.
>>
>> -------- Original Message --------
>>
>> Subject: Re: [tcpinc] tcpcrypt - what's encrypted?
>>
>> From: Mirja Kühlewind <[email protected]>
>>
>> Date: 8 Mar 2016 14:55
>>
>> To: "Smith, Kevin, (R&D) Vodafone Group" <[email protected]>
>>
>> That was discussed early after the start of the working group, and the group
>> decided not to encrypt any header fields to increase deployability.
>>
>> Mirja
>>
>>
>> > On 08.03.2016 at 15:16, Black, David <[email protected]> wrote:
>> >
>> > That's correct - the TCP headers are not encrypted by any tcpinc security
>> > protocol (the TLS profile is similar in this regard). To encrypt TCP
>> > headers, something like IPsec is needed.
>> >
>> > Thanks, --David
>> >
>> >
>> >> -----Original Message-----
>> >> From: Tcpinc [mailto:[email protected]] On Behalf Of Smith, Kevin, (R&D) Vodafone Group
>> >> Sent: Tuesday, March 08, 2016 6:05 AM
>> >> To: tcpinc
>> >> Subject: [tcpinc] tcpcrypt - what's encrypted?
>> >>
>> >> Apologies if this is obvious and I've missed it in the docs - but please
>> >> can someone confirm if the TCP protocol itself is encrypted as part of
>> >> tcpcrypt, i.e. the ACKs, MSS, cwnd etc. etc. will not be visible to any
>> >> middleboxes? A quick test shows them still visible to a packet capture...
>> >>
>> >> Cheers
>> >> Kevin
>> >>
>> >>
>> >>
>> >>
>> >> _______________________________________________
>> >> Tcpinc mailing list
>> >> [email protected]
>> >> https://www.ietf.org/mailman/listinfo/tcpinc