[114306] in cryptography@c2.net mail archive
RE: Fixing SSL (was Re: Dutch Transport Card Broken)
daemon@ATHENA.MIT.EDU (Dave Korn)
Wed Jan 30 13:59:59 2008
From: "Dave Korn" <dave.korn@artimi.com>
To: "'Eric Rescorla'" <ekr@networkresonance.com>,
=?iso-8859-1?Q?'Philipp_G=FChring'?= <pg@futureware.at>
Cc: "'Cryptography'" <cryptography@metzdowd.com>
Date: Wed, 30 Jan 2008 17:59:51 -0000
In-Reply-To: <20080130170327.DF3EB5081A@romeo.rtfm.com>
On 30 January 2008 17:03, Eric Rescorla wrote:
>>> We really do need to reinvent and replace SSL/TCP,
>>> though doing it right is a hard problem that takes more
>>> than morning coffee.
>>=20
>> TCP could need some stronger integrity protection. 8 Bits of checksum =
isn=B4t
>> enough in reality. (1 out of 256 broken packets gets injected into =
your TCP
>> stream) Does IPv6 have a stronger TCP?
>=20
> Whether this is true or not depends critically on the base rate
> of errors in packets delivered to TCP by the IP layer, since
> the rate of errors delivered to SSL is 1/256th of those delivered
> to the TCP layer.=20
Out of curiosity, what kind of TCP are you guys using that has 8-bit
checksums?
> Since link layer checksums are very common,
> as a practical matter errored packets getting delivered to protocols
> above TCP is quite rare.
Is it not also worth mentioning that TCP has some added degree of =
protection
in that if the ACK sequence num isn't right, the packet is likely to be
dropped (or just break the stream altogether by desynchronising the =
seqnums)?
cheers,
DaveK
--=20
Can't think of a witty .sigline today....
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
