[114307] in cryptography@c2.net mail archive


Re: Fixing SSL (was Re: Dutch Transport Card Broken)

daemon@ATHENA.MIT.EDU (Eric Rescorla)
Wed Jan 30 14:01:10 2008

Date: Wed, 30 Jan 2008 10:06:14 -0800
From: Eric Rescorla <ekr@networkresonance.com>
To: "Dave Korn" <dave.korn@artimi.com>
Cc: "'Eric Rescorla'" <ekr@networkresonance.com>, "'Philipp Gühring'" <pg@futureware.at>, "'Cryptography'" <cryptography@metzdowd.com>
In-Reply-To: <005b01c86369$e9693040$2e08a8c0@CAM.ARTIMI.COM>

At Wed, 30 Jan 2008 17:59:51 -0000,
Dave Korn wrote:
>
> On 30 January 2008 17:03, Eric Rescorla wrote:
>
>
> >>> We really do need to reinvent and replace SSL/TCP,
> >>> though doing it right is a hard problem that takes more
> >>> than morning coffee.
> >>
> >> TCP could need some stronger integrity protection. 8 Bits of checksum isn't
> >> enough in reality. (1 out of 256 broken packets gets injected into your TCP
> >> stream)  Does IPv6 have a stronger TCP?
> >
> > Whether this is true or not depends critically on the base rate
> > of errors in packets delivered to TCP by the IP layer, since
> > the rate of errors delivered to SSL is 1/256th of those delivered
> > to the TCP layer.
>
>   Out of curiosity, what kind of TCP are you guys using that has 8-bit
> checksums?

You're right. It's 16 bit, isn't it. I plead it being early in
the morning. I think my point now applies even moreso :)



> > Since link layer checksums are very common,
> > as a practical matter errored packets getting delivered to protocols
> > above TCP is quite rare.
>
>   Is it not also worth mentioning that TCP has some added degree of protection
> in that if the ACK sequence num isn't right, the packet is likely to be
> dropped (or just break the stream altogether by desynchronising the seqnums)?

Right, so this now depends on the error model...

-Ekr
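The checksum argument in the exchange above, worked through as an added example (not code from the thread or its authors): the RFC 1071 ones'-complement checksum that TCP actually uses, why uniformly random corruption slips past it about once in 65536 segments rather than once in 256, and one error model (two 16-bit words swapped in transit) that the checksum never catches at all, which is the "depends on the error model" point. `SAMPLE` is a constructed payload; the eight-byte test vector is the one given in RFC 1071.

```python
# Internet checksum (RFC 1071), as used by TCP, checked against two error
# models. Added example, not code from the list thread. SAMPLE is constructed.

def internet_checksum(data: bytes) -> int:
    """16-bit ones'-complement sum over 16-bit words, then complemented.
    Odd-length input is padded with a zero byte, as TCP does."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
        total = (total & 0xFFFF) + (total >> 16)  # end-around carry
    return (~total) & 0xFFFF


def single_bit_flips_all_detected(payload: bytes) -> bool:
    """Flip every single bit in turn; True if the receiver would reject each.
    A lone bit flip always changes the sum modulo 0xFFFF, so this is True."""
    good = internet_checksum(payload)
    for bit in range(len(payload) * 8):
        corrupted = bytearray(payload)
        corrupted[bit // 8] ^= 1 << (bit % 8)
        if internet_checksum(bytes(corrupted)) == good:
            return False
    return True


def word_swap_detected(payload: bytes, a: int, b: int) -> bool:
    """Swap the 16-bit words at even byte offsets a and b and report whether
    the checksum changes. Ones'-complement addition is commutative, so it
    never does: reordered words pass whatever the IP-layer error rate is."""
    good = internet_checksum(payload)
    swapped = bytearray(payload)
    swapped[a:a + 2], swapped[b:b + 2] = payload[b:b + 2], payload[a:a + 2]
    return internet_checksum(bytes(swapped)) != good


def undetected_rate(ip_error_rate: float) -> float:
    """Under a uniformly random corruption model a corrupted segment passes
    the 16-bit checksum with probability 2**-16, so the share of packets
    reaching SSL corrupted is the IP-layer error rate divided by 65536,
    not by 256 as the thread first assumed."""
    return ip_error_rate / 65536


SAMPLE = bytes.fromhex("0001f203f4f5f6f7") + b"constructed payload"

if __name__ == "__main__":
    print(hex(internet_checksum(bytes.fromhex("0001f203f4f5f6f7"))))  # 0x220d
    print(single_bit_flips_all_detected(SAMPLE), word_swap_detected(SAMPLE, 0, 2))
```

The word-swap case is the practical reason the TCP checksum is treated as an error detector only, and the integrity of the stream is left to the MAC in SSL/TLS.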

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
