Fixing SSL (was Re: Dutch Transport Card Broken)
Dave Korn
dave.korn at artimi.com
Wed Jan 30 12:59:51 EST 2008
On 30 January 2008 17:03, Eric Rescorla wrote:
>>> We really do need to reinvent and replace SSL/TCP,
>>> though doing it right is a hard problem that takes more
>>> than morning coffee.
>>
>> TCP could need some stronger integrity protection. 8 Bits of checksum isn´t
>> enough in reality. (1 out of 256 broken packets gets injected into your TCP
>> stream) Does IPv6 have a stronger TCP?
>
> Whether this is true or not depends critically on the base rate
> of errors in packets delivered to TCP by the IP layer, since
> the rate of errors delivered to SSL is 1/256th of those delivered
> to the TCP layer.
Out of curiosity, what kind of TCP are you guys using that has 8-bit
checksums?
> Since link layer checksums are very common,
> as a practical matter errored packets getting delivered to protocols
> above TCP is quite rare.
Is it not also worth mentioning that TCP has some added degree of protection
in that if the ACK sequence num isn't right, the packet is likely to be
dropped (or just break the stream altogether by desynchronising the seqnums)?
cheers,
DaveK
--
Can't think of a witty .sigline today....
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list