On 25 Mar 2008, at 16:10, Dan Wing wrote:
>> And yes, the issues I referred to are DoS and TCP spoofing.
>> These can only be protected against at the network level.
> What are your thoughts on DTLS's DoS and spoofing protection?
Looks like this is mostly similar to IPsec except that the port
numbers rather than SA is used to demultiplex so the anti-DoS
protection that the sequence number / anti replay counter provides is
less than with IPsec. Also, a quick read of RFC 4347 doesn't reveal
any advice regarding the initial value of the sequence number, so
applications may start at 0 or 1 and make this easy to guess.
I assume this means in the future we'll be running TCP over DTLS over
The part that I don't like about DTLS is the way it avoids dealing
with MTU issues and pretty much tells people to do PMTUD for IPv4 for
UDP even though in theory this is extremely hard to get to work and in
practice it never works.
I wonder what kind of security mechanisms we would come up with if we
got to do all of this again from scratch but with the benefit of
hindsight. I'm pretty sure it wouldn't be TLS+IPsec+DTLS. And if I
could go back in time and make sure the person who invented the DF bit
wouldn't make it to work that day, I wouldn't hesitate to do that.
IETF mailing list
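The anti-replay counter discussed above is the sliding window that RFC 4347 (section 4.1.2.5) borrows from IPsec ESP. The following is an added illustration, not code from the thread or from any DTLS implementation: a window of an assumed size of 64, split into a cheap `precheck` run before MAC verification and a `commit` run after it, plus a constructed scenario (`spoof_mac_checks`) that counts how many keyless, off-path records get past the window and so cost the receiver a MAC computation, once with a sender that started its sequence numbers at 0 and once with a large starting value. All function names and the scenario are assumptions for illustration.

```python
# Added example (not from the mailing-list thread): a sliding anti-replay
# window in the style RFC 4347 section 4.1.2.5 describes for DTLS records.
# The window size of 64 and the precheck/commit split (MAC verification
# happens between the two) are assumptions made for this illustration.

WINDOW_SIZE = 64  # assumed window size


class ReplayWindow:
    """Track accepted record sequence numbers for one epoch."""

    def __init__(self, size=WINDOW_SIZE):
        self.size = size
        self.top = None      # highest sequence number authenticated so far
        self.bitmap = 0      # bit i set => (top - i) already accepted

    def precheck(self, seq):
        """Cheap filter run BEFORE MAC verification.

        True means the record could be new and deserves a MAC check; False
        means it is a certain replay or older than the window and can be
        dropped without spending cycles on the MAC."""
        if self.top is None or seq > self.top:
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                       # older than the window
        return not (self.bitmap >> offset) & 1  # False if already seen

    def commit(self, seq):
        """Record seq as accepted; call only after the MAC verified."""
        if self.top is None:
            self.top, self.bitmap = seq, 1
            return
        if seq > self.top:
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1
            else:
                mask = (1 << self.size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)


def process(window, seq, mac_ok):
    """Receive path for one record: window precheck, MAC check, window update.

    Returns 'dropped-window', 'dropped-mac' or 'accepted'."""
    if not window.precheck(seq):
        return "dropped-window"
    if not mac_ok:
        return "dropped-mac"
    window.commit(seq)
    return "accepted"


def spoof_mac_checks(start_seq, records_sent, guesses):
    """Constructed scenario: a legitimate sender has delivered `records_sent`
    records starting at `start_seq`. An off-path party without the key then
    sends records carrying the sequence numbers in `guesses`; their MACs
    fail. Returns how many of those guesses the window did NOT filter
    cheaply, i.e. how many cost the receiver a MAC verification."""
    w = ReplayWindow()
    for s in range(start_seq, start_seq + records_sent):
        process(w, s, mac_ok=True)
    return sum(1 for g in guesses
               if process(w, g, mac_ok=False) == "dropped-mac")


if __name__ == "__main__":
    # Sender started at 0: half of the low guesses reach the MAC step.
    print(spoof_mac_checks(0, 100, range(200)))          # 100
    # Sender started high: all of the same low guesses are dropped cheaply.
    print(spoof_mac_checks(1_000_000, 100, range(200)))  # 0
```

Two things the scenario makes visible: the window only discards records that are at or below its top edge, so any sequence number above the top passes the cheap filter regardless of the starting value, and the window is advanced only after the MAC verifies, so a forged record never moves it. The starting value therefore only changes how many guesses land in the "too old or duplicate" region; it is not a substitute for the MAC, and in DTLS the port number rather than an SPI is all that narrows which window a packet is matched against.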