
Re: TLS vs. IPsec (Was: Re: experiments in the ietf week)

2008-03-26 05:25:51
On 25 Mar 2008, at 16:10, Dan Wing wrote:

And yes, the issues I referred to are DoS and TCP spoofing.
These can only be protected against at the network level.

What are your thoughts on DTLS's DoS and spoofing protection?

Looks like this is mostly similar to IPsec except that the port numbers rather than the SA are used to demultiplex, so the anti-DoS protection that the sequence number / anti-replay counter provides is less than with IPsec. Also, a quick read of RFC 4347 doesn't reveal any advice regarding the initial value of the sequence number, so applications may start at 0 or 1 and make this easy to guess.

I assume this means in the future we'll be running TCP over DTLS over  

The part that I don't like about DTLS is the way it avoids dealing with MTU issues and pretty much tells people to do PMTUD for IPv4 for UDP, even though in theory this is extremely hard to get to work and in practice it never works.

I wonder what kind of security mechanisms we would come up with if we got to do all of this again from scratch but with the benefit of hindsight. I'm pretty sure it wouldn't be TLS+IPsec+DTLS. And if I could go back in time and make sure the person who invented the DF bit wouldn't make it to work that day, I wouldn't hesitate to do that.
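The sequence number / anti-replay window the mail refers to, as an added example in Python that is not part of the thread: the sliding window that DTLS (RFC 4347 section 4.1.2.5) adopts from IPsec, run over a constructed stream of record sequence numbers. The window size and the sample sequence numbers are assumptions for illustration.

```python
# Sliding-window anti-replay check of the kind DTLS borrows from IPsec ESP.
# Added example; not code from the mailing-list thread.

class ReplayWindow:
    """Track the highest sequence number accepted so far plus a bitmap of the
    most recent `size` sequence numbers, so duplicates and stale records are
    dropped before any further processing.  Note what the window does NOT do:
    a record carrying a fresh, in-range sequence number passes this check, so
    the MAC check that follows is the real protection against injected records.
    """

    def __init__(self, size=64):
        self.size = size          # assumed window width (64 is a common choice)
        self.highest = None       # highest accepted sequence number so far
        self.bitmap = 0           # bit i set => (highest - i) has been seen

    def check_and_update(self, seq):
        """Return True and record seq if it is new and inside the window,
        False if it is a replay or older than the window."""
        if self.highest is None:          # first record initialises the window
            self.highest = seq
            self.bitmap = 1
            return True
        if seq > self.highest:            # newer than anything seen: slide window
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        diff = self.highest - seq
        if diff >= self.size:             # too old to be tracked: drop
            return False
        if self.bitmap & (1 << diff):     # already accepted once: replay
            return False
        self.bitmap |= 1 << diff          # late but new: accept and remember
        return True


def filter_records(seqs, size=64):
    """Feed a (constructed) stream of record sequence numbers through a window
    and return only those that would be accepted."""
    window = ReplayWindow(size)
    return [s for s in seqs if window.check_and_update(s)]


if __name__ == "__main__":
    # Constructed sample: reordered delivery, one duplicate, one stale record.
    print(filter_records([10, 7, 7, 12, 8, 9], size=4))   # [10, 7, 12, 9]
```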
IETF mailing list