[e2e] t/tcp and web services

kfl kfl at xiphos.ca
Fri Dec 12 07:47:39 PST 2003


Hi,

> -----Original Message-----
> From: end2end-interest-admin at postel.org
> [mailto:end2end-interest-admin at postel.org]On Behalf Of Michael Welzl
> Sent: Friday, December 12, 2003 3:11 AM
> To: David G. Andersen
> Cc: end2end-interest at postel.org
> Subject: Re: [e2e] t/tcp and web services
>
>
> Still, a web service is mainly a RPC - so there is
> still quite a reason to worry about the single-shot
> requests. Wouldn't a more secure variant of T/TCP
> that utilizes cookies (as in SCTP), nonces and
> such be worth thinking about? Or is that just
> impossible because of T/TCP's very nature?

T/TCP does not accept CC options and data in the first SYN blindly; the first
connection between two T/TCP hosts will never carry the extra payload.
Subsequent connections will be T/TCP enabled only if the first one was
successful. That rules out the most basic SYN flood attacks. Although an
attacker could always devise a modified SYN flood attack, this first barrier
would protect from most of them.

Moreover, in FreeBSD, T/TCP has syncache and syncookies and as far
as I know they work just fine.

Karim.
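
The behaviour described above (no data accepted on the first SYN from an
unknown peer, accelerated open only once a full handshake has succeeded) as an
added model of the RFC 1644 TAO cache test; this is illustrative code written
for this archive page, not FreeBSD's implementation, and the class, method and
peer address names are constructed.

```python
# Constructed model of T/TCP's TAO (TCP Accelerated Open) test from RFC 1644:
# the server keeps a per-peer cache of the last connection count (CC) it saw
# and only accepts data carried in a SYN when the SYN's CC exceeds the cached
# value for that peer. Names are hypothetical; behaviour follows the RFC.

THREE_WAY_HANDSHAKE = "3whs"   # normal SYN / SYN-ACK / ACK, data held back
ACCELERATED_OPEN = "tao"       # SYN carries data that is delivered at once


class TaoCache:
    """Per-peer cache of the highest CC value observed from that host."""

    def __init__(self):
        self._cc_by_peer = {}

    def on_syn(self, peer, cc, payload):
        """Classify an incoming SYN. Returns (handshake_mode, data_accepted)."""
        cached = self._cc_by_peer.get(peer)
        # TAO test: only a previously seen peer presenting a strictly larger
        # CC than the cached one may bypass the three-way handshake.
        if cc is not None and cached is not None and cc > cached:
            self._cc_by_peer[peer] = cc
            return ACCELERATED_OPEN, payload
        # Unknown peer, SYN without a CC option, or a stale/replayed CC:
        # fall back to the normal handshake and hold the data, so a SYN
        # alone (spoofed or not) never gets its payload processed.
        return THREE_WAY_HANDSHAKE, b""

    def on_handshake_complete(self, peer, cc):
        """Once a full 3WHS succeeds, remember the peer's CC so that later
        connections from it can pass the TAO test."""
        if cc is not None:
            self._cc_by_peer[peer] = max(cc, self._cc_by_peer.get(peer, 0))


def simulate():
    """First contact, then a TAO-enabled second connection, then a replay of
    an old CC value. Returns the (mode, accepted data) tuple for each SYN."""
    cache = TaoCache()
    peer = "192.0.2.10"            # constructed sample client address
    results = []
    results.append(cache.on_syn(peer, cc=100, payload=b"GET /rpc"))
    cache.on_handshake_complete(peer, cc=100)   # first 3WHS finished
    results.append(cache.on_syn(peer, cc=101, payload=b"GET /rpc"))
    results.append(cache.on_syn(peer, cc=100, payload=b"GET /rpc"))  # replay
    return results
```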
