[e2e] t/tcp and web services

Armando L. Caro Jr. me at armandocaro.net
Fri Dec 12 13:51:09 PST 2003


On 12 Dec 2003, Michael Welzl wrote:

> Still, a web service is mainly an RPC - so there is
> still quite a reason to worry about the single-shot
> requests. Wouldn't a more secure variant of T/TCP
> that utilizes cookies (as in SCTP), nonces and
> such be worth thinking about? Or is that just
> impossible because of T/TCP's very nature?

It may not be impossible, but T/TCP would definitely need more changes
than simply including syncookies. The TCP syncookie/SCTP approach alone
doesn't work. By the time the server responds with a SYN-ACK on a T/TCP
connection, the damage of an attack is already done.

~armando

0--                                              --0
| Armando L. Caro Jr.  |  Protocol Engineering Lab |
| www.armandocaro.net  |    University of Delaware |
0--                                              --0
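
The ordering problem described in the reply above, as an added example that is not part of the original post: a simplified in-memory model (no real packets) comparing a cookie handshake with a T/TCP-style exchange that has a cookie bolted onto its SYN-ACK. It assumes the T/TCP SYN is accepted and its data is delivered on arrival; the class, function names and addresses are constructed for illustration.

```python
import hashlib
import hmac
import os

SECRET = os.urandom(16)  # server-side cookie key (constructed for this model)


def cookie(src: str) -> bytes:
    """Stateless cookie bound to the claimed source address."""
    return hmac.new(SECRET, src.encode(), hashlib.sha256).digest()


class Server:
    def __init__(self, accept_data_on_syn: bool):
        self.accept_data_on_syn = accept_data_on_syn
        self.executed = []  # requests handed to the application

    def on_syn(self, src, data=None):
        # T/TCP model (assumption: SYN accepted): the request reaches the
        # application before any reply leaves the server.
        if self.accept_data_on_syn and data is not None:
            self.executed.append((src, data))
        # The SYN-ACK with its cookie goes to the *claimed* source address.
        return src, cookie(src)

    def on_cookie_echo(self, src, echoed, data):
        # Cookie model: work happens only after the peer proves it received
        # the SYN-ACK at the address it claimed.
        if hmac.compare_digest(echoed, cookie(src)):
            self.executed.append((src, data))
            return True
        return False


def run(accept_data_on_syn: bool):
    srv = Server(accept_data_on_syn)
    # Genuine client at 192.0.2.10: sees the SYN-ACK and can echo the cookie.
    _, ck = srv.on_syn("192.0.2.10", "GET /quote")
    if not accept_data_on_syn:
        srv.on_cookie_echo("192.0.2.10", ck, "GET /quote")
    # Forged source 198.51.100.7: the SYN-ACK goes elsewhere, so the sender
    # never learns the cookie and can only guess at it.
    srv.on_syn("198.51.100.7", "GET /expensive")
    if not accept_data_on_syn:
        srv.on_cookie_echo("198.51.100.7", b"\x00" * 32, "GET /expensive")
    return srv.executed


if __name__ == "__main__":
    print("cookie handshake   :", run(False))
    print("T/TCP + SYN cookie :", run(True))
```

In the T/TCP run the forged request is already in `executed` when the cookie is generated, so the cookie has nothing left to gate.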




More information about the end2end-interest mailing list