[e2e] t/tcp and web services

RJ Atkinson rja at extremenetworks.com
Fri Dec 12 05:34:10 PST 2003


	The pity of it all is that what we really need is a network
architecture where we don't use the address as an identifier,
particularly an unauthenticated identifier as people are doing
now (despite widespread understanding of widespread address forgery
in the global Internet).

	Cryptographic solutions to authenticating IP addresses can work,
but are pretty heavy-weight solutions -- especially after one considers
the need for suitable dynamic key management that scales to the
global Internet.

	Sigh.

Ran Atkinson
rja at extremenetworks.com

On Dec 12, 2003, at 02:59, David G. Andersen wrote:
> On Fri, Dec 12, 2003 at 08:22:29AM +0100, Michael Welzl quacked:
>> Dear all,
>>
>> Here's a question:
>>
>> Why is RFC 1644 still experimental when Web Services
>> typically run SOAP over HTTP over regular TCP?
>
> T/TCP has pretty bad and unrectified security problems.
> Or, to quote RFC1644:
>
> "Security Considerations
>     Security issues are not discussed in this memo."
>
> It makes address spoofing attacks worse against some
> services, particularly rsh and the like, and makes it
> easier to DDoS both a server and use servers as DDoS
> amplifiers against chosen victims.  There are circumstances
> in which T/TCP is a nice thing to use, but a publicly
> available webserver isn't one of them -- unfortunately,
> since that's what it was really designed for.
