[e2e] t/tcp and web services
Armando L. Caro Jr.
me at armandocaro.net
Fri Dec 12 13:51:09 PST 2003
On 12 Dec 2003, Michael Welzl wrote:
> Still, a web service is mainly a RPC - so there is
> still quite a reason to worry about the single-shot
> requests. Wouldn't a more secure variant of T/TCP
> that utilizes cookies (as in SCTP), nonces and
> such be worth thinking about? Or is that just
> impossible because of T/TCP's very nature?
It may not be impossible, but T/TCP would definitely need more changes
than simply including syncookies. The TCP syncookie/SCTP approach alone
doesn't work. By the time the server responds with a SYN-ACK on a T/TCP
connection, the damage of an attack is already done.
~armando
0-- --0
| Armando L. Caro Jr. | Protocol Engineering Lab |
| www.armandocaro.net | University of Delaware |
0-- --0
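
The point in the reply above, as an added example that is not part of the original message: a simplified Python model comparing a cookie-gated handshake with T/TCP-style delivery of request data on the SYN. The Server class, the cookie format, the addresses and the traffic are all constructed for illustration, and the model assumes the server hands SYN payload to the application on arrival.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"  # constructed value for this model


def cookie(src, sport, epoch):
    """Stateless cookie: MAC over the claimed source, so the server stores nothing."""
    msg = f"{src}:{sport}:{epoch}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:16]


class Server:
    def __init__(self, data_on_syn):
        self.data_on_syn = data_on_syn  # True models T/TCP-style delivery
        self.executed = []              # requests handed to the application
        self.epoch = 0

    def on_syn(self, src, sport, payload=None):
        if self.data_on_syn and payload is not None:
            # The request runs before the source address has been verified.
            self.executed.append((src, payload))
        # The SYN-ACK carries the cookie to the *claimed* source address.
        return cookie(src, sport, self.epoch)

    def on_ack(self, src, sport, echoed, payload):
        # Only a host that actually received the SYN-ACK can echo the cookie.
        if hmac.compare_digest(echoed, cookie(src, sport, self.epoch)):
            self.executed.append((src, payload))
            return True
        return False


def run(data_on_syn, forged=5):
    srv = Server(data_on_syn)
    # Constructed traffic: these sources never see the SYN-ACK, so never ACK.
    for i in range(forged):
        srv.on_syn(f"203.0.113.{i + 1}", 40000 + i, payload="rpc-call")
    # One genuine client that does receive the SYN-ACK.
    c = srv.on_syn("192.0.2.10", 50000,
                   payload="rpc-call" if data_on_syn else None)
    if not data_on_syn:
        srv.on_ack("192.0.2.10", 50000, c, "rpc-call")
    return srv.executed
```

With the cookie gate, only the client that echoes a valid cookie gets its request executed; with data accepted on the SYN, every request has already run by the time the cookie goes out in the SYN-ACK.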