[e2e] Receiving RST on a MD5 TCP connection.
Joe Touch
touch at ISI.EDU
Fri Jul 1 09:29:43 PDT 2005
Mitesh Dalal wrote:
...
>>Another point along these lines - if you had a secure connection with
>>another host, then the host reboots and 'forgets' the security
>>altogether (i.e., doesn't reestablish keys), it shouldn't be able to
>>reset the old connection anyway.
>
> and why would that be Joe ? By saying so you have no love for network
> reliability. Do you know networks can go down if MD5 enabled LDP
> connection cannot recover from this problem and rely on timeouts
> to recover ? Do you know the same thing can happen to BGP ?
> Security shouldnt come at the cost of reliablity!
New keys should - as I noted later in my post - flush state associated
with old keys. Lacking new keys, old state does no harm, since new
connections shouldn't occur.
Recovering from a problem doesn't mean leaving your doors unlocked.
Joe
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 254 bytes
Desc: OpenPGP digital signature
Url : http://www.postel.org/pipermail/end2end-interest/attachments/20050701/602e4a0e/signature-0001.bin
More information about the end2end-interest
mailing list