
To: Sandino Araico Sanchez <sandino,AT,sandino,DOT,net>
Subject: Re: Replays - thoughts on Gutmann response
From: "Eric M. Hopper" <hopper,AT,omnifarious,DOT,org>
Date: Tue, 07 Oct 2003 23:50:43 -0500
Cc: cipe-l,AT,inka,DOT,de
In-reply-to: <3F834DFF.20808@sandino.net>
Organization: Omnifarious Software
References: <944775566166B64B9A2DD5EE0159B5CDBA2A@europa.directory.futurefoundations.com> <1064557595.7652.134.camel@monster.omnifarious.org> <200309261016.46517.alatham@flexsys-group.com> <3F834DFF.20808@sandino.net>

On Tue, 2003-10-07 at 18:36, Sandino Araico Sanchez wrote:
> If we use TCP instead of UDP for key exchange the replay problem can be 
> worked around and there's no performance impact since there's no TCP 
> over TCP encapsulation in key exchange.
> 
> There's lower complexity using UDP exclusively for traffic and TCP 
> exclusively for key exchange since we don't need to find out if the
> received UDP package contains a package or a key. When we are sure no 
> UDP package contains a key we just need to check integrity, decrypt the 
> encapsulated package and pass it to the upper layer so the process is 
> simplified.

First, that makes key exchanges easy to find, though I consider that a
minor problem.

The biggest problem is that TCP is much harder to get through a NAT or
firewall than UDP is.

*sigh*,
--
There's an excellent C/C++/Python/Unix/Linux programmer with a wide
range of other experience and system admin skills who needs work.
Namely, me. http://www.omnifarious.org/~hopper/resume.html
-- Eric Hopper <hopper,AT,omnifarious,DOT,org>
