- From: Simon Spero <ses@tipper.oit.unc.edu>
- Date: Sat, 28 Oct 1995 13:46:21 -0700 (PDT)
- To: Jeffrey Mogul <mogul@pa.dec.com>
- Cc: Beth Frank <efrank@ncsa.uiuc.edu>, http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
On Fri, 27 Oct 1995, Jeffrey Mogul wrote:

> Anyway, I would summarize this as:
> (1) we should be worried about TCP connection hijacking
> (2) persistent connections might make the problem better
> (3) or (less likely) they might make it worse
> (4) but cryptography is the only real solution.

Point four is the key point here. The most important thing to remember is that unauthenticated IP packets should never be trusted for security purposes. Authentication can't be done at connection establishment; it must be done for each and every application level message. There are strong CJR-able solutions that are available to handle this (keyed-MD5 is a good symmetric-key solution).

While we're on the subject of TCP - does anybody have a web-server attached to the internet that's running TCP-Vegas? And has anybody hacked up Vegas style congestion control for Linux or Solaris? I'd like to do some measurements of how much of a win Vegas is for HTTP-NG (pre-Reno congestion control reduces some of the latency win, Reno lets it pull away, and Vegas should be an even bigger win).

Oh, and does anybody have any scripts to do tcpdump-to-gnuplot conversion?

Simon
---
(defun modexpt (x y n)
  "computes (x^y) mod n"
  (cond ((= y 0) 1)
        ((= y 1) (mod x n))
        ((evenp y) (mod (expt (modexpt x (/ y 2) n) 2) n))
        (t (mod (* x (modexpt x (1- y) n)) n))))
Received on Saturday, 28 October 1995 13:50:15 UTC
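The per-message authentication the post calls for, as an added example that is not part of the original message or of any HTTP-WG draft. It uses Python's hmac module with MD5 as a stand-in for the "keyed-MD5" the post mentions (HMAC is the later standardized form of a keyed hash; MD5 is kept only to match the post, and a current deployment would pick SHA-256). The shared key, the frame layout (4-byte sequence number, body, tag) and the sequence-number replay check are assumptions of this example, not anything the post specifies.

```python
import hashlib
import hmac
import struct

# Constructed sample key: a secret the two ends share out of band (hypothetical).
SHARED_KEY = b"example-shared-secret-not-for-real-use"

# MD5 only to mirror the post's "keyed-MD5"; hashlib.sha256 is the modern choice.
DIGEST = hashlib.md5
TAG_LEN = DIGEST().digest_size  # 16 bytes for MD5
SEQ_LEN = 4


def protect(key, seq, body):
    """Frame one application-level message as seq || body || tag.

    The tag is computed over the sequence number and the body together,
    so the receiver can detect both alteration and replay of any single
    message, regardless of what happened at TCP connection setup.
    """
    header = struct.pack("!I", seq)
    tag = hmac.new(key, header + body, DIGEST).digest()
    return header + body + tag


class Receiver:
    """Checks every message on its own; nothing is trusted by virtue of the connection."""

    def __init__(self, key):
        self.key = key
        self.next_seq = 0  # sequence number expected for the next frame

    def accept(self, frame):
        """Return the body if the frame verifies, else None."""
        if len(frame) < SEQ_LEN + TAG_LEN:
            return None
        header = frame[:SEQ_LEN]
        body = frame[SEQ_LEN:-TAG_LEN]
        tag = frame[-TAG_LEN:]
        expected = hmac.new(self.key, header + body, DIGEST).digest()
        # constant-time comparison so the tag check itself leaks no timing
        if not hmac.compare_digest(tag, expected):
            return None
        (seq,) = struct.unpack("!I", header)
        if seq != self.next_seq:
            return None  # replayed or out-of-order frame
        self.next_seq = seq + 1
        return body


def demo():
    """Run the receiver over constructed frames; returns what it accepted."""
    rx = Receiver(SHARED_KEY)
    results = {}

    genuine = protect(SHARED_KEY, 0, b"GET /index.html")
    results["genuine"] = rx.accept(genuine)

    # same length body swapped in, old tag kept: tag no longer matches
    tampered = genuine[:SEQ_LEN] + b"GET /secret.htm" + genuine[-TAG_LEN:]
    results["tampered"] = rx.accept(tampered)

    # exact copy of an already accepted frame: tag valid, sequence already used
    results["replay"] = rx.accept(genuine)

    # frame tagged under a key other than the shared one: tag mismatch
    forged = protect(b"wrong-key", 1, b"GET /admin")
    results["forged"] = rx.accept(forged)

    # the genuine next message is still accepted after the rejections
    nxt = protect(SHARED_KEY, 1, b"GET /next.html")
    results["next"] = rx.accept(nxt)
    return results


if __name__ == "__main__":
    for name, body in demo().items():
        print(f"{name:9s} -> {body!r}")
```

The point the post makes is visible in the three rejections: the tag check catches modified and foreign frames, and the sequence number catches a replay of a frame that was perfectly valid the first time, which a check done only at connection establishment would never see.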