[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: The cost of crypto in end-host multi-homing (was Re: The stateof IPv6 multihoming development)
In TCP the attacker can anticipate what you send and send
you faked acks, probably even trick you to send data on
much faster rate than what you otherwise would do.
Good point. We need something to protect against that.
The checking just takes on round trip, and you can even
piggypack your regular data.
Yes, that would be a good way to handle it. Do you agree that doing this
at the time the first choice address becomes unavailable makes more
sense than doing it at the time of initialization?
From the security point of view it doesn't make much difference
whether you make the check in the beginning or when the first
choice address becomes unavailable. What is important is that
you can strongly bind the existing connection between the first
address pair to the secodary addresses, and that you check the
validity of the secondary address before sending any larger amounts