> On Jun 4, 2020, at 2:26 PM, Craig Partridge <craig@xxxxxxxxxxxxx> wrote: > > > The SSH spec says terminate on failure and that it requires a reliable underpinning. > > Termination on error is no good. One of the studies shows huge failure rates (over 50%) for large file transfers. One guess is that's due to security protocols terminating when TCP hands up something with an error. Good thing that the IETF is nearing completion of the work on QUIC version 1.. I don't know whether you followed that, Craig, but QUIC plus UDP provides pretty much the same services as TLS plus TCP, including protection of every packet using AEAD encryption and checksum. Error not detected by the UDP checksum will most probably be detected by the 16 bits AEAD checksum. Your note mentions that errors are so frequent that some might not be detected by the MD5 checksum. That's a tall claim. MD5 provides a 128 bit cryptographic checksum, so the chances of not detecting an error are something like 1/2^128, something like 1.0E-38. There are attacks against MD5, which is why it is now deprecated. But these are cryptographic attacks, requiring significant computations to obtain two packets that would get the same checksum. We are speaking here of randomly flipping a few bits, which is completely different. Any robust 128 checksum will detect that. -- Christian Huitema