TLS isn’t “transport layer”. It’s app-layer. TCP-AO is transport layer - and would similarly protect against middlebox modifications.

Joe

> On Jun 7, 2020, at 2:16 PM, Michael Thomas <mike@xxxxxxxx> wrote:
>
>
> On 6/7/20 12:39 PM, Christian Huitema wrote:
>>> On Jun 7, 2020, at 12:08 PM, Joseph Touch <touch@xxxxxxxxxxxxxx> wrote:
>>>
>>> Overall, I’d feel a lot better about upending transport checksums if we had evidence that the checksum wasn’t catching errors. If the checksum is correct because it’s being constantly recomputed without being checked, a new alg won’t fix the issue.
>> Or, use a keyed cryptographic checksum and do not give the key to middleboxes.
>>
> I've always had an unease about transport layer security vs transport IPsec. At least I now have something to hang my hat on.
>
> Mike