Michael Thomas wrote on 08/06/2020 01:21:
well, it could send it to the wrong port, but i'll guess that tls is on to that problem. i mean, it kind of sounds like you're saying the transport checksum failing isn't a big deal? creating a gigantic window would certainly not be a good thing in the face of congestion. transport mode ipsec wouldn't suffer those kinds of problems.
in their current incarnations, transport mode ipsec and tcp-ao aren't deployable at scale in the same way that tls is.
Regarding transport layer integrity, there are distant echoes of the old circuit-switched vs packet-switched arguments going on here. tcp/ip made circuit switching redundant by loosening its assumptions about transport layer reliability. I wonder are we now seeing something similar with TLS, which no longer depends on either underlying transport or ip header integrity by pushing data stream integrity management higher up the stack.
Nick
