On 25 Mar 2008, at 16:10, Dan Wing wrote:

> ...
>> And yes, the issues I referred to are DoS and TCP spoofing.
>> These can only be protected against at the network level.
> What are your thoughts on DTLS's DoS and spoofing protection?

Looks like this is mostly similar to IPsec, except that the port numbers rather than the SA are used to demultiplex, so the anti-DoS protection that the sequence number / anti-replay counter provides is less than with IPsec. Also, a quick read of RFC 4347 doesn't reveal any advice regarding the initial value of the sequence number, so applications may start at 0 or 1 and make this easy to guess.

I assume this means in the future we'll be running TCP over DTLS over UDP...

The part that I don't like about DTLS is the way it avoids dealing with MTU issues and pretty much tells people to do PMTUD for IPv4 for UDP, even though in theory this is extremely hard to get to work and in practice it never works.

I wonder what kind of security mechanisms we would come up with if we got to do all of this again from scratch but with the benefit of hindsight. I'm pretty sure it wouldn't be TLS+IPsec+DTLS. And if I could go back in time and make sure the person who invented the DF bit wouldn't make it to work that day, I wouldn't hesitate to do that.

_______________________________________________
IETF mailing list
IETF@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf
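The anti-replay mechanism the message compares with IPsec, as an added example that is not part of the thread or of any DTLS implementation: a receiver keyed on peer address and port (the DTLS demultiplexing key) holding one IPsec-style 64-bit sliding window per (peer, epoch). The window is consulted before the MAC check and advanced only after it, so a spoofed record with a guessed sequence number still costs a MAC computation but cannot push genuine records out of the window. The shared key, peer address, payloads and the HMAC-SHA256 stand-in for the DTLS record MAC are all constructed for the example; real DTLS key derivation and MAC input are assumed away.

```python
"""Added example: DTLS-style record receiver with a sliding anti-replay window.
Not code from RFC 4347 or any DTLS stack; key, peer and payloads are constructed."""
import hashlib
import hmac
from dataclasses import dataclass, field

WINDOW = 64  # bitmap width in records; 64 is the usual default


@dataclass
class ReplayWindow:
    """Sliding window in the style of IPsec (RFC 2401 Appendix C), which DTLS copies."""
    right: int = -1   # highest sequence number accepted so far (-1: nothing yet)
    bitmap: int = 0   # bit i set => record number (right - i) has been accepted

    def check(self, seq: int) -> bool:
        """True if seq is new and inside the window. Call BEFORE MAC verification."""
        if seq > self.right:
            return True                        # ahead of window: candidate, not yet trusted
        if self.right - seq >= WINDOW:
            return False                       # too old: dropped without any crypto
        return not (self.bitmap >> (self.right - seq)) & 1   # already seen?

    def update(self, seq: int) -> None:
        """Advance the window. Call ONLY after the MAC verified, so a forged record with
        a guessed high sequence number cannot shift genuine records out of the window."""
        if seq > self.right:
            shift = seq - self.right
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.right = seq
        else:
            self.bitmap |= 1 << (self.right - seq)


@dataclass
class Record:
    epoch: int      # 16-bit epoch in the DTLS record header
    seq: int        # 48-bit sequence number in the DTLS record header
    payload: bytes
    tag: bytes


def mac(key: bytes, epoch: int, seq: int, payload: bytes) -> bytes:
    # Stand-in for the record MAC: binds epoch and sequence number to the payload.
    data = epoch.to_bytes(2, "big") + seq.to_bytes(6, "big") + payload
    return hmac.new(key, data, hashlib.sha256).digest()


def seal(key: bytes, epoch: int, seq: int, payload: bytes) -> Record:
    return Record(epoch, seq, payload, mac(key, epoch, seq, payload))


@dataclass
class Receiver:
    key: bytes
    windows: dict = field(default_factory=dict)  # keyed by ((ip, port), epoch), not by an SA
    mac_checks: int = 0                          # counts the expensive step an attacker can force

    def receive(self, peer: tuple, rec: Record) -> str:
        win = self.windows.setdefault((peer, rec.epoch), ReplayWindow())
        if not win.check(rec.seq):
            return "dropped:replay"             # cheap rejection, no MAC computed
        self.mac_checks += 1
        expected = mac(self.key, rec.epoch, rec.seq, rec.payload)
        if not hmac.compare_digest(rec.tag, expected):
            return "dropped:bad-mac"            # spoofed record: window NOT advanced
        win.update(rec.seq)
        return "accepted"


def demo():
    """Runs a constructed exchange; returns (list of outcomes, number of MAC checks)."""
    key = b"constructed-shared-key"             # assumption: both ends already hold this
    rx = Receiver(key)
    peer = ("192.0.2.1", 5000)                  # constructed peer address/port
    out = [rx.receive(peer, seal(key, 0, s, b"app data")) for s in (0, 1, 2)]
    out.append(rx.receive(peer, seal(key, 0, 1, b"app data")))   # replayed genuine record
    # Off-path attacker knows the port (the demux key) and guesses the next sequence
    # number, but not the key: the receiver must still compute one MAC to reject it.
    out.append(rx.receive(peer, Record(0, 3, b"junk", b"\x00" * 32)))
    out.append(rx.receive(peer, seal(key, 0, 3, b"app data")))   # genuine seq 3 still fits
    out.append(rx.receive(peer, seal(key, 0, 500, b"app data"))) # jump far ahead is fine
    out.append(rx.receive(peer, seal(key, 0, 2, b"app data")))   # now older than the window
    return out, rx.mac_checks


if __name__ == "__main__":
    print(demo())
```

The ordering of the two steps is the point: `check` runs before the MAC and `update` after it. Reversing that, or advancing the window on any in-window sequence number before verifying, would let anyone who can guess the sequence number (easy if it starts at 0) push a peer's genuine records out of the window with spoofed ones.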