On Mon, Feb 26, 2018 at 12:21 AM, Joe Touch <touch@xxxxxxxxxxxxxx> wrote:
I am very skeptical of the justification for performance enhancing
proxies in section 2.2.4. It develops the idea that having a form of
These are primarily 'satellite games' proxies.. that early-ack and such to make the long satellite portion of the transport seem short(er).
They only REALLY need to see TCP headers, so ipsec is problematic, but not (probably) tls.
Enabling TCP Hijacking should never be justification for “needing” to avoid transport header privacy, IMO.
Games or other apps that “need” such support ought to “need” to explicitly permit it by peering their security with those proxies directly.
Apologies: "games" in my reply could better be called: "shenanigans" ... not games like farmville, but messy things the satellite (in the past anyway) providers would do to make tcp appear to perform better in their environment.
Yes, people COULD ipsec around that problem.
Yes, people COULD md5-tcp around that problem. (tcp-ao, ha!)
Generally none of that has happened though.