>>>>> "Steven" == Steven M Bellovin <[email protected]> writes:
Steven> You're right -- IPsec will not permit window-size
Steven> spoofing. To understand why, imagine that an enemy were
Are there not TCP options that allow the window size to be
expanded? I realize that those options are not widely deployed. I will
postulate this:

  - real systems without the expanded window size options probably
    don't have IPsec either.
  - VPN gateways already have a machine at each end that could
    do the window-size spoofing, and in the case of per-host
    keying, already have almost all the state as well. Seems like
    a neat value add to me.
] Network Security Consulting and Contract Programming | SSH IPsec [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |international[
] [email protected] http://www.sandelman.ottawa.on.ca/ |strong crypto[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy"); [
This archive was generated by hypermail 2b29 : Mon Feb 14 2000 - 16:14:38 EST