Dailydave mailing list archives

Re: Cisco, and software patents.


From: Matt Hargett <matt () use net>
Date: Wed, 12 May 2004 13:49:36 -0700

Florian Weimer wrote:

IMHO, there are two flaws.  The first one is the change that advises
to send an ACK in response to certain RST segments.  This seems to be
an unnecessarily drastic change to the TCP state machine.  My other
concern is more fundamental: If we start fixing weak points of the TCP
state machine by fiddling with it, we might be forced to roll out a
TCP upgrade twice a year, for the foreseeable future.  This is not
acceptable.  If we want to protect the TCP state engine against blind
insertion attacks, we should introduce a "v-tag" or "cookie" that is
the same in both directions, is negotiated at connection
establishment, and remains constant during its lifetime.  This concept
is borrowed from SCTP, so it should be free from IPR claims.

Didn't Moskowitz suggest the same thing with his HIP (Host Identification Protocol) proposal 4 or 5 years ago? (I think it was 2000, but my memory is fuzzy.) I personally find both to be equally impractical; to the point where I thought Moskowitz was joking when he made his proposal at the DDoS BoF at NANOG. He seemed to think a solution like this one would get deployed before IPv6, which was probably more correct than it is now, but still seems quite delusional to me.

Of course, if Cisco backs some "solution" and just puts it into IOS, then it will by default be used. Same as if Microsoft put something similar into a service pack and didn't give people the option to not use it.

At the very least, it doesn't violate the "smart ends, dumb middle" ethic like so many other proposed solutions to DDoS problems people kept suggesting when I still paid attention to these things.
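As an added illustration (not part of the thread above), here is a receiver-side model of the three RST acceptance rules the two posters are arguing about: the RFC 793 in-window rule, the "send an ACK in response to certain RST segments" change Weimer objects to, and the SCTP-style per-connection verification tag he proposes instead. The window size, the 32-bit tag width and the simplified modular sequence arithmetic are assumptions; no sockets are involved.

```python
from dataclasses import dataclass

WINDOW = 65535      # assumed receive window (bytes)
TAG_BITS = 32       # SCTP verification tags are 32 bits wide
SEQ_SPACE = 2**32   # TCP sequence number space

@dataclass
class Conn:
    rcv_nxt: int    # next sequence number the receiver expects
    vtag: int = 0   # per-connection tag negotiated at setup (assumed 32-bit)

def rst_legacy(conn: Conn, seq: int) -> str:
    """RFC 793 behaviour: any RST whose seq lands in the window tears down."""
    if (seq - conn.rcv_nxt) % SEQ_SPACE < WINDOW:
        return "reset"
    return "drop"

def rst_challenge(conn: Conn, seq: int) -> str:
    """The state-machine change Weimer criticises: only an exact RCV.NXT
    match resets; an in-window but inexact RST is answered with an ACK
    (a 'challenge ACK') so a genuine peer can resend with the right seq."""
    off = (seq - conn.rcv_nxt) % SEQ_SPACE
    if off == 0:
        return "reset"
    if off < WINDOW:
        return "challenge-ack"
    return "drop"

def rst_vtag(conn: Conn, seq: int, tag: int) -> str:
    """The SCTP-borrowed idea: a segment that does not carry the tag
    negotiated at connection establishment is dropped before any
    sequence-number check runs."""
    if tag != conn.vtag:
        return "drop"
    return rst_legacy(conn, seq)

def blind_search_space(rule: str) -> int:
    """Risk comparison: number of distinct values a sender that cannot see
    the connection would have to cover to be sure of matching the rule."""
    if rule == "legacy":
        return SEQ_SPACE // WINDOW             # one hit per window
    if rule == "challenge":
        return SEQ_SPACE                       # exact RCV.NXT only
    if rule == "vtag":
        return (SEQ_SPACE // WINDOW) * 2**TAG_BITS
    raise ValueError(rule)
```

The last function is what makes Weimer's point concrete: the tag multiplies the search space by 2^32 without touching the sequence-number state machine at all.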



_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave
