On May 31, 2022, at 8:29 AM, Tero Kivinen <kivi...@iki.fi> wrote:
>
> I think we should tear down the TCP stream immediately if we detect
> that length bytes can't be correct.
If that’s the case, then you’re opening up this approach to a much lower bar to
attacks.
It would be significantly more useful to find a way to resync. I don’t have any
particular suggestions there, except maybe when sync is lost to scan for a
known byte pattern and try to resync there. If the IPsec then starts to work
again, you’re set. If not, you keep scanning.
This is the approach ATM used to find cell boundaries.
Is there a reason not to include that as a fallback when such attacks are seen
as a mitigation to avoid the restart overhead??
Joe
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
