I'd like to have one more word on this. SEAL now has a means for the tunnel endpoints to synchronize sequence numbers. This is a loose synchronization (not a strict one) because SEAL needs to account for packet loss, reordering, etc. Also, unlike TCP, SEAL makes no provisions for reliable delivery, because reliability is the responsibility of higher layers.
Once synchronized, tunnel endpoints can detect and ignore off-path spoofing attacks since it will be difficult or impossible for an off-path attacker to guess sequence numbers with any regularity (the sequence numbers are long). The synchronized tunnel endpoints can then exchange secure neighbor discovery messages to secure the IRON-RANGER prefix registrations and redirections. I don't know of any other proposals that have a means for detecting and avoiding off-path DoS attacks in this way. Is this something that should be mentioned in the critique or the rebuttal?

Thanks - Fred
fred.l.temp...@boeing.com

> -----Original Message-----
> From: rrg-boun...@irtf.org [mailto:rrg-boun...@irtf.org] On Behalf Of Tony Li
> Sent: Monday, February 22, 2010 10:09 PM
> To: Robin Whittle; RRG
> Subject: Re: [rrg] RANGER and SEAL critique
>
> > This is my attempt to write a critique of RANGER and SEAL for the
> > RRG Report. The SEAL critique is at the end.
> >
> > Since there is a 500 word limit for the RRG report, I suggest
> > that just the first 7 paragraphs be used. Trying to discuss
> > RANGER in any more detail quickly expands to a much larger task.
>
> I've incorporated this.
>
> Tony
>
> _______________________________________________
> rrg mailing list
> rrg@irtf.org
> http://www.irtf.org/mailman/listinfo/rrg
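A receiver-side model of the loose sequence check Fred describes, added here as an illustration only; it is not SEAL's own code or its actual header layout. The 32-bit field width, the 64-packet window, the bitmap bookkeeping and the guessing experiment are assumptions made for the example.

```python
import random

SEQ_BITS = 32            # assumption: width of the per-tunnel sequence field
SEQ_MOD = 1 << SEQ_BITS
WINDOW = 64              # assumption: loss/reordering the receiver tolerates


class LooseSeqChecker:
    """Receiver-side loose sequence check for one tunnel direction.

    Packets within WINDOW of the highest sequence seen are accepted (gaps
    cover loss, lower values cover reordering); replays and values far
    outside the window, which an off-path sender would have to guess,
    are dropped. Loose, not strict: nothing is retransmitted or ordered.
    """

    def __init__(self, initial_seq):
        self.highest = initial_seq % SEQ_MOD
        self.seen = 1            # bit i set => (highest - i) already accepted

    def accept(self, seq):
        diff = (seq - self.highest) % SEQ_MOD    # modular distance, handles wrap
        if diff == 0:
            return False                         # replay of the newest packet
        if diff < SEQ_MOD // 2:                  # ahead of highest
            if diff > WINDOW:
                return False                     # jump too large: drop as spoof
            self.seen = ((self.seen << diff) | 1) & ((1 << (WINDOW + 1)) - 1)
            self.highest = seq % SEQ_MOD
            return True
        back = SEQ_MOD - diff                    # behind highest (reordered)
        if back > WINDOW or (self.seen >> back) & 1:
            return False                         # too old, or already seen
        self.seen |= 1 << back
        return True


def off_path_guesses_accepted(current_seq, trials, seed=1):
    """Constructed experiment: count random sequence guesses a fresh checker
    would accept. A guess only succeeds within +/-WINDOW of the live value."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        if LooseSeqChecker(current_seq).accept(rng.randrange(SEQ_MOD)):
            hits += 1
    return hits
```

With a 32-bit field and a 64-packet window a blind guess lands in the acceptable range with probability of roughly 128 in 2^32, which is why the receiver can discard unsynchronized traffic without keeping any per-packet state beyond the window bitmap.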