This brings up an interesting point; having a record length that corresponds to the TCP segment size can help hardware implementations such that they don't need to deal with scatter/gather; i.e. one TCP segment corresponds to a single TLS record. This goes along with 8 (or 4) byte record lengths for hardware implementations.
--
-Todd Short
// Sent from my iPhone
// "One if by land, two if by sea, three if by the Internet."

> On Nov 29, 2015, at 8:40 PM, Peter Gutmann <pgut...@cs.auckland.ac.nz> wrote:
>
> Nikos Mavrogiannopoulos <n...@redhat.com> writes:
>
>> I believe your proposal is a nice example of putting the cart before the
>> horse. Before proposing something it should be clear what you want to
>> protect from, what is the threat?
>
> Exactly. If you want to thwart traffic analysis, you need to do something
> like what's done by designs like Aqua ("Towards Efficient Traffic-analysis
> Resistant Anonymity Networks"), or ideas from any of the other
> anti-traffic-analysis work that's emerged in the past decade or two. You get
> traffic analysis resistance by, for example, breaking data into fixed-length
> packets, using cover traffic, and messing with packet timings, not by
> encrypting TLS headers.
>
> Peter.
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
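The two points in this exchange, sizing a record to fit one TCP segment and Peter's argument that fixed-length packets rather than encrypted headers defeat length-based traffic analysis, as an added example that is not part of the thread. It assumes TLS 1.3 record framing (5-byte header, one inner content-type byte, 16-byte AEAD tag) and a constructed list of application message sizes, then compares the record lengths an on-path observer sees with and without zero-padding every record to the segment capacity.

```python
"""Observable TLS 1.3 record lengths with and without fixed-size padding (added example)."""
from typing import List, Optional

TLS_RECORD_HEADER = 5   # type(1) + legacy_version(2) + length(2)
AEAD_TAG_LEN = 16       # AES-GCM / ChaCha20-Poly1305 authentication tag
INNER_TYPE_LEN = 1      # TLSInnerPlaintext.type byte that precedes the padding

def max_content_for_segment(mss: int) -> int:
    """Largest application payload whose single record fits one TCP segment of size mss."""
    return mss - TLS_RECORD_HEADER - INNER_TYPE_LEN - AEAD_TAG_LEN

def record_wire_length(content_len: int, pad_to: Optional[int] = None) -> int:
    """On-the-wire size of one record carrying content_len bytes.
    If pad_to is given, the inner plaintext is zero-padded so content+padding
    always totals pad_to bytes; the observer then sees a constant length."""
    if pad_to is not None:
        if content_len > pad_to:
            raise ValueError("content exceeds fixed record size")
        inner = pad_to
    else:
        inner = content_len
    return TLS_RECORD_HEADER + inner + INNER_TYPE_LEN + AEAD_TAG_LEN

def fragment(message_len: int, max_content: int) -> List[int]:
    """Split one application message into record payloads of at most max_content bytes."""
    sizes, remaining = [], message_len
    while remaining > 0:
        take = min(remaining, max_content)
        sizes.append(take)
        remaining -= take
    return sizes

def wire_profile(messages: List[int], mss: int, pad: bool) -> List[int]:
    """Sequence of record lengths an on-path observer sees for the given
    message sizes, with exactly one TLS record per TCP segment."""
    cap = max_content_for_segment(mss)
    return [record_wire_length(c, pad_to=cap if pad else None)
            for m in messages for c in fragment(m, cap)]

# Constructed sample: byte sizes of a few HTTP-like requests and responses.
SAMPLE_MESSAGES = [121, 3040, 512, 3040, 87]

if __name__ == "__main__":
    for pad in (False, True):
        prof = wire_profile(SAMPLE_MESSAGES, 1460, pad)
        print(f"padding={pad}: {len(prof)} records, "
              f"{len(set(prof))} distinct lengths -> {prof}")
```

Padding collapses the length distribution to a single value, but the record count (nine here in both runs) still tracks message size, which is why the quoted reply also lists cover traffic and timing as necessary.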