> From: Joe Touch <touch@ISI.EDU>
> ...
> redirection proxy and set of web caches redirected to - are responsible
> for maintaining the IP ID uniqueness, since they, as a whole, intend to
> represent a single IP address.
>
> (in the trivial case I outlined, that uniqueness is ensured by the use
> of source-determined demux; anytime packets with the same source/dest
> pair can go to the different endpoints, uniqueness must be otherwise
> avoided, e.g., out of band messages between the endpoints.)
>
> The same applies, BTW, for port reuse and TCP sequence spaces. Sets of
> endpoints aliasing as a single must coordinate and ensure uniqueness.
yep.
As long as local system maintains the illusion to the remote peer of being
a correctly functioning host, everything else, including geographical
dispersion is an irrelevant internal implementation detail.
IPSEC and application layer security are canaries that swoon early when
third parties try to improve the situation.
> > A NAT box can also do the wrong thing with IP fragmentation, and in more
> > plausible scenarioes than 600 byte URL's or PUT's. Consider two client
> ...
> Hmmm - is that observation in the NAT specs? If not, is it something
> that should be addressed separately there, or in the Transparency
> Hazards doc??
As I understand your document, it's off topic.
I understand it as "Third Party Redirection Proxies Considered Harmful."
The bit about third party HTTP redirection proxies being based on
replay attacks exemplifies the sense.
Vernon Schryver vjs@rhyolite.com
This archive was generated by hypermail 2b29 : Thu Nov 18 2004 - 11:21:28 MST