Displaying 2 results from an estimated 2 matches for "middleboxen".
2016 Jan 15
[Patch] TCP MD5SIG for OpenSSH
On 15 January 2016 at 08:48, Alex Bligh <alex at alex.org.uk> wrote:
> > The socket option is enabled *after* connection establishment, thus
> > doesn't protect against SYN floods. This is because the server doesn't
> > know (in userspace) what the address of the peer is until they
> > connect. Again, because of signed addresses.
> So could they exchange a secret
2016 Jan 15
[Patch] TCP MD5SIG for OpenSSH
...session key I suppose if the concern was
> entropy.
>
> The idea would be for this to detect NAT (without revealing private
> IP addresses) and avoid TCP-MD5SIG if it's in use, but for TCP-MD5SIG
> to be off by default anyway. The reason for this is that it might not
> detect middleboxen (e.g. firewalls) that effectively proxy the TCP
> session or strip the packets. A couple of dummy ECHO/ECHO REPLY TCP
> options are used in order to detect such stripping.
Don't these extra roundtrips further increase the latency of ssh
connection setup (e.g. imagine a high-bandwidth&...