[VPN] Application timeouts over VPN...HELP!
Alex Pankratov
alex at cipherica.com
Thu Apr 10 12:29:51 EDT 2003
James McNeill wrote:
> The more traffic that is exposed with the same key, the easier it will be to
> crypto-analise and discover bad random number generating patterns. For any
> secuerly implemented encryption protocol, this should not be a problem. In
> most cases you either crack the encryption or you don't. Doesn't matter how
> much stuff you have to decrypt.
>
> as for TCP sessions, since the keys and algorithms will all be the same
> between sessions, it won't have any effect on security. anyone capable of
> attacking your VPN tunnel won't care what you do with your TCP sessions. as
> far as your attacker is concerend, a TCP session is just a number in the
> header, but so long as it uses the same tunnel, he won't care. It's the
> contents of the packet that is valuable.
Exactly my point - the length of TCP connection has no effect on the
security of the VPN it's being tunneled over.
I was responding to the following to the following statement ..
safieradam wrote:
> I would .... and point out to the developers that leaving sessions
> open for hours is bad security and not allowed.
.. which was given in the context of ..
Mike Hancock wrote:
> ..I keep saying that they need to speed up response times on their
> TCP communications and send "heartbeats". They call me "Non-Helpful"
.. which in term implied that 'sessions' in first quote are TCP
sessions. If these were not, then there is nothing to talk about,
the issue boils down to a proper use of SA lifetimes; case closed.
>
> having abnormally long/short TCP sessions is bad practice, and likely to
> cause more problems than it's worth.
>
You make it sound as it's a commonly accepted fact . Well, it's not.
There is nothing wrong with 'abnormally' Long/short TCP sessions.
Consider SSH, IMAP, PPTP and multitude of instant messaging protocols
as few examples.
/alex
More information about the VPN
mailing list