Steve Bellovin;
> >To avoid connection hijacking, cookies, such as TCP port and sequence
> >numbers, are enough, if they are long enough.
>
> That's preposterous. Long-enough numbers are good *if* and only if there are
> no eavesdroppers present.
"good *if* and only if"?
With cookies, a network is as secure as a telephone or fax network, which
is *GOOD* enough for credit card companies.
On the other hand, a complex key handling mechanism introduces a
lot of chances for key eavesdropping.
> >You may use optional IPSEC over it for extra security (it is more
> >secure primarily because IPSEC keys are long cookies), but you
> >don't need it.
>
> Nonsense.
Agreed, because TCP port and sequence numbers are long enough.
Masataka Ohta
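To put numbers on the distinction the exchange turns on (an off-path attacker who must guess the port and sequence number versus an on-path eavesdropper who simply reads them), here is an added toy model. It is not code from the thread or from either author; the receive window size, the client port range, the server port and all class and function names are constructed assumptions for illustration.

```python
"""Toy model of TCP "cookies": the port pair plus the 32-bit sequence number.

The receiver accepts an injected segment only if both ports match and the
sequence number falls inside its receive window.  An off-path (blind)
attacker has to guess port and sequence number; an on-path eavesdropper
copies them from a sniffed segment.  All parameters below are constructed.
"""
import random

SEQ_SPACE = 2 ** 32                      # width of the TCP sequence-number field
RCV_WND = 65535                          # constructed receive window, in bytes
EPHEMERAL_PORTS = range(32768, 61000)    # constructed client port range
SERVER_PORT = 443                        # constructed, well-known server port


class ToyConnection:
    """Receiver-side state for one established connection."""

    def __init__(self, rng):
        self.client_port = rng.choice(EPHEMERAL_PORTS)
        self.server_port = SERVER_PORT
        # Next sequence number the receiver expects from the peer (random ISN).
        self.rcv_nxt = rng.randrange(SEQ_SPACE)

    def accepts(self, sport, dport, seq):
        """True if a segment with these headers would land in the receive window."""
        if (sport, dport) != (self.client_port, self.server_port):
            return False
        # In-window test with 32-bit wraparound: (seq - rcv_nxt) mod 2^32 < window.
        return (seq - self.rcv_nxt) % SEQ_SPACE < RCV_WND


def make_connection(seed):
    """Deterministic connection for reproducible runs (assumption: seeded PRNG)."""
    return ToyConnection(random.Random(seed))


def blind_inject(conn, rng, attempts):
    """Off-path attacker: guesses client port and seq; returns accepted count."""
    hits = 0
    for _ in range(attempts):
        sport = rng.choice(EPHEMERAL_PORTS)
        seq = rng.randrange(SEQ_SPACE)
        if conn.accepts(sport, conn.server_port, seq):
            hits += 1
    return hits


def eavesdrop_inject(conn, sniffed):
    """On-path attacker: reuses ports and seq read from a legitimate segment."""
    sport, dport, seq = sniffed
    # Any seq inside the window works; offset 100 stands in for an injected payload.
    return conn.accepts(sport, dport, seq + 100)


def blind_success_probability():
    """Per-guess probability for the off-path attacker (port and seq unknown)."""
    return (RCV_WND / SEQ_SPACE) / len(EPHEMERAL_PORTS)


def demo(seed=1):
    """Run both attackers against one connection and return their outcomes."""
    rng = random.Random(seed)
    conn = ToyConnection(rng)
    # What a sniffer on the path sees in a legitimate segment.
    sniffed = (conn.client_port, conn.server_port, conn.rcv_nxt)
    return {
        "eavesdropper": eavesdrop_inject(conn, sniffed),
        "blind_hits": blind_inject(conn, rng, 100_000),
        "blind_p": blind_success_probability(),
    }


if __name__ == "__main__":
    print(demo())
```

With these constructed parameters a blind guess succeeds with probability about 5e-10 per segment, so 100,000 injected segments essentially never land, while the eavesdropper's single segment is accepted on the first try. The model is deliberately naive (one connection, a fixed window, no RST or ACK-number checks); it is only meant to make the two attacker positions in the exchange concrete.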