Hi Drew,

> For one thing it requires allocating storage for this is in the
> messages. It is an interesting question how much storage is
> required but the naive implementation would be a 128-bit GUID. For
> a 4-byte message this bloats the network traffic significantly.
> Particularly when there is a simple solution with zero
> overhead—pull the pipe key from nanomsg.

The pipe ID is not guaranteed to be permanently associated with a single endpoint. Because of connects and disconnects you can get one message with pipe ID 123 from peer A and the next one with the same pipe ID from peer B.

Thus, you could use the ID only as a hint to the oracle: "Do full authentication, but start checking the peer known so far under ID 123."

That being the case, you can as well embed a 2-byte or 4-byte random integer in each message and use that as a hint. In the former case the probability of collision drops 65536x, in the latter 4294967296x, which looks sufficient IMO.

As for the TCP level: If you are a MITM and you are able to intercept the TCP connection to get the ID to use for a DoS attack, you can as well send some fake RST packets to kill the old connection. Sending a RST packet is definitely simpler than doing DPI.

Martin
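A sketch of the "hint to the oracle" idea from the message above, added here as an illustration and not taken from the thread or from nanomsg. It assumes a 4-byte random hint prepended to each message and uses per-peer HMAC-SHA256 keys as a stand-in for "full authentication"; the `Oracle`, `seal` and `demo` names and the wire layout are hypothetical.

```python
import hashlib
import hmac
import os

TAG_LEN = 32  # HMAC-SHA256 tag length in bytes


class Oracle:
    """Receiver that authenticates every message; the hint only orders the key search."""

    def __init__(self, peer_keys):
        self.peer_keys = dict(peer_keys)  # peer name -> shared MAC key
        self.hint_cache = {}              # 4-byte hint -> peer last verified under it

    def identify(self, wire):
        """Return (peer, payload, keys_tried); peer is None if no key verifies."""
        if len(wire) < 4 + TAG_LEN:
            return None, b"", 0
        hint, tag, payload = wire[:4], wire[4:4 + TAG_LEN], wire[4 + TAG_LEN:]
        guess = self.hint_cache.get(hint)
        # Start with the peer known so far under this hint, then try the rest.
        order = ([guess] if guess in self.peer_keys else []) + \
                [p for p in self.peer_keys if p != guess]
        for tried, peer in enumerate(order, start=1):
            expected = hmac.new(self.peer_keys[peer], hint + payload, hashlib.sha256).digest()
            if hmac.compare_digest(expected, tag):
                self.hint_cache[hint] = peer  # rebind after a collision or reconnect
                return peer, payload, tried
        return None, b"", len(order)


def seal(key, hint, payload):
    """Sender side (assumed layout): hint || HMAC(key, hint || payload) || payload."""
    return hint + hmac.new(key, hint + payload, hashlib.sha256).digest() + payload


def demo():
    keys = {name: os.urandom(32) for name in ("A", "B", "C")}  # constructed sample peers
    oracle = Oracle(keys)
    hint = os.urandom(4)
    results = [
        oracle.identify(seal(keys["C"], hint, b"ping")),        # unknown hint: full search
        oracle.identify(seal(keys["C"], hint, b"ping")),        # cached hint: first try
        oracle.identify(seal(keys["A"], hint, b"ping")),        # same hint, different peer
        oracle.identify(seal(os.urandom(32), hint, b"ping")),   # unknown key: rejected
    ]
    return [(peer, tried) for peer, _, tried in results]
```

A stale or colliding hint costs extra key checks but never changes who the message is attributed to, because the MAC check decides identity and the hint only picks the starting point.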