by dwviel 3286 days ago
Great comments.

1. See my reply to theamk above.

2. The padding is good, but it needs to be the exact same size for all packets, which implies always using the biggest size.

3. See my reply to theamk above.

We are expecting to run over unreliable networks that may have intermittent dropouts, so connection-based solutions would require repeatedly reestablishing the connections, which would be cumbersome. The replay attack protection only exists within a connected sequence.

Overall we think that our solution is simpler and less error prone to configure, and can operate over a wider range of conditions than existing solutions with fewer constraints.

1 comments

1. Your reply was "SYN cookies can be a solution, but it has limitations, and to overcome those limitations requires changes to the TCP protocol." Can you tell me more about these limitations? I thought the SYN cookies work pretty well. And they are pretty simple to set up -- in fact, they need no setup at all, as they are already enabled by default in the recent distributions.

2. Right, so how does your protocol solve a padding problem? Why won't this method work with ZeroMQ?

3. As I was saying above, this is still wrong. Both TLS and CurveZMQ are protected against replay attack.