Skeeter + Bubba: two TCP options that might have reshaped the world

Deep in the lore of internet history, in IANA registries and mailing lists, lurks the tale of Skeeter and Bubba. Two innocent numbers that might have changed the fate of many had they been used.

Legend has it that these two legendary rednecks names were to be used for an ad-hoc TCP encryption mechanism. Each TCP flow would do some sort of Diffie-Hellman per connection, and then create a private ciphered link. Sure it has no authentication, and sure it doesn’t protect against man-in-the-middle. But, it would have actually been quite strong.

You see this would make it impractical for many traffic sniffers to operate. Since the Internet is multi-path (see OSPF ECMP for why), its also impractical for non-endpoint devices to man-in-the-middle traffic without being very close to the endpoint. Huge amounts of traffic would be more secure. Industries would have been altered or not existing.

Would it have been perfect? No, no redneck solution ever is. Would it have dramatically improved privacy and security? You betcha. Who wants to resurrect it?

You see, there are perfect solutions. And some say that perfect is the enemy of good enough. Solutions like ipsec and SSL require pre-shared keys or certificate authorities. They are hard to set up. And rarely do they authenticate both ends. This would have just worked, it would not have broken those other methods of improving security. At worst it would be no worse than status quo.

Posted

in

by

db

Tags:

Comments

2 Responses to “Skeeter + Bubba: two TCP options that might have reshaped the world”

  1. Kevin Nisbet

    > Who wants to resurrect it?

    I think using Noise in NN handshake mode would work like this. And we’re getting to the point where noise has an implementation in most major languages, and adoption. Might not be too hard, if someone comes along with a paper and an implementation for a protocol for a popular protocol like http2.

    I would still ask the question though, with the progress that is being made with let’s encrypt and authenticated DH, would we really want to step backwards?

    Reply
  2. db

    I’m not proposing an ‘either or’.
    I’m suggesting that tcp-level encryption would just work at the kernel level for all apps. Of course they should be TLS, and we should work towards mutual TLS for all.

    Just mulling over all the things that would be better if TCP was encrypted where it could be.

    Reply

Leave a Reply to Kevin Nisbet Cancel reply

Your email address will not be published. Required fields are marked *