nanog mailing list archives
Re: key change for TCP-MD5
From: Iljitsch van Beijnum <iljitsch () muada com>
Date: Sat, 24 Jun 2006 01:17:31 +0200
On 24-jun-2006, at 0:43, Owen DeLong wrote:
Why couldn't the network device do an AH check in hardware before passing the packet to the receive path? If you can get to a point where all connections or traffic TO the router should be AH, then, that will help with DOS.
If you care that much, why don't you just add an extra loopback address, give it an RFC 1918 address, have your peer talk BGP towards that address and filter all packets towards the actual interface address of the router?
The chance of an attacker sending an RFC 1918 packet that ends up at your router is close to zero and even though the interface address still shows up in traceroutes etc it is bullet proof because of the filters.
(This works even better with IPv6 link local addresses, those are guaranteed to be unroutable.)
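What the setup described above looks like on one side of the peering, written out as an added example (this is not configuration posted in the thread). It is Cisco IOS style syntax; the ASNs (65001/65002), the link addresses 192.0.2.1/30 and 192.0.2.2, the interface name, and the RFC 1918 loopback addresses 10.255.0.1 and 10.255.0.2 are all made-up values. The peer needs the mirror image of this.

```cisco
! Router A, AS 65001. Peer B is AS 65002 on the far end of the link.
! All addresses below are example values chosen for this illustration.
!
! The peering address lives on a loopback and is never advertised,
! so nothing outside this link has a route to it.
interface Loopback1
 description eBGP peering address (RFC 1918, not advertised)
 ip address 10.255.0.1 255.255.255.255
!
interface GigabitEthernet0/0
 description Link to peer B (192.0.2.0/30)
 ip address 192.0.2.1 255.255.255.252
 ip access-group PEER-LINK-IN in
!
! B's loopback is reachable only across the direct link; a /32 static
! route keeps the session from depending on anything else.
ip route 10.255.0.2 255.255.255.255 192.0.2.2
!
router bgp 65001
 neighbor 10.255.0.2 remote-as 65002
 ! source the session from the loopback, not the link address
 neighbor 10.255.0.2 update-source Loopback1
 ! loopback-to-loopback eBGP is not "directly connected": allow 2 hops
 neighbor 10.255.0.2 ebgp-multihop 2
 ! TCP-MD5 as before; <shared-secret> is a placeholder
 neighbor 10.255.0.2 password <shared-secret>
!
ip access-list extended PEER-LINK-IN
 remark BGP between the two loopbacks, whichever side opened the session
 permit tcp host 10.255.0.2 host 10.255.0.1 eq bgp
 permit tcp host 10.255.0.2 eq bgp host 10.255.0.1
 remark nothing else may be addressed to the link address or the loopback
 deny   ip any host 192.0.2.1
 deny   ip any host 10.255.0.1
 remark everything else is transit traffic and is forwarded as usual
 permit ip any any
```

Two things to check before relying on this: the deny on 192.0.2.1 also drops pings and other ICMP aimed at the link address (the address still appears in traceroutes because TTL-exceeded replies are sourced from it, which the ACL does not touch), so permit what you actually want to reach it; and the loopback must be protected on every interface, not just this one, otherwise a host inside your own network with a route to 10.255.0.1 can still reach the BGP port. Applying the same deny on the other interfaces, or the equivalent in a receive ACL / control-plane policy, closes that.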