nanog mailing list archives
RE: key change for TCP-MD5
From: "Barry Greene (bgreene)" <bgreene () cisco com>
Date: Sat, 24 Jun 2006 03:07:28 -0700
> Why couldn't the network device do an AH check in hardware before passing the packet to the receive path? If you can get to a point where all connections or traffic TO the router should be AH, then that will help with DoS.
There is no push from the operators to look at an AH check or an SPI check before the receive-path punt. The push was to get something that the lowest-common-denominator engineering in the NOC can handle with a BGP key roll. Hence draft-bonica-tcp-auth. Many operators. Build on the operators' requirements. Build on experience with similar techniques. Three vendors agree - all with working code.
> If you can limit what devices _SHOULD_ talk to the router and at least define some subset of that from which you demand AH on every packet, that helps but isn't a complete solution.
This is a major path. Everything from recoloring the packets coming into your network to BCP38 to new tricks. But that is a different conversation.
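The mechanics behind the key-roll complaint in this thread, as an added example that is not code from the list post or from any vendor implementation: an RFC 2385 TCP-MD5 signature over a constructed BGP KEEPALIVE segment, and the trial-every-key verification a receiver has to do while a roll is in progress, because the MD5 option carries no key identifier (the key ID is one of the things draft-bonica-tcp-auth added). The peer addresses, keys and segment fields are constructed for the demo; the "segment length" in the pseudo-header is taken to be the TCP length including options, as for the TCP checksum, and the two-key-list receiver strategy is an assumption about how a roll window is handled, not a description of any particular router's code.

```python
"""RFC 2385 TCP-MD5 signing and key-roll verification (added example)."""
import hashlib
import hmac
import socket
import struct

TCP_PROTO = 6
MD5_OPT_KIND = 19   # TCP option kind for the MD5 signature option (RFC 2385)
MD5_OPT_LEN = 18    # kind(1) + length(1) + 16-byte digest


def build_tcp_fixed_header(sport, dport, seq, ack, flags, window, options_len):
    """20-byte TCP header, checksum and urgent pointer zeroed.
    Data offset counts 32-bit words of header plus options."""
    data_offset_words = (20 + options_len) // 4
    offset_flags = (data_offset_words << 12) | (flags & 0x1FF)
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       offset_flags, window, 0, 0)


def tcp_md5_digest(src_ip, dst_ip, fixed_header, options_len, payload, key):
    """MD5 per RFC 2385 section 2: pseudo-header, fixed header with
    options excluded and checksum assumed zero, segment data, then key."""
    tcp_len = len(fixed_header) + options_len + len(payload)   # assumption: TCP length incl. options
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, TCP_PROTO, tcp_len))
    hdr = fixed_header[:16] + b"\x00\x00" + fixed_header[18:]  # checksum field forced to zero
    h = hashlib.md5()
    for part in (pseudo, hdr, payload, key):
        h.update(part)
    return h.digest()


def sign_segment(src_ip, dst_ip, fixed_header, payload, key):
    """Return the options block: MD5 option plus two NOPs (kind 1) to keep
    the header 32-bit aligned. The digest never covers the options."""
    options_len = MD5_OPT_LEN + 2
    digest = tcp_md5_digest(src_ip, dst_ip, fixed_header, options_len, payload, key)
    return bytes([MD5_OPT_KIND, MD5_OPT_LEN]) + digest + b"\x01\x01"


def extract_md5_option(options):
    """Walk the TCP options and return the 16-byte digest from kind 19, or None."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:            # End of Option List
            return None
        if kind == 1:            # NOP
            i += 1
            continue
        if i + 1 >= len(options):
            return None
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            return None          # malformed option list: treat as unsigned
        if kind == MD5_OPT_KIND and length == MD5_OPT_LEN:
            return options[i + 2:i + length]
        i += length
    return None


def verify_segment(src_ip, dst_ip, fixed_header, options, payload, keys):
    """Return the index of the key that validates the segment, or None.
    With no key id in the option, the receiver must try each configured
    key; during a roll the list holds the outgoing and the incoming key."""
    received = extract_md5_option(options)
    if received is None:
        return None
    for idx, key in enumerate(keys):
        expected = tcp_md5_digest(src_ip, dst_ip, fixed_header,
                                  len(options), payload, key)
        if hmac.compare_digest(expected, received):
            return idx
    return None


# Constructed sample: a BGP KEEPALIVE (16-byte all-ones marker, length 19, type 4)
KEEPALIVE = b"\xff" * 16 + struct.pack("!HB", 19, 4)
PEER_A, PEER_B = "192.0.2.1", "192.0.2.2"          # RFC 5737 documentation addresses
OLD_KEY, NEW_KEY = b"old-bgp-secret", b"new-bgp-secret"   # constructed keys


def demo():
    """Sender already on the new key; receiver mid-roll with both configured."""
    hdr = build_tcp_fixed_header(179, 40000, 1000, 2000, 0x018, 65535, MD5_OPT_LEN + 2)
    options = sign_segment(PEER_A, PEER_B, hdr, KEEPALIVE, NEW_KEY)
    return verify_segment(PEER_A, PEER_B, hdr, options, KEEPALIVE, [OLD_KEY, NEW_KEY])


if __name__ == "__main__":
    print("matched key index:", demo())
```

The receiver only stays up through the roll because it tries the old key and then the new one; once the old key is removed from the list, any peer still sending with it drops, which is the operational window this thread is about. Note that the digest is independent of the checksum field, so the checksum is computed afterwards over the finished segment including the option.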