nanog mailing list archives
Re: TCP/BGP vulnerability - easier than you think
From: Iljitsch van Beijnum <iljitsch () muada com>
Date: Wed, 21 Apr 2004 21:47:22 +0200
On 21-apr-04, at 21:17, Paul Jakma wrote:
>> I'm not recommending this for "small" peers as the crypto DoS risk is worse than what happens when the attack is executed successfully.

> Why would MD5 be more of a crypto DoS risk with IPSec AH headers than with bgp tcp-md5?
Beats me. But why do you bring up IPsec?

Anyway, what needs to happen is a form of crypto where the expensive algorithms are only executed for good packets and not for all packets.

For instance, in addition to the regular MD5 checksum we also include a checksum of part of the sequence number and the/a password. Since we know what sequence numbers to expect, we can calculate these additional checksums beforehand so the only thing that needs to happen for each (possibly spoofed) packet is checking whether it contains the right sequence-number-derived checksum. If it does, we know that the packet came from the actual peer so we proceed to check the MD5 checksum to make sure the data wasn't modified in transit.
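The two-stage check proposed in the message above, sketched as an added example that is not part of the original post. The tag length, the choice of the upper 20 bits as "part of the sequence number", the segment layout and all names are assumptions; sequence wraparound and window sliding are left out.

```python
import hashlib
import hmac

TAG_LEN = 4       # assumed size of the cheap tag in bytes (the post gives none)
BLOCK_SHIFT = 12  # assumed: "part of the sequence number" = its upper 20 bits

def seq_tag(password: bytes, seq: int) -> bytes:
    """Checksum over part of the sequence number and the password."""
    block = (seq & 0xFFFFFFFF) >> BLOCK_SHIFT
    return hashlib.md5(block.to_bytes(4, "big") + password).digest()[:TAG_LEN]

def full_digest(password: bytes, seq: int, payload: bytes) -> bytes:
    """Simplified stand-in for the regular per-segment MD5 checksum."""
    return hashlib.md5(seq.to_bytes(4, "big") + payload + password).digest()

def make_segment(password: bytes, seq: int, payload: bytes) -> tuple:
    """Sender side: attach both checksums to the segment."""
    return seq, seq_tag(password, seq), full_digest(password, seq, payload), payload

class Receiver:
    def __init__(self, password: bytes, next_seq: int, window: int):
        self.password = password
        self.full_checks = 0  # how many times the expensive path ran
        # Precompute tags for every block the receive window can touch.
        first = next_seq >> BLOCK_SHIFT
        last = (next_seq + window - 1) >> BLOCK_SHIFT
        self.expected = {b: seq_tag(password, b << BLOCK_SHIFT)
                         for b in range(first, last + 1)}

    def accept(self, segment: tuple) -> bool:
        seq, tag, digest, payload = segment
        # Stage 1: table lookup and byte compare only, no hashing per packet.
        want = self.expected.get(seq >> BLOCK_SHIFT)
        if want is None or not hmac.compare_digest(want, tag):
            return False
        # Stage 2: the tag matched, so spend the full MD5 on this segment.
        self.full_checks += 1
        return hmac.compare_digest(
            full_digest(self.password, seq, payload), digest)
```

The `full_checks` counter makes the point measurable: segments with a wrong tag or an out-of-window sequence number are dropped without any hashing, and only a segment carrying the right tag costs a full MD5.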