Re: TCP/BGP vulnerability - easier than you think

[Paul Jakma <paul () clubi ie>]

On Thu, 22 Apr 2004, Iljitsch van Beijnum wrote:

> Unless I was really sleep-typing I didn't say anything about IPsec,
> just about "crypto", which as far as I'm concerned includes MD5,
> which we were talking about.

Ah, ok. I thought you were referring specifically to MD5.

> As Crist Clark just pointed out: the presence of the SPI and replay
> counter actually makes it harder to do a crypto DoS against IPsec
> than the TCP MD5 option (assuming the traffic can't be sniffed).

Aye, IPSec should be slightly harder to attack.
 
> Another advantage of IPsec is that it allows for key changes in a
> sane way. I'm not sure I'd want my routers to run IKE, though.

:)
 
> However, note that even a relatively light-weight check such as an
> HMAC-MD5 can blow away a typical router CPU at orders of magnitude
> below line rate, so it is essential that attackers don't get to
> bypass the non-crypto checks for than a tiny fraction of the
> packets they spoof.

True. Six of one, half-dozen of the other really. If your peering
sessions are that important though, you can easily afford the crypto
accelerator board, or otherwise decent router (eg a J) wrt CPU power.

regards,
-- 
Paul Jakma      paul () clubi ie        paul () jakma org       Key ID: 64A2FF6A
        warning: do not ever send email to spam () dishone st
Fortune:
Only great masters of style can succeed in being obtuse.
                -- Oscar Wilde

Most UNIX programmers are great masters of style.
                -- The Unnamed Usenetter