nanog mailing list archives

RE: key change for TCP-MD5

From: Randy Bush <randy () psg com>
Date: Tue, 20 Jun 2006 17:18:20 -0700

The added cost for CPU-bound systems is that they have to try
(potentially) multiple keys before getting the **right** key
but in real life this can be easily mitigated by having a rating
system on the key based on the frequency of success.


This mitigates the effect of authenticating valid packets. However,
this does not appear to help at all in terms of minimizing the DOS
effect of an intentional DoS attack that uses authenticated packets
(with the processing time required to check the keys the intended
damage of the attack).


gstm

Current thread:

Re: key change for TCP-MD5, (continued)
- - - Re: key change for TCP-MD5 Iljitsch van Beijnum (Jun 20)
    - Re: key change for TCP-MD5 Crist Clark (Jun 20)
    - Re: key change for TCP-MD5 Valdis . Kletnieks (Jun 20)
  - RE: key change for TCP-MD5 Randy Bush (Jun 20)
- RE: key change for TCP-MD5 Ross Callon (Jun 20)
  - Re: key change for TCP-MD5 Richard A Steenbergen (Jun 20)
    - Re: key change for TCP-MD5 Warren Kumari (Jun 20)
    - Re: key change for TCP-MD5 Randy Bush (Jun 20)
    - Re: key change for TCP-MD5 Ross Callon (Jun 21)
    - Re: key change for TCP-MD5 David Barak (Jun 21)
  - RE: key change for TCP-MD5 Randy Bush (Jun 20)
    - Re: key change for TCP-MD5 Jared Mauch (Jun 21)
    - Re: key change for TCP-MD5 Randy Bush (Jun 21)
  - Re: key change for TCP-MD5 Steven M. Bellovin (Jun 26)
- RE: key change for TCP-MD5 Bora Akyol (Jun 20)
- RE: key change for TCP-MD5 Ross Callon (Jun 21)
  - RE: key change for TCP-MD5 Randy Bush (Jun 21)
  - Re: key change for TCP-MD5 Iljitsch van Beijnum (Jun 21)
    - Re: key change for TCP-MD5 Niels Bakker (Jun 25)
    - Re: key change for TCP-MD5 Iljitsch van Beijnum (Jun 26)
- RE: key change for TCP-MD5 Bora Akyol (Jun 21)

(Thread continues...)