nanog mailing list archives

Re: key change for TCP-MD5


From: Todd Underwood <todd-nanog () renesys com>
Date: Fri, 23 Jun 2006 16:43:29 -0400




On Fri, Jun 23, 2006 at 11:49:33AM -0700, Barry Greene (bgreene) wrote:

> Yes Jared - our software does the TTL after the MD5, but the hardware
> implementations do the check in hardware before the packet gets punted
> to the receive path. That is exactly where you need to do the
> classification to minimize DOS on a router - as close to the point where
> the optical-electrical-airwaves convert to an IP packet as possible.

i'm not that bright, so maybe i'm missing something, but i've heard
this claim from cisco people before and never understood it.

just to clarify:  you're saying that doing the (expensive) md5 check
before the (almost free) ttl check makes sense because that
*minimizes* the DOS vectors against a router?  can someone walk me
through the logic here using small words?  i am obviously not able to
follow this due to my distance from the
"optical-electrical-airwaves". 

t.


-- 
_____________________________________________________________________
todd underwood                                 +1 603 643 9300 x101
renesys corporation                            chief of operations & security 
todd () renesys com                               http://www.renesys.com/blog/todd.shtml

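The ordering question in this exchange (cheap TTL/GTSM check before or after the expensive TCP-MD5 check) can be made concrete with a small receive-path simulation. The following is an added example, not code from the thread or from any vendor; it models a router's BGP receive path as a chain of checks and counts how many MD5 computations each ordering performs on the same constructed traffic mix. The digest is a simplified RFC 2385-style MD5 over a few header fields plus the key, not the exact wire format, and the addresses, key and packet counts are constructed.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

# Constructed demo values, not real operational secrets or addresses.
SHARED_KEY = b"constructed-demo-key"
EXPECTED_TTL = 255  # GTSM (RFC 5082): a directly connected peer arrives with TTL 255


@dataclass
class Segment:
    src: str
    dst: str
    ttl: int
    seq: int
    payload: bytes
    digest: bytes = b""


def tcp_md5_digest(seg: Segment, key: bytes) -> bytes:
    """Simplified TCP-MD5: MD5 over addresses, sequence number, payload and key.
    RFC 2385 covers the full pseudo-header and TCP header; this keeps the shape."""
    h = hashlib.md5()
    h.update(seg.src.encode())
    h.update(seg.dst.encode())
    h.update(struct.pack("!I", seg.seq))
    h.update(seg.payload)
    h.update(key)
    return h.digest()


@dataclass
class Counters:
    md5_checks: int = 0   # how many times the expensive digest was computed
    accepted: int = 0
    dropped_ttl: int = 0
    dropped_md5: int = 0


def ttl_check(seg: Segment, c: Counters) -> bool:
    """Almost free: a single integer compare on the IP header."""
    if seg.ttl != EXPECTED_TTL:
        c.dropped_ttl += 1
        return False
    return True


def md5_check(seg: Segment, c: Counters) -> bool:
    """Expensive: recompute the digest over the whole segment, then compare."""
    c.md5_checks += 1
    if not hmac.compare_digest(seg.digest, tcp_md5_digest(seg, SHARED_KEY)):
        c.dropped_md5 += 1
        return False
    return True


def receive_path(segments, order) -> Counters:
    """Run each segment through the checks in the given order; stop at the first failure."""
    c = Counters()
    for seg in segments:
        if all(check(seg, c) for check in order):
            c.accepted += 1
    return c


def build_traffic():
    """Constructed mix: 3 legitimate keyed segments from the adjacent peer,
    plus 1000 spoofed segments from several hops away carrying garbage digests."""
    legit = []
    for i in range(3):
        s = Segment("192.0.2.1", "192.0.2.2", 255, 1000 + i, b"BGP KEEPALIVE")
        s.digest = tcp_md5_digest(s, SHARED_KEY)
        legit.append(s)
    spoofed = [
        Segment("198.51.100.9", "192.0.2.2", 240, 5000 + i, b"junk", b"\x00" * 16)
        for i in range(1000)
    ]
    return legit + spoofed


def demo() -> dict:
    traffic = build_traffic()
    return {
        "ttl_first": receive_path(traffic, (ttl_check, md5_check)),
        "md5_first": receive_path(traffic, (md5_check, ttl_check)),
    }


if __name__ == "__main__":
    for name, c in demo().items():
        print(f"{name}: {c}")
```

With the TTL check first, the 1000 spoofed segments are discarded on an integer compare and only the 3 legitimate segments ever reach the digest computation; with MD5 first, every spoofed segment costs a full digest before it is dropped, which is the DoS exposure Barry's hardware-first placement is meant to avoid. The TTL check is only a pre-filter: a host on the directly attached link can send TTL 255, so the MD5 check still has to run on whatever survives it.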
