nanog mailing list archives
Re: key change for TCP-MD5
From: Richard A Steenbergen <ras () e-gerbil net>
Date: Fri, 23 Jun 2006 17:10:59 -0400
On Fri, Jun 23, 2006 at 05:01:00PM -0400, Richard A Steenbergen wrote:
Obviously in a perfect world, you don't want to do the expensive MD5 check anywhere sooner than the last possible moment before you declare the data valid and add it to the socket buffer. I assume that the reason they can't do the check sooner in software is they lack a mechanism to tell the IP or even TCP input code "we want to discard these packets if they are less than TTL x". They probably can't make that decision until the packet gets validated by TCP and makes it all the way to BGP code.
Actually I take that back, it should be easy enough to configure a minimum TTL requirement on the TCB through a socket interface. Obviously they're doing something to pass the IP TTL data outside of its normal in_input() function (or whatever passes for such on IOS), so if you've got that data avilable in the tcp_input() code you should be able to do the check after you find your TCB but before the MD5 check, yes? Since there hasn't been an IOS source code leak in a while, does someone from Cisco who actually knows how this is implemented want to comment so we can stop guessing? :) -- Richard A Steenbergen <ras () e-gerbil net> http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
Current thread:
- Re: key change for TCP-MD5, (continued)
- Re: key change for TCP-MD5 Iljitsch van Beijnum (Jun 21)
- Re: key change for TCP-MD5 Niels Bakker (Jun 25)
- Re: key change for TCP-MD5 Iljitsch van Beijnum (Jun 26)
- Re: key change for TCP-MD5 Iljitsch van Beijnum (Jun 21)
- RE: key change for TCP-MD5 Bora Akyol (Jun 21)
- RE: key change for TCP-MD5 Randy Bush (Jun 21)
- Re: key change for TCP-MD5 Richard A Steenbergen (Jun 21)
- backbone threats [Re: key change for TCP-MD5] Pekka Savola (Jun 26)
- RE: key change for TCP-MD5 Randy Bush (Jun 21)
- Re: key change for TCP-MD5 Todd Underwood (Jun 23)
- Re: key change for TCP-MD5 Richard A Steenbergen (Jun 23)
- Re: key change for TCP-MD5 Richard A Steenbergen (Jun 23)
- Re: key change for TCP-MD5 Iljitsch van Beijnum (Jun 23)
- Re: key change for TCP-MD5 Patrick W. Gilmore (Jun 23)
- Re: key change for TCP-MD5 Iljitsch van Beijnum (Jun 24)
- Re: key change for TCP-MD5 Valdis . Kletnieks (Jun 23)
- Re: key change for TCP-MD5 Roland Dobbins (Jun 23)