nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: key change for TCP-MD5

From: Richard A Steenbergen <ras () e-gerbil net>
Date: Fri, 23 Jun 2006 17:10:59 -0400

On Fri, Jun 23, 2006 at 05:01:00PM -0400, Richard A Steenbergen wrote:


Obviously in a perfect world, you don't want to do the expensive MD5 check 
anywhere sooner than the last possible moment before you declare the data 
valid and add it to the socket buffer. I assume that the reason they can't 
do the check sooner in software is they lack a mechanism to tell the IP or 
even TCP input code "we want to discard these packets if they are less 
than TTL x". They probably can't make that decision until the packet gets 
validated by TCP and makes it all the way to BGP code.


Actually I take that back, it should be easy enough to configure a minimum 
TTL requirement on the TCB through a socket interface. Obviously they're 
doing something to pass the IP TTL data outside of its normal in_input() 
function (or whatever passes for such on IOS), so if you've got that data 
avilable in the tcp_input() code you should be able to do the check after 
you find your TCB but before the MD5 check, yes?

Since there hasn't been an IOS source code leak in a while, does someone 
from Cisco who actually knows how this is implemented want to comment so 
we can stop guessing? :)

-- 
Richard A Steenbergen <ras () e-gerbil net>       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
Previous By Date Next
Previous By Thread Next

Current thread: