nanog mailing list archives
Re: key change for TCP-MD5
From: Niels Bakker <niels=nanog () bakker net>
Date: Mon, 26 Jun 2006 02:06:08 +0200
* iljitsch () muada com (Iljitsch van Beijnum) [Wed 21 Jun 2006, 19:05 CEST]:
The reason IPsec helps against a DoS against the CPU is that it has an anti replay counter. IPsec implementations are supposed to maintain a window, not unlike a TCP window, that allows them to reject packets with an anti replay counter that's too far behind or ahead of the last seen packets. So in order to make a packet reach the CPU an attacker has to observe or guess an acceptable value for the anti replay counter.
Actually, no. In a router you can easily filter away all IP packets not destined to port 25 to a certain host (for, say, a mail server). However, if those packets are IPsec encrypted, these TCP headers are unavailable to routers in the path. I do not expect a complete IPsec
implementation in the filtering engines of routers, nor that they beable to keep track of window sizes in specific conversations (after all, they don't get to see RST packets either).
Web servers generally do not come with hardware-based filtering capabilities to protect "the CPU."
-- Niels.
Current thread:
- Re: key change for TCP-MD5, (continued)
- Re: key change for TCP-MD5 Ross Callon (Jun 21)
- Re: key change for TCP-MD5 David Barak (Jun 21)
- RE: key change for TCP-MD5 Randy Bush (Jun 20)
- Re: key change for TCP-MD5 Jared Mauch (Jun 21)
- Re: key change for TCP-MD5 Randy Bush (Jun 21)
- Re: key change for TCP-MD5 Steven M. Bellovin (Jun 26)
- RE: key change for TCP-MD5 Randy Bush (Jun 21)
- Re: key change for TCP-MD5 Iljitsch van Beijnum (Jun 21)
- Re: key change for TCP-MD5 Niels Bakker (Jun 25)
- Re: key change for TCP-MD5 Iljitsch van Beijnum (Jun 26)
- RE: key change for TCP-MD5 Randy Bush (Jun 21)
- Re: key change for TCP-MD5 Richard A Steenbergen (Jun 21)
- backbone threats [Re: key change for TCP-MD5] Pekka Savola (Jun 26)
- Re: key change for TCP-MD5 Todd Underwood (Jun 23)
- Re: key change for TCP-MD5 Richard A Steenbergen (Jun 23)
- Re: key change for TCP-MD5 Richard A Steenbergen (Jun 23)