North American Network Operators Group

Re: TCP/BGP vulnerability - easier than you think
On Thu, 22 Apr 2004, Iljitsch van Beijnum wrote:

> Unless I was really sleep-typing I didn't say anything about IPsec,
> just about "crypto", which as far as I'm concerned includes MD5,
> which we were talking about.

Ah, ok. I thought you were referring specifically to MD5.

> As Crist Clark just pointed out: the presence of the SPI and replay
> counter actually makes it harder to do a crypto DoS against IPsec
> than the TCP MD5 option (assuming the traffic can't be sniffed).

Aye, IPsec should be slightly harder to attack.

> Another advantage of IPsec is that it allows for key changes in a
> sane way.

I'm not sure I'd want my routers to run IKE, though. :)

> However, note that even a relatively light-weight check such as an
> HMAC-MD5 can blow away a typical router CPU at orders of magnitude
> below line rate, so it is essential that attackers don't get to
> bypass the non-crypto checks for more than a tiny fraction of the
> packets they spoof.

True. Six of one, half a dozen of the other, really. If your peering sessions are that important, though, you can easily afford the crypto accelerator board, or an otherwise decent router (e.g. a J) wrt CPU power.

regards,
--
Paul Jakma [email protected] [email protected] Key ID: 64A2FF6A
warning: do not ever send email to [email protected]
Fortune:
Only great masters of style can succeed in being obtuse. -- Oscar Wilde
Most UNIX programmers are great masters of style. -- The Unnamed Usenetter
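The CPU-cost point in the quoted paragraph, as an added illustration that is not code from the list thread or from any router vendor: a simplified model of an ESP-style receive path (SPI lookup plus an RFC 4303 style 64-entry anti-replay window, both non-crypto) beside a TCP-MD5-style path that runs the keyed hash on every segment. The SA table, packet layout and traffic are constructed for the example, and the same HMAC-MD5 stands in for both options' hashes since only how often it runs matters here.

```python
import hmac
import hashlib
from dataclasses import dataclass

WINDOW = 64  # anti-replay window size, as in RFC 4303's minimum recommendation

@dataclass
class Sa:
    """Constructed, minimal security association: SPI, key, replay state."""
    spi: int
    key: bytes
    highest_seq: int = 0
    bitmap: int = 0   # bit i set => (highest_seq - i) already received

def replay_ok(sa, seq):
    """Sliding-window anti-replay check; costs a subtraction and a bit test, no crypto."""
    if seq > sa.highest_seq:
        return True                      # newer than anything seen: candidate
    diff = sa.highest_seq - seq
    if diff >= WINDOW:
        return False                     # too old to be tracked: drop
    return not (sa.bitmap >> diff) & 1   # inside window: drop if already seen

def replay_update(sa, seq):
    """Advance the window only after the packet has authenticated."""
    if seq > sa.highest_seq:
        sa.bitmap = ((sa.bitmap << (seq - sa.highest_seq)) | 1) & ((1 << WINDOW) - 1)
        sa.highest_seq = seq
    else:
        sa.bitmap |= 1 << (sa.highest_seq - seq)

def mac(key, spi, seq, payload):
    """Stand-in keyed hash (HMAC-MD5) over the fields the receiver checks."""
    return hmac.new(key, spi.to_bytes(4, "big") + seq.to_bytes(4, "big") + payload,
                    hashlib.md5).digest()

def receive_esp(sas, packets):
    """ESP-style path. Returns (accepted, hmac_runs); packets are (spi, seq, payload, tag)."""
    accepted = hmac_runs = 0
    for spi, seq, payload, tag in packets:
        sa = sas.get(spi)
        if sa is None or not replay_ok(sa, seq):
            continue                     # dropped before the expensive hash
        hmac_runs += 1
        if hmac.compare_digest(mac(sa.key, spi, seq, payload), tag):
            replay_update(sa, seq)
            accepted += 1
    return accepted, hmac_runs

def receive_tcp_md5(key, packets):
    """TCP-MD5-style path: no SPI or replay filter, so every segment costs one hash."""
    accepted = hmac_runs = 0
    for spi, seq, payload, tag in packets:
        hmac_runs += 1
        if hmac.compare_digest(mac(key, spi, seq, payload), tag):
            accepted += 1
    return accepted, hmac_runs

def demo(spoofed=1000):
    """Constructed traffic: 3 genuine packets plus `spoofed` forgeries with a guessed SPI."""
    key = b"constructed-shared-secret"
    sas = {0x1001: Sa(spi=0x1001, key=key)}
    legit = [(0x1001, s, b"KEEPALIVE", mac(key, 0x1001, s, b"KEEPALIVE")) for s in (1, 2, 3)]
    spoof = [(0x2002, i, b"RST", b"\0" * 16) for i in range(spoofed)]  # cannot sniff the SPI
    return receive_esp(sas, legit + spoof), receive_tcp_md5(key, legit + spoof)
```

With 1000 forgeries, the ESP-style path runs the hash 3 times and the TCP-MD5-style path 1003 times, which is the gap the thread is describing; once an attacker can sniff the SPI and current sequence numbers the window no longer filters for free.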