North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: key change for TCP-MD5

  • From: Richard A Steenbergen
  • Date: Tue Jun 20 19:30:55 2006

On Tue, Jun 20, 2006 at 05:06:27PM -0400, Ross Callon wrote:
> DoS against routers is of course a major concern. Using
> encryption has the potential of making DoS worse, in the
> sense that the amount of processing that a bogus packet
> can cause is increased by the amount of processing
> needed to check the authentication. If the router needs to
> check multiple keys in the keychain before declaring the
> segment as invalid, then this multiplies the effect of the
> DOS by the number of keys that need to be checked.

I'd still like someone to explain why we're wasting man hours, CPU time, 
filling up our router logs, and potentially making DoS easier, for an 
attack that doesn't exist. After that, I'd like them to explain why we 
need to devote more resources to protecting against the attack that 
already doesn't exist, and that is already protected against just fine 
even if it were to exist.

Of course any not completely insane implementation should be checking for 
a valid TCP window range (or an existing TCB for that matter) before 
wasting CPU time on an MD5 calculation. It's just not possible in reality 
for any sufficiently large number of packets to get through those check to 
then be affected by an MD5 DoS (unless of course you're peering with 7018, 
and the NSA has an extra copy of your packets laying around).

We already collectively wasted our time deploying MD5 passwords over a big 
scare that turned out to be nothing more than someone cracking open the 
manual and rediscovering how stuff worked all along. Why don't we spend 
our time going forward solving actual issues like filtering/announcement 
authentication, and stop trying to solve the non-existant problems.

Richard A Steenbergen <[email protected]>
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)