North American Network Operators Group
Re: key change for TCP-MD5
On Tue, Jun 20, 2006 at 05:18:20PM -0700, Randy Bush wrote:
> >> The added cost for CPU-bound systems is that they have to try
> >> (potentially) multiple keys before getting the **right** key
> >> but in real life this can be easily mitigated by having a rating
> >> system on the key based on the frequency of success.
> >
> > This mitigates the effect of authenticating valid packets. However,
> > this does not appear to help at all in terms of minimizing the DOS
> > effect of an intentional DoS attack that uses authenticated packets
> > (with the processing time required to check the keys the intended
> > damage of the attack).
>
> gstm

this doesn't help if the vendor can't implement it correctly and does the md5 calc before checking the ttl :(

- jared

--
Jared Mauch | pgp key available via finger from [email protected]
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
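The ordering issue raised in this message, as an added example that is not part of the original post or any vendor's code: it counts MD5 computations for a receiver holding two rollover keys, tried in order of past successes, with the TTL check placed before or after the digest check. The keys, packet contents, TTL values and the simplified digest (MD5 over segment then key) are constructed assumptions.

```python
import hashlib
import hmac

GTSM_TTL = 255  # GTSM: a directly connected peer's packets arrive with TTL 255

class KeyRing:
    """Rollover key set, tried in order of past successes (the 'rating system')."""

    def __init__(self, keys):
        self.hits = {k: 0 for k in keys}
        self.md5_calls = 0

    def verify(self, segment, mac):
        for key in sorted(self.hits, key=self.hits.get, reverse=True):
            self.md5_calls += 1
            # Simplified stand-in for the TCP-MD5 digest: MD5 over segment then key.
            if hmac.compare_digest(hashlib.md5(segment + key).digest(), mac):
                self.hits[key] += 1
                return True
        return False

def accept(ring, ttl, segment, mac, ttl_first):
    if ttl_first and ttl != GTSM_TTL:
        return False  # dropped before any hashing
    ok = ring.verify(segment, mac)  # the flawed ordering hashes every packet
    return ok and ttl == GTSM_TTL

def md5_cost(ttl_first):
    """Return (accepted, md5_calls) for constructed traffic."""
    old, new = b"old-key", b"new-key"  # constructed keys
    ring = KeyRing([old, new])
    accepted = 0
    for i in range(100):  # valid peer, already using the new key
        seg = b"update-%d" % i
        accepted += accept(ring, 255, seg, hashlib.md5(seg + new).digest(), ttl_first)
    for i in range(1000):  # spoofed flood from several hops away, bogus digest
        accepted += accept(ring, 240, b"junk-%d" % i, bytes(16), ttl_first)
    return accepted, ring.md5_calls

if __name__ == "__main__":
    print("TTL first:", md5_cost(True))
    print("MD5 first:", md5_cost(False))
```

Both orderings accept the same 100 valid segments; the key rating keeps the valid traffic near one digest per packet, while the spoofed packets cost one digest per configured key unless the TTL check runs first.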