North American Network Operators Group

Re: key change for TCP-MD5
>>>> The added cost for CPU-bound systems is that they have to try
>>>> (potentially) multiple keys before getting the **right** key
>>>> but in real life this can be easily mitigated by having a rating
>>>> system on the key based on the frequency of success.
>>> This mitigates the effect of authenticating valid packets. However,
>>> this does not appear to help at all in terms of minimizing the DOS
>>> effect of an intentional DoS attack that uses authenticated packets
>>> (with the processing time required to check the keys the intended
>>> damage of the attack).
>> gstm
> this doesn't help if the vendor can't implement it
> correctly and does the md5 calc before checking the ttl :(

hard to imagine anything that will help such a vendor

randy
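
The check order argued over in this thread, as an added example that is not part of the original message or any vendor's code: the TTL test (GTSM, RFC 5082) runs before any MD5 work, and candidate keys are tried in order of past success. `Md5KeyRing`, `check`, `GTSM_MIN_TTL`, the sample keys and the simplified digest (segment bytes followed by the key, rather than the full RFC 2385 input) are assumptions made for illustration.

```python
import hashlib
import hmac

GTSM_MIN_TTL = 255  # assumption: single-hop peer that sends with TTL 255


class Md5KeyRing:
    """Receive-side check order for a session that holds several candidate keys."""

    def __init__(self, keys):
        self.hits = {key: 0 for key in keys}  # success count per key
        self.md5_calls = 0                    # digests computed so far

    def _digest(self, key, segment):
        # Simplified stand-in for the RFC 2385 digest: segment bytes, then key.
        self.md5_calls += 1
        return hashlib.md5(segment + key).digest()

    def check(self, ttl, segment, mac):
        # 1. TTL first: a packet that crossed a router costs no MD5 work.
        if ttl < GTSM_MIN_TTL:
            return "drop-ttl"
        # 2. Most-successful key first (stable sort keeps configured order on ties).
        for key in sorted(self.hits, key=self.hits.get, reverse=True):
            if hmac.compare_digest(self._digest(key, segment), mac):
                self.hits[key] += 1
                return "accept"
        return "drop-mac"


def demo():
    old_key, new_key = b"old-secret", b"new-secret"   # constructed sample keys
    ring = Md5KeyRing([old_key, new_key])
    seg = b"constructed BGP keepalive segment"
    good = hashlib.md5(seg + new_key).digest()        # peer already uses the new key
    results = [
        ring.check(255, seg, good),          # tries old, then new: 2 digests
        ring.check(255, seg, good),          # new key now ranked first: 1 digest
        ring.check(64, seg, b"\x00" * 16),   # low TTL: dropped with 0 digests
        ring.check(255, seg, b"\x00" * 16),  # TTL passes, bad MAC: every key tried
    ]
    return results, ring.md5_calls


if __name__ == "__main__":
    print(demo())
```

The last case is the one the quoted reply points at: success ranking shortens the path only for valid packets, so a bad-MAC packet that passes the TTL check still costs one digest per configured key.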