North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

RE: key change for TCP-MD5

  • From: Barry Greene (bgreene)
  • Date: Fri Jun 23 14:50:47 2006
  • Authentication-results:; [email protected]; dkim=pass (sig from verified; );
  • Dkim-signature: a=rsa-sha1; q=dns; l=1626; t=1151088574; x=1151952574;c=relaxed/simple; s=sjdkim4001; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version;; [email protected]; z=From:=22Barry=20Greene=20\(bgreene\)=22=20<[email protected]>|Subject:RE=3A=20key=20change=20for=20TCP-MD5;; b=dZTTacvyoY0KA4wvQEOH3WgZFDOqrwD9d3PKKTrzdEXrq6Df1R4pBNLpr2q8ze07PSuMERVA5VGGellAfB21OAjPvIYSvPgG9uLN9sCMD1k2ewHKZ1I5ek6KFLmU6jeq;


> If DOS is such a large concern, IPSEC to an extent can be 
> used to mitigate against it. And IKEv1/v2 with IPSEC is not 
> the horribly inefficient mechanism it is made out to be. In 
> practice, it is quite easy to use.

IPSEC does nothing to protect a network device from a DOS attack. You
know that.

DOS prevention on a network device needs to happen before the TCP/Packet
termination - not the Key/MD5/IPSEC stage. The signing or encrypting of
the BGP message protects against Man in the Middle and replay attacks -
not DOS attacks. Once a bad packet gets terminated, your DOS stress on
the router kicks in (especially on ASIC/NP routers). The few extra CPU
cycles it takes for walking through keys or IPSEC decrypt are irrelevant
to the router's POV. You SOL if a miscreant can get a packet through
your classification & queuing protections on the router and have it

The key to DOS mitigation on a network device is to have many fields in
the packet to classify as possible before the TCP/Packet termination.
The more you have to classify on, the more granular you can construct
your policy. This is one of the reasons for GTSM - which adds one more
field (the IP packet's TTL) to the classification options. 

Yes Jared - our software does the TTL after the MD5, but the hardware
implementations does the check in hardware before the packet gets punted
to the receive path. That is exactly where you need to do the
classification to minimize DOS on a router - as close to the point where
the optical-electrical-airwaves convert to a IP packet as possible.