North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: key change for TCP-MD5

  • From: Todd Underwood
  • Date: Fri Jun 23 16:44:33 2006

On Fri, Jun 23, 2006 at 11:49:33AM -0700, Barry Greene (bgreene) wrote:
> Yes Jared - our software does the TTL after the MD5, but the hardware
> implementations does the check in hardware before the packet gets punted
> to the receive path. That is exactly where you need to do the
> classification to minimize DOS on a router - as close to the point where
> the optical-electrical-airwaves convert to a IP packet as possible.

i'm not that bright, so maybe i'm missing something, but i've heard
this claim from cisco people before and never understood it.

just to clarify:  you're saying that doing the (expensive) md5 check
before the (almost free) ttl check makes sense because that
*minimizes* the DOS vectors against a router?  can someone walk me
through the logic here using small words?  i am obviously not able to
follow this due to my distance from the


todd underwood                                 +1 603 643 9300 x101
renesys corporation                            chief of operations & security 
[email protected]