North American Network Operators Group


Re: key change for TCP-MD5

  • From: Todd Underwood
  • Date: Fri Jun 23 16:44:33 2006


On Fri, Jun 23, 2006 at 11:49:33AM -0700, Barry Greene (bgreene) wrote:
>
> Yes Jared - our software does the TTL after the MD5, but the hardware
> implementations do the check in hardware before the packet gets punted
> to the receive path. That is exactly where you need to do the
> classification to minimize DOS on a router - as close to the point where
> the optical-electrical-airwaves convert to an IP packet as possible.

i'm not that bright, so maybe i'm missing something, but i've heard
this claim from cisco people before and never understood it.

just to clarify:  you're saying that doing the (expensive) md5 check
before the (almost free) ttl check makes sense because that
*minimizes* the DOS vectors against a router?  can someone walk me
through the logic here using small words?  i am obviously not able to
follow this due to my distance from the
"optical-electrical-airwaves". 

t.


-- 
_____________________________________________________________________
todd underwood                                 +1 603 643 9300 x101
renesys corporation                            chief of operations & security 
[email protected]                               http://www.renesys.com/blog/todd.shtml
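An added illustration, not part of the thread and not any vendor's code, of the two orderings being argued about: a toy software receive path that verifies a TCP-MD5 signature built the way RFC 2385 specifies (MD5 over the pseudo-header, the fixed TCP header with checksum zeroed, the data and the shared key) and applies a GTSM-style TTL test (RFC 5082: a directly connected peer arrives with TTL 255), in either order, and counts how many MD5 digests each order computes under a spoofed flood. The addresses, ports, key, option layout and traffic mix are constructed for the example.

```python
# Added example (not from the thread, not vendor code): a toy receive path that
# checks a TCP-MD5 signature (RFC 2385) and a GTSM-style TTL (RFC 5082) in
# either order and counts the MD5 digests each order costs under a spoofed
# flood.  Addresses, key and traffic mix are constructed for the illustration.
import hashlib
import hmac
import socket
import struct
from collections import Counter
from dataclasses import dataclass

TCP_PROTO = 6
GTSM_TTL = 255                       # RFC 5082: adjacent peer arrives undecremented
MD5_OPT_KIND, MD5_OPT_LEN = 19, 18   # RFC 2385 option: kind, length, 16-byte digest


@dataclass
class Segment:
    src: str                         # IPv4 addresses as dotted quads
    dst: str
    ttl: int                         # IP TTL as seen on arrival
    sport: int
    dport: int
    seq: int
    ack: int
    flags: int
    window: int
    data: bytes = b""
    options: bytes = b""             # raw, padded TCP option bytes


def md5_option(digest: bytes) -> bytes:
    # kind 19, length 18, digest, then two NOPs to reach a 4-byte boundary
    return bytes([MD5_OPT_KIND, MD5_OPT_LEN]) + digest + b"\x01\x01"


def rfc2385_digest(seg: Segment, key: bytes) -> bytes:
    # MD5(pseudo-header || fixed TCP header with checksum zeroed || data || key).
    # Options are excluded, but the data offset and TCP length still count them.
    hdr_len = 20 + len(seg.options)
    tcp_len = hdr_len + len(seg.data)
    pseudo = (socket.inet_aton(seg.src) + socket.inet_aton(seg.dst)
              + struct.pack("!BBH", 0, TCP_PROTO, tcp_len))
    hdr = struct.pack("!HHIIBBHHH", seg.sport, seg.dport, seg.seq, seg.ack,
                      (hdr_len // 4) << 4, seg.flags, seg.window, 0, 0)
    return hashlib.md5(pseudo + hdr + seg.data + key).digest()


def sign(seg: Segment, key: bytes) -> Segment:
    seg.options = md5_option(bytes(16))          # placeholder so lengths are final
    seg.options = md5_option(rfc2385_digest(seg, key))
    return seg


def extract_md5_option(options: bytes):
    # Walk the option list; None if the kind-19 option is absent or malformed.
    i = 0
    while i < len(options) and options[i] != 0:   # kind 0 = end of options
        if options[i] == 1:                        # kind 1 = NOP, no length byte
            i += 1
            continue
        length = options[i + 1] if i + 1 < len(options) else 0
        if length < 2 or i + length > len(options):
            return None
        if options[i] == MD5_OPT_KIND and length == MD5_OPT_LEN:
            return options[i + 2:i + length]
        i += length
    return None


def md5_ok(seg: Segment, key: bytes, stats: Counter) -> bool:
    got = extract_md5_option(seg.options)
    if got is None:
        return False
    stats["md5_computed"] += 1                     # the expensive step
    return hmac.compare_digest(got, rfc2385_digest(seg, key))


def receive(seg: Segment, key: bytes, stats: Counter, ttl_first: bool) -> bool:
    # The two orderings under discussion; only the order of the list differs.
    checks = [("ttl", lambda: seg.ttl == GTSM_TTL),      # almost free
              ("md5", lambda: md5_ok(seg, key, stats))]  # one MD5 per segment
    for name, passed in (checks if ttl_first else reversed(checks)):
        if not passed():
            stats["dropped_" + name] += 1
            return False
    stats["accepted"] += 1
    return True


def simulate(ttl_first: bool, flood: int = 1000,
             key: bytes = b"constructed-secret") -> Counter:
    stats = Counter()
    # one genuine segment from the adjacent peer: TTL 255 and a correct signature
    receive(sign(Segment("192.0.2.1", "192.0.2.2", 255, 179, 40001, 1000, 2000,
                         0x18, 16384, b"\xff" * 16), key), key, stats, ttl_first)
    # spoofed flood from several hops away: bogus digest, TTL already decremented
    for n in range(flood):
        bogus = md5_option(hashlib.md5(b"junk%d" % n).digest())
        receive(Segment("192.0.2.1", "192.0.2.2", 250, 179, 40001, 1000 + n, 2000,
                        0x18, 16384, b"\xff" * 16, options=bogus), key, stats, ttl_first)
    return stats


if __name__ == "__main__":
    for order in (False, True):
        print("ttl_first=%s" % order, dict(simulate(order)))
```

Over a thousand spoofed segments, `simulate(ttl_first=False)` computes a digest for every one of them before the TTL is ever looked at, while `simulate(ttl_first=True)` computes exactly one digest, for the genuine segment, because the spoofed ones cannot arrive with TTL 255 from more than one hop away. The model only counts work in a software path; it says nothing about where in a forwarding ASIC either check can be placed, which is the point the quoted reply is making.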