North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: key change for TCP-MD5

  • From: Richard A Steenbergen
  • Date: Fri Jun 23 17:12:09 2006

On Fri, Jun 23, 2006 at 05:01:00PM -0400, Richard A Steenbergen wrote:
> Obviously in a perfect world, you don't want to do the expensive MD5 check 
> anywhere sooner than the last possible moment before you declare the data 
> valid and add it to the socket buffer. I assume that the reason they can't 
> do the check sooner in software is they lack a mechanism to tell the IP or 
> even TCP input code "we want to discard these packets if they are less 
> than TTL x". They probably can't make that decision until the packet gets 
> validated by TCP and makes it all the way to BGP code.

Actually I take that back, it should be easy enough to configure a minimum 
TTL requirement on the TCB through a socket interface. Obviously they're 
doing something to pass the IP TTL data outside of its normal in_input() 
function (or whatever passes for such on IOS), so if you've got that data 
avilable in the tcp_input() code you should be able to do the check after 
you find your TCB but before the MD5 check, yes?

Since there hasn't been an IOS source code leak in a while, does someone 
from Cisco who actually knows how this is implemented want to comment so 
we can stop guessing? :)

Richard A Steenbergen <[email protected]>
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)