North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: key change for TCP-MD5

  • From: Roland Dobbins
  • Date: Fri Jun 23 18:06:54 2006
  • Authentication-results:; [email protected]; dkim=pass (sig from verified; );
  • Dkim-signature: a=rsa-sha1; q=dns; l=807; t=1151100345; x=1151964345;c=relaxed/simple; s=sjdkim8001; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version;; [email protected]; z=From:Roland=20Dobbins=20<[email protected]>|Subject:Re=3A=20key=20change=20for=20TCP-MD5;; b=WMpHaWnx7V3CZE3MvZa/xMDQGbG4//ie3p2Jv5zTput5fS9BWdOUw+2vaIe9JjuN29Odt8dc10ctXK3m8VlB82G3V8AyzwyUgOBLuW8AFYFRZvvxXISFQXhkrU1HcGny;

On Jun 23, 2006, at 2:02 PM, Bora Akyol wrote:

If your IPSEC is being done in hardware and you have appropriate QoS
mechanisms in your network, you will probably not be able to pass your best effort
traffic but the rest should be OK.
Unless the DoS is within the IPSEC tunnel and crowds out the good traffic.


Your original post seemed to imply that IPSEC is an anti-DoS mechanism, as does the statement 'If you pay attention to detail, it does help.' IPSEC is not an anti-DoS mechanism at all, it's important to be clear about that.

Roland Dobbins <[email protected]> // 408.527.6376 voice

Everything has been said. But nobody listens.

-- Roger Shattuck