Re: key change for TCP-MD5

• From: Patrick W. Gilmore
• Date: Fri Jun 23 19:35:46 2006

On Jun 23, 2006, at 7:17 PM, Iljitsch van Beijnum wrote:

On 24-jun-2006, at 0:43, Owen DeLong wrote:

Why couldn't the network device do an AH check in hardware before passing
the
packet to the receive path? If you can get to a point where all connections
or traffic TO the router should be AH, then, that will help with DOS.

If you care that much, why don't you just add an extra loopback address, give it an RFC 1918 address, have your peer talk BGP towards that address and filter all packets towards the actual interface address of the router?

The chance of an attacker sending an RFC 1918 packet that ends up at your router is close to zero and even though the interface address still shows up in traceroutes etc it is bullet proof because of the filters.

• Follow-Ups:
  • Re: key change for TCP-MD5 Iljitsch van Beijnum

• References:
  • RE: key change for TCP-MD5 Owen DeLong
  • Re: key change for TCP-MD5 Iljitsch van Beijnum

• Prev by Date: Re: key change for TCP-MD5
• Next by Date: Re: Who wants to be in charge of the Internet today?
• Date Index
• Thread Index
• Author Index
• Historical