North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

RE: key change for TCP-MD5

  • From: Barry Greene (bgreene)
  • Date: Sat Jun 24 05:53:35 2006
  • Authentication-results:; [email protected]; dkim=pass (sig from verified; );
  • Dkim-signature: a=rsa-sha1; q=dns; l=1440; t=1151142718; x=1152006718;c=relaxed/simple; s=sjdkim3001; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version;; [email protected]; z=From:=22Barry=20Greene=20\(bgreene\)=22=20<[email protected]>|Subject:RE=3A=20key=20change=20for=20TCP-MD5;; b=I5tg/ot+l70pz2aK8qxFiuxUy9AkmypYrm+uRhY2xE6MiaiDWZzPDUc7/srSezS0SLudaDeaE5QLgUjpQzoLbg/csRq6Ilz4iWEW7HH5MjVjDyJuE0/EVZj37WK1AS5N;

This "RFC1918 for control plane/management plane" technique is
vulnerable to a TCP reflection attack. The miscreants know about it. So
the assumption that the chance of a RFC 1918 packet reaching your router
being "zero" is not something an you should assume.

> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On 
> Behalf Of Iljitsch van Beijnum
> Sent: Friday, June 23, 2006 4:18 PM
> To: Owen DeLong
> Cc: NANOG list
> Subject: Re: key change for TCP-MD5
> On 24-jun-2006, at 0:43, Owen DeLong wrote:
> > Why couldn't the network device do an AH check in hardware before 
> > passing the packet to the receive path?  If you can get to a point 
> > where all connections or traffic TO the router should be AH, then, 
> > that will help with DOS.
> If you care that much, why don't you just add an extra 
> loopback address, give it an RFC 1918 address, have your peer 
> talk BGP towards that address and filter all packets towards 
> the actual interface address of the router?
> The chance of an attacker sending an RFC 1918 packet that 
> ends up at your router is close to zero and even though the 
> interface address still shows up in traceroutes etc it is 
> bullet proof because of the filters.
> (This works even better with IPv6 link local addresses, those 
> are guaranteed to be unroutable.)