North American Network Operators Group


RE: key change for TCP-MD5

  • From: Barry Greene (bgreene)
  • Date: Sat Jun 24 05:53:35 2006

This "RFC1918 for control plane/management plane" technique is
vulnerable to a TCP reflection attack. The miscreants know about it. So
the chance of an RFC 1918 packet reaching your router being "zero" is
not something you should assume.

> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On 
> Behalf Of Iljitsch van Beijnum
> Sent: Friday, June 23, 2006 4:18 PM
> To: Owen DeLong
> Cc: NANOG list
> Subject: Re: key change for TCP-MD5
> 
> 
> On 24-jun-2006, at 0:43, Owen DeLong wrote:
> 
> > Why couldn't the network device do an AH check in hardware before 
> > passing the packet to the receive path?  If you can get to a point 
> > where all connections or traffic TO the router should be AH, then, 
> > that will help with DOS.
> 
> If you care that much, why don't you just add an extra 
> loopback address, give it an RFC 1918 address, have your peer 
> talk BGP towards that address and filter all packets towards 
> the actual interface address of the router?
> 
> The chance of an attacker sending an RFC 1918 packet that 
> ends up at your router is close to zero and even though the 
> interface address still shows up in traceroutes etc it is 
> bullet proof because of the filters.
> 
> (This works even better with IPv6 link local addresses, those 
> are guaranteed to be unroutable.)
>
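The reflection path Barry is pointing at, modelled as an added example (this is not code from the thread or from any vendor). The topology, addresses and port numbers are constructed: our router has a public interface address and an RFC 1918 loopback, the peer's BGP speaker sits on its own RFC 1918 loopback, the edge drops RFC 1918 sources and destinations coming from the Internet, and the receive filter permits only peer-loopback-to-our-loopback BGP. The attacker's spoofed SYN is assumed to enter somewhere that does not filter RFC 1918 sources (a customer port or a compromised internal host); that entry point is the assumption the "close to zero" claim depends on. The `md5_required` switch models the peer honouring TCP-MD5 (RFC 2385), which discards a SYN without a valid digest before any SYN-ACK is sent.

```python
"""Model of the 'RFC 1918 loopback for BGP' receive filter and the TCP
reflection path that gets a peer-sourced segment past it.
Added example, not from the NANOG thread; topology is constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed topology (assumption): public interface address, RFC 1918
# loopback used for the BGP session, peer's BGP loopback over the link.
OUR_IFACE = "203.0.113.1"
OUR_LOOPBACK = "10.255.0.1"
PEER_LOOPBACK = "10.255.0.2"
BGP = 179


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str               # "S" = SYN, "SA" = SYN-ACK
    md5_valid: bool = False  # TCP-MD5 (RFC 2385) option present and correct


def is_rfc1918(addr: str) -> bool:
    a = ip_address(addr)
    return any(a in n for n in RFC1918)


def edge_bogon_filter(seg: Segment) -> bool:
    """Ingress filter on the Internet-facing edge: drop anything with an
    RFC 1918 source or destination. True means the segment passes."""
    return not (is_rfc1918(seg.src) or is_rfc1918(seg.dst))


def receive_acl(seg: Segment) -> str:
    """The filter the quoted advice describes: BGP between the peer's
    loopback and ours is the only traffic allowed to reach the router's
    own addresses; anything aimed at the interface address is denied."""
    if seg.dst == OUR_LOOPBACK and seg.src == PEER_LOOPBACK and BGP in (seg.sport, seg.dport):
        return "permit"
    return "deny"


def peer_tcp_stack(seg: Segment, md5_required: bool) -> Optional[Segment]:
    """Model the peer's listening BGP socket. A SYN to port 179 from the
    address it peers with gets a SYN-ACK sent to the SYN's *source*
    (ordinary TCP). With TCP-MD5 configured for that peer, a segment
    without a valid digest is silently discarded (RFC 2385): no reply."""
    if not (seg.dst == PEER_LOOPBACK and seg.dport == BGP and seg.flags == "S"):
        return None
    if seg.src != OUR_LOOPBACK:          # the peer only accepts sessions from us
        return None
    if md5_required and not seg.md5_valid:
        return None
    return Segment(src=PEER_LOOPBACK, dst=seg.src, sport=BGP, dport=seg.sport, flags="SA")


def deliver_from_internet(seg: Segment) -> str:
    """Path 1: attacker sends straight at our router from the Internet."""
    if not edge_bogon_filter(seg):
        return "dropped-at-edge"
    return receive_acl(seg)


def deliver_via_reflection(spoofed_syn: Segment, md5_required: bool) -> str:
    """Path 2: attacker sends a SYN with the source spoofed to OUR loopback
    at the peer, from a point that does not filter RFC 1918 sources
    (assumption). Whatever the peer reflects then hits our receive ACL."""
    reply = peer_tcp_stack(spoofed_syn, md5_required)
    if reply is None:
        return "no-reflection"
    return receive_acl(reply)


def run_scenarios() -> dict:
    attacker = "198.51.100.77"   # constructed attacker address
    spoofed = Segment(OUR_LOOPBACK, PEER_LOOPBACK, 40001, BGP, "S")
    return {
        # aimed at the public interface address: the ACL denies it, as intended
        "direct-to-interface": deliver_from_internet(Segment(attacker, OUR_IFACE, 40000, BGP, "S")),
        # aimed at the RFC 1918 loopback from outside: the edge filter stops it
        "direct-to-loopback": deliver_from_internet(Segment(attacker, OUR_LOOPBACK, 40000, BGP, "S")),
        # bounced off the peer: a peer-sourced, port-179 segment to our loopback,
        # exactly what the receive ACL has to permit for the session to work
        "reflected-no-md5": deliver_via_reflection(spoofed, md5_required=False),
        # same spoofed SYN when the peer requires TCP-MD5: no digest, no SYN-ACK
        "reflected-with-md5": deliver_via_reflection(spoofed, md5_required=True),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:22s} -> {outcome}")
```

The reflected SYN-ACK matches no connection on our side and will be answered with a RST, but it has already been accepted by the receive filter and handed to the router's control plane, which is the resource the DoS concern in the thread is about. The filter only keeps out packets addressed to the interface; it cannot distinguish a reflected peer segment from a legitimate one, so the "is this packet really from the peer" check has to come from something on the segment itself, such as the TCP-MD5 option the subject line refers to.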