North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: key change for TCP-MD5

  • From: Iljitsch van Beijnum
  • Date: Mon Jun 26 05:55:51 2006

On 26-jun-2006, at 2:06, Niels Bakker wrote:

The reason IPsec helps against a DoS against the CPU is that it has an anti replay counter. IPsec implementations are supposed to maintain a window, not unlike a TCP window, that allows them to reject packets with an anti replay counter that's too far behind or ahead of the last seen packets. So in order to make a packet reach the CPU an attacker has to observe or guess an acceptable value for the anti replay counter.

Actually, no. In a router you can easily filter away all IP packets not destined to port 25 to a certain host (for, say, a mail server). However, if those packets are IPsec encrypted, these TCP headers are unavailable to routers in the path.
You can't have it both ways: either you encrypt the packet so that nobody can look inside it, or you don't and people can.

But we weren't talking about encryption. Or about filtering packets that go _through_ a router. What we were talking about was using the IPsec authentication on BGP sessions and whether that's better than using TCP with MD5 in relation to DoS attacks.