key change for TCP-MD5

Ross Callon rcallon at juniper.net
Wed Jun 21 14:50:52 UTC 2006


At 07:29 PM 6/20/2006 -0400, Richard A Steenbergen wrote:
>On Tue, Jun 20, 2006 at 05:06:27PM -0400, Ross Callon wrote:
>...I'd still like someone to explain why we're wasting man hours, CPU time,
>filling up our router logs, and potentially making DoS easier, for an
>attack that doesn't exist....

I think that it does make sense to be clear what attack
or set of attacks we are trying to protect against.

One type of attack is the TCP reset attack. I personally don't
have a strong opinion regarding whether it is worth protecting
against only this attack.

Another potential attack is an attempt to insert information
into a BGP session, such as to introduce bogus routes, or
to even become a "man in the middle" of a BGP session. One
issue that worries me about this is that if this allows routing to
be compromised, then I can figure out how to make money off
of this (and if I can think of it, someone even nastier will probably
also think of this). Of course this would be much more difficult to
pull off, and might require viewing packets between routers to pull
off, but if pulled off and not quickly detected could be unfortunate.

Ross
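What the TCP-MD5 option actually checks on a BGP session, as an added illustration that is not part of Ross's message or any vendor's code: a Python sketch of the RFC 2385 signature and the receiver-side comparison, showing that an in-window reset signed without the key and a segment signed with the pre-change key both fail verification. Addresses, ports, sequence numbers and keys are constructed sample values.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

# Constructed sample session between two hypothetical BGP speakers (not from the post).
SRC, DST = "192.0.2.1", "192.0.2.2"
MD5_OPT_LEN = 20          # 18-byte RFC 2385 option plus 2 bytes of NOP/EOL padding
RST, PSH_ACK = 0x04, 0x18
KEEPALIVE = b"\xff" * 16 + b"\x00\x13\x04"   # 19-byte BGP KEEPALIVE message

def tcp_header(sport, dport, seq, ack, flags, window=65535):
    """Plain 20-byte TCP header; data offset 10 words = 20 header + 20 option bytes."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 10 << 4, flags, window, 0, 0)

def tcp_md5_digest(src_ip, dst_ip, hdr20, payload, key, opt_len=MD5_OPT_LEN):
    """RFC 2385 signature: MD5 over the pseudo-header, the TCP header without
    options and with checksum zeroed, the segment data, and the shared key."""
    seg_len = len(hdr20) + opt_len + len(payload)   # pseudo-header length counts options
    pseudo = (IPv4Address(src_ip).packed + IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, 6, seg_len))  # zero byte, protocol 6 (TCP), length
    hdr = hdr20[:16] + b"\x00\x00" + hdr20[18:]      # checksum field zeroed
    return hashlib.md5(pseudo + hdr + payload + key).digest()

def verify(src_ip, dst_ip, hdr20, payload, received, key):
    """Receiver side: recompute the signature and drop the segment on mismatch."""
    expected = tcp_md5_digest(src_ip, dst_ip, hdr20, payload, key)
    return hmac.compare_digest(expected, received)

def genuine_segment_accepted(key=b"session-key-A"):
    hdr = tcp_header(179, 40000, 1000, 2000, PSH_ACK)
    sig = tcp_md5_digest(SRC, DST, hdr, KEEPALIVE, key)
    return verify(SRC, DST, hdr, KEEPALIVE, sig, key)

def forged_reset_rejected(key=b"session-key-A"):
    """The TCP reset attack: an in-window RST whose sender does not hold the key."""
    hdr = tcp_header(179, 40000, 1000, 2000, RST)
    guess = tcp_md5_digest(SRC, DST, hdr, b"", b"")  # signed with an empty (wrong) key
    return not verify(SRC, DST, hdr, b"", guess, key)

def old_key_rejected_after_change(old=b"session-key-A", new=b"session-key-B"):
    """After a key change both sides must use the new key; old-key segments fail."""
    hdr = tcp_header(179, 40000, 1000, 2000, PSH_ACK)
    sig_old = tcp_md5_digest(SRC, DST, hdr, KEEPALIVE, old)
    return not verify(SRC, DST, hdr, KEEPALIVE, sig_old, new)

if __name__ == "__main__":
    print(genuine_segment_accepted(), forged_reset_rejected(), old_key_rejected_after_change())
```

RFC 2385 appends the key to a plain MD5 hash rather than using an HMAC; TCP-AO (RFC 5925) later replaced it with keyed MACs and in-band key rollover.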
