TCP/BGP vulnerability - easier than you think

Crist Clark crist.clark at globalstar.com
Thu Apr 22 17:01:17 UTC 2004


David Luyer wrote:
[snip]

> With ipsec, you have crypto overhead before you have any opportunity
> to do the basic sanity check.

Minor point, but with IPsec, the 32-bit SPI and the 32-bit replay counter
are very low cost ways to drop the majority of traffic from a flood of
random junk with no crypto calculations. You actually have more bits
with AH or ESP than with TCP. The 32-bit SPI must be an exact match
like the two 16-bit port fields, and you have 32 bits of sequence number
in both, but the TCP window is much larger than the IPsec window (usually
6-bit by default) leaving you more bits to check.
-- 
Crist J. Clark                               crist.clark at globalstar.com
Globalstar Communications                                (408) 933-4387
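
The header-only checks the message above describes, as an added example that is not part of the original post: an inbound ESP packet is matched on SPI and tested against the anti-replay window before any ICV or decryption work. The function names, the 64-packet window and the sample SPI are assumptions made for this sketch.

```python
import random
import struct

WINDOW = 64  # anti-replay window in packets (assumed size for this sketch)

class SA:
    """Minimal inbound security association: SPI plus anti-replay state."""
    def __init__(self, spi):
        self.spi = spi
        self.highest = 0   # highest sequence number authenticated so far
        self.bitmap = 0    # bit i set: sequence (highest - i) already seen

def esp_header(spi, seq):
    """First 8 bytes of an ESP packet: 32-bit SPI, 32-bit sequence number."""
    return struct.pack("!II", spi, seq)

def precheck(sad, packet):
    """Classify a packet from header fields only, before any crypto."""
    if len(packet) < 8:
        return "drop-short"
    spi, seq = struct.unpack("!II", packet[:8])
    sa = sad.get(spi)
    if sa is None:
        return "drop-unknown-spi"      # SPI must match an SA exactly
    if seq == 0:
        return "drop-zero-seq"         # senders start counting at 1
    if seq > sa.highest:
        return "verify"                # ahead of the window: ICV decides
    offset = sa.highest - seq
    if offset >= WINDOW:
        return "drop-too-old"          # left of the window
    if (sa.bitmap >> offset) & 1:
        return "drop-replay"           # already accepted once
    return "verify"

def mark_authenticated(sa, seq):
    """Update the window. Call only after the ICV has verified."""
    if seq > sa.highest:
        shift = seq - sa.highest
        mask = (1 << WINDOW) - 1
        sa.bitmap = 1 if shift >= WINDOW else ((sa.bitmap << shift) | 1) & mask
        sa.highest = seq
    else:
        sa.bitmap |= 1 << (sa.highest - seq)

def flood(sad, count, seed=1):
    """Count constructed random 8-byte headers that would reach the ICV check."""
    rng = random.Random(seed)
    junk = (rng.getrandbits(64).to_bytes(8, "big") for _ in range(count))
    return sum(precheck(sad, p) == "verify" for p in junk)
```

Packets that return "verify" still have to pass the integrity check; the window state only moves in `mark_authenticated`, so junk that gets past the header checks cannot shift it.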