TCP/BGP vulnerability - easier than you think
Paul Jakma
paul at clubi.ie
Fri Apr 23 22:04:55 UTC 2004
On Thu, 22 Apr 2004, Iljitsch van Beijnum wrote:
> Unless I was really sleep-typing I didn't say anything about IPsec,
> just about "crypto", which as far as I'm concerned includes MD5,
> which we were talking about.
Ah, ok. I thought you were referring specifically to MD5.
> As Crist Clark just pointed out: the presence of the SPI and replay
> counter actually makes it harder to do a crypto DoS against IPsec
> than the TCP MD5 option (assuming the traffic can't be sniffed).
Aye, IPSec should be slightly harder to attack.
> Another advantage of IPsec is that it allows for key changes in a
> sane way. I'm not sure I'd want my routers to run IKE, though.
:)
> However, note that even a relatively light-weight check such as an
> HMAC-MD5 can blow away a typical router CPU at orders of magnitude
> below line rate, so it is essential that attackers don't get to
> bypass the non-crypto checks for more than a tiny fraction of the
> packets they spoof.
True. Six of one, half-dozen of the other really. If your peering
sessions are that important though, you can easily afford the crypto
accelerator board, or otherwise decent router (eg a J) wrt CPU power.
regards,
--
Paul Jakma paul at clubi.ie paul at jakma.org Key ID: 64A2FF6A
warning: do not ever send email to spam at dishone.st
Fortune:
Only great masters of style can succeed in being obtuse.
-- Oscar Wilde
Most UNIX programmers are great masters of style.
-- The Unnamed Usenetter
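An added example (not from this thread or its authors) modelling the check ordering the quoted paragraph calls for: a receiver applies the cheap non-crypto checks (peer address, ports, receive window) first and computes the RFC 2385 TCP MD5 digest only for segments that survive them. The key, addresses, sequence numbers and segment counts are constructed values.

```python
import hashlib
import hmac
import random
import struct
from ipaddress import IPv4Address

MD5_OPT_LEN = 20  # kind 19, length 18, 16-byte digest, padded to 4 bytes with NOPs

def fixed_tcp_header(sport, dport, seq, ack, flags, window):
    """20-byte fixed TCP header; data offset covers the MD5 option, checksum left zero."""
    data_off = (20 + MD5_OPT_LEN) // 4
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, data_off << 4, flags, window, 0, 0)

def tcp_md5_digest(src, dst, hdr, payload, key):
    """RFC 2385: MD5(pseudo-header || fixed TCP header with checksum=0 || data || key)."""
    seg_len = len(hdr) + MD5_OPT_LEN + len(payload)  # TCP length includes options
    pseudo = IPv4Address(src).packed + IPv4Address(dst).packed + struct.pack("!BBH", 0, 6, seg_len)
    hdr = hdr[:16] + b"\x00\x00" + hdr[18:]  # zero the checksum field before hashing
    return hashlib.md5(pseudo + hdr + payload + key).digest()

def make_segment(src, dst, sport, dport, seq, payload, key):
    hdr = fixed_tcp_header(sport, dport, seq, 0, 0x18, 65535)
    return {"src": src, "hdr": hdr, "payload": payload,
            "md5": tcp_md5_digest(src, dst, hdr, payload, key)}

def accept_segment(seg, session, key, stats):
    """Cheap checks first; the MD5 cost is paid only for segments that pass them."""
    stats["total"] += 1
    sport, dport, seq = struct.unpack("!HHI", seg["hdr"][:8])
    if seg["src"] != session["peer"] or (sport, dport) != (session["peer_port"], session["local_port"]):
        return False
    if (seq - session["rcv_nxt"]) % 2**32 >= session["rcv_wnd"]:  # outside receive window
        return False
    stats["md5"] += 1
    expected = tcp_md5_digest(seg["src"], session["local"], seg["hdr"], seg["payload"], key)
    return hmac.compare_digest(expected, seg["md5"])

def run_demo(n_unsigned=10000, seed=1):
    """Returns (legit accepted?, unsigned segments accepted, counters). Constructed session."""
    key = b"constructed-demo-key"
    session = {"local": "192.0.2.1", "local_port": 179, "peer": "192.0.2.2",
               "peer_port": 40000, "rcv_nxt": 1_000_000, "rcv_wnd": 65535}
    stats = {"total": 0, "md5": 0}
    good = make_segment(session["peer"], session["local"], 40000, 179, 1_000_010, b"\xff" * 16, key)
    accepted_good = accept_segment(good, session, key, stats)
    rng = random.Random(seed)
    unsigned_ok = 0
    for _ in range(n_unsigned):  # right addresses/ports, random sequence number, wrong key
        bad = make_segment(session["peer"], session["local"], 40000, 179,
                           rng.getrandbits(32), b"\xff" * 16, b"wrong-key")
        unsigned_ok += accept_segment(bad, session, key, stats)
    return accepted_good, unsigned_ok, stats
```

With a 64 KiB window the sequence check alone keeps all but a handful of the 10,000 unsigned segments away from the MD5 step, which is the "tiny fraction" the thread is talking about.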