TCP/BGP vulnerability - easier than you think

Paul Jakma paul at clubi.ie
Fri Apr 23 22:04:55 UTC 2004


On Thu, 22 Apr 2004, Iljitsch van Beijnum wrote:

> Unless I was really sleep-typing I didn't say anything about IPsec,
> just about "crypto", which as far as I'm concerned includes MD5,
> which we were talking about.

Ah, ok. I thought you were referring specifically to MD5.

> As Crist Clark just pointed out: the presence of the SPI and replay
> counter actually makes it harder to do a crypto DoS against IPsec
> than the TCP MD5 option (assuming the traffic can't be sniffed).

Aye, IPsec should be slightly harder to attack.

> Another advantage of IPsec is that it allows for key changes in a
> sane way. I'm not sure I'd want my routers to run IKE, though.

:)

> However, note that even a relatively light-weight check such as an
> HMAC-MD5 can blow away a typical router CPU at orders of magnitude
> below line rate, so it is essential that attackers don't get to
> bypass the non-crypto checks for more than a tiny fraction of the
> packets they spoof.

True. Six of one, half-dozen of the other really. If your peering
sessions are that important though, you can easily afford the crypto
accelerator board, or otherwise decent router (e.g. a J) wrt CPU power.

regards,
-- 
Paul Jakma	paul at clubi.ie	paul at jakma.org	Key ID: 64A2FF6A
	warning: do not ever send email to spam at dishone.st
Fortune:
Only great masters of style can succeed in being obtuse.
		-- Oscar Wilde

Most UNIX programmers are great masters of style.
		-- The Unnamed Usenetter
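The check ordering Iljitsch describes above, as an added example that is not part of this thread: a toy receive path that counts how often the keyed-MD5 check (RFC 2385 layout, simplified to a fixed TCP header with no options and no sequence wrap-around) actually runs against constructed out-of-window segments, depending on whether the cheap 4-tuple and window checks come before or after it. The key, addresses, ports and class names are made up for the example.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

@dataclass
class Segment:
    src: bytes        # 4-byte IPv4 source address
    dst: bytes        # 4-byte IPv4 destination address
    sport: int
    dport: int
    seq: int
    data: bytes
    sig: bytes = b""  # value carried in the TCP MD5 option (16 bytes)

def tcp_md5_sig(seg: Segment, key: bytes) -> bytes:
    """Keyed MD5 in the RFC 2385 layout: pseudo-header, fixed TCP header (checksum 0), data, key."""
    pseudo = struct.pack("!4s4sBBH", seg.src, seg.dst, 0, 6, 20 + len(seg.data))
    hdr = struct.pack("!HHIIBBHHH", seg.sport, seg.dport, seg.seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    return hashlib.md5(pseudo + hdr + seg.data + key).digest()

class BgpSession:
    """Receive side of one TCP session; counts how often the expensive MD5 step runs."""
    def __init__(self, src, dst, sport, dport, rcv_nxt, key, window=16384):
        self.tuple, self.rcv_nxt, self.window, self.key = (src, dst, sport, dport), rcv_nxt, window, key
        self.md5_runs = 0

    def cheap_ok(self, seg: Segment) -> bool:
        """Non-crypto checks only: 4-tuple match and sequence number inside the receive window."""
        return (seg.src, seg.dst, seg.sport, seg.dport) == self.tuple and \
               self.rcv_nxt <= seg.seq < self.rcv_nxt + self.window

    def accept(self, seg: Segment, cheap_first: bool = True) -> bool:
        if cheap_first and not self.cheap_ok(seg):
            return False                      # dropped before any hashing
        self.md5_runs += 1
        if not hmac.compare_digest(tcp_md5_sig(seg, self.key), seg.sig):
            return False
        return cheap_first or self.cheap_ok(seg)

KEY, SRC, DST = b"example-bgp-key", bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])   # constructed

def md5_runs_under_flood(cheap_first: bool, n: int = 1000) -> int:
    """Constructed flood: n segments with the right 4-tuple, out-of-window seq and a bogus signature."""
    s = BgpSession(SRC, DST, 179, 40000, rcv_nxt=1000, key=KEY)
    for i in range(n):
        seq = (s.rcv_nxt + s.window + 1 + i * 4096) % 2**32   # always outside the window
        s.accept(Segment(SRC, DST, 179, 40000, seq, b"", b"\0" * 16), cheap_first)
    return s.md5_runs

def legit_segment_accepted() -> bool:
    s = BgpSession(SRC, DST, 179, 40000, rcv_nxt=1000, key=KEY)
    seg = Segment(SRC, DST, 179, 40000, 1000, b"\xff" * 16)   # 16 marker bytes of a BGP message
    seg.sig = tcp_md5_sig(seg, KEY)
    return s.accept(seg)
```

Running `md5_runs_under_flood(True)` versus `md5_runs_under_flood(False)` shows the whole point: with the cheap checks in front, none of the 1000 junk segments reach MD5; with MD5 first, every one of them costs a hash.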