md5 for bgp tcp sessions

Barry Greene (bgreene) bgreene at cisco.com
Thu Jun 23 14:16:27 UTC 2005



> my understanding is that md5 is still checked before the 
> ttl-hack check takes place on cisco (and perhaps most router 
> platforms).  new attack vector for less security than you had 
> before.  oh well.  ras:
> can you confirm that it is possible to implement ttl-hack and 
> have it check *before* md5 signature checks?

You do not have a correct understanding of how GPTM is supposed to work.
If you can, you need to do this check as close to the punt out of the
data plane as possible. Optimally in the ASIC (if the ASIC can be coded
to do a TTL check). On Cisco gear we're coding from inside out - doing
GPTM in the routing code (BGP) - then in the receive path wrapper (rACL
and CoPP) - then in the ASIC raw queue (if it can) - then in the ASIC's
receive path primitives. The GPTM was all about dropping the packet
before they got near the route process. 

If you want more details, let me know and I'll send them privately.
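The ordering point in the reply above (drop on TTL as early as possible so a spoofed packet never reaches the expensive MD5 check or the route processor) can be seen in a small simulation. The following is an added example, not code from the poster or from any router vendor; the packet structure, the `Receiver` class and the simplified signature (an MD5 over payload plus key, standing in for the RFC 2385 signature over pseudo-header, TCP header, data and key) are assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class Packet:
    """Minimal stand-in for an inbound TCP/179 segment (constructed, not a real capture)."""
    src: str
    ttl: int          # IP TTL as seen on arrival
    payload: bytes
    md5_sig: bytes    # TCP MD5 signature option carried in the segment


def tcp_md5_sig(payload: bytes, key: bytes) -> bytes:
    # Simplified signature: real RFC 2385 also covers the pseudo-header and TCP header.
    return hashlib.md5(payload + key).digest()


class Receiver:
    """Receive-path model with the two checks and a counter for MD5 work performed."""

    def __init__(self, key: bytes, hops: int = 1):
        self.key = key
        # GTSM: a directly connected peer sends TTL 255; allow 'hops' hops of decrement.
        self.min_ttl = 255 - hops + 1
        self.md5_checks = 0

    def ttl_ok(self, pkt: Packet) -> bool:
        # Cheap integer comparison; a remote spoofer cannot raise the TTL on arrival.
        return pkt.ttl >= self.min_ttl

    def md5_ok(self, pkt: Packet) -> bool:
        # Expensive relative to the TTL test: hash computation per packet.
        self.md5_checks += 1
        return hmac.compare_digest(tcp_md5_sig(pkt.payload, self.key), pkt.md5_sig)

    def accept_md5_first(self, pkt: Packet) -> bool:
        return self.md5_ok(pkt) and self.ttl_ok(pkt)

    def accept_ttl_first(self, pkt: Packet) -> bool:
        # Short-circuit: a packet failing the TTL test never reaches the hash.
        return self.ttl_ok(pkt) and self.md5_ok(pkt)


def compare_orderings(packets, key: bytes, hops: int = 1) -> dict:
    """Run the same packet stream through both orderings and report the cost of each."""
    results = {}
    for name, method in (("md5_first", "accept_md5_first"), ("ttl_first", "accept_ttl_first")):
        rx = Receiver(key, hops)
        accepted = sum(1 for p in packets if getattr(rx, method)(p))
        results[name] = {"accepted": accepted, "md5_checks": rx.md5_checks}
    return results


def run_demo() -> dict:
    key = b"constructed-shared-secret"
    # One genuine segment from the directly connected peer (TTL 255, valid signature).
    legit = Packet("192.0.2.1", 255, b"BGP OPEN", tcp_md5_sig(b"BGP OPEN", key))
    # Three spoofed segments that traversed several hops (TTL decremented) with bogus signatures.
    forged = [Packet("192.0.2.1", 250, b"BGP NOTIFICATION", b"\x00" * 16) for _ in range(3)]
    return compare_orderings([legit] + forged, key, hops=1)


if __name__ == "__main__":
    print(run_demo())
```

Both orderings accept exactly the one genuine segment, but checking TTL first performs a single MD5 computation where MD5-first performs four: the forged segments are discarded by an integer comparison, which is the work the reply wants pushed down into rACL/CoPP or the ASIC rather than done in BGP itself.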