key change for TCP-MD5
Richard A Steenbergen
ras at e-gerbil.net
Fri Jun 23 21:10:59 UTC 2006
On Fri, Jun 23, 2006 at 05:01:00PM -0400, Richard A Steenbergen wrote:
>
> Obviously in a perfect world, you don't want to do the expensive MD5 check
> anywhere sooner than the last possible moment before you declare the data
> valid and add it to the socket buffer. I assume that the reason they can't
> do the check sooner in software is they lack a mechanism to tell the IP or
> even TCP input code "we want to discard these packets if they are less
> than TTL x". They probably can't make that decision until the packet gets
> validated by TCP and makes it all the way to BGP code.
Actually I take that back, it should be easy enough to configure a minimum
TTL requirement on the TCB through a socket interface. Obviously they're
doing something to pass the IP TTL data outside of its normal in_input()
function (or whatever passes for such on IOS), so if you've got that data
available in the tcp_input() code you should be able to do the check after
you find your TCB but before the MD5 check, yes?
Since there hasn't been an IOS source code leak in a while, does someone
from Cisco who actually knows how this is implemented want to comment so
we can stop guessing? :)
--
Richard A Steenbergen <ras at e-gerbil.net> http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
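The ordering proposed above (a per-TCB minimum-TTL gate evaluated after the TCB lookup but before the RFC 2385 MD5 check), as an added, constructed example that is not IOS or BSD code and not part of the original post; the TCB fields, the tcp_input() signature and the sample segment are all assumptions, and the digest follows RFC 2385 (pseudo-header, TCP header without options and with checksum zeroed, data, key).

```python
import hashlib
import hmac
import socket
import struct
from dataclasses import dataclass

@dataclass
class TCB:
    # Constructed TCB: local/peer tuple, GTSM-style minimum TTL, TCP-MD5 key.
    laddr: str
    lport: int
    faddr: str
    fport: int
    min_ttl: int         # 0 disables the TTL gate
    md5_key: bytes
    md5_checks: int = 0  # counts how often the expensive digest was computed

def rfc2385_digest(src, dst, tcp_hdr, payload, key):
    # RFC 2385: pseudo-header, fixed TCP header (checksum zeroed), data, key.
    seglen = len(tcp_hdr) + len(payload)
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, seglen)
    fixed = tcp_hdr[:16] + b"\x00\x00" + tcp_hdr[18:20]
    return hashlib.md5(pseudo + fixed + payload + key).digest()

def tcp_input(tcbs, src, dst, ttl, tcp_hdr, payload, sig):
    # Simplified input path: find the TCB, apply the cheap TTL gate, only then MD5.
    sport, dport = struct.unpack("!HH", tcp_hdr[:4])
    tcb = tcbs.get((dst, dport, src, sport))
    if tcb is None:
        return "no-tcb"
    if tcb.min_ttl and ttl < tcb.min_ttl:  # cheap check, no digest computed
        return "ttl-drop"
    tcb.md5_checks += 1                     # expensive path reached
    expected = rfc2385_digest(src, dst, tcp_hdr, payload, tcb.md5_key)
    if not hmac.compare_digest(expected, sig):
        return "md5-drop"
    return "accept"

def run_demo():
    # Constructed directly-connected BGP-style session, so min_ttl is 255.
    key = b"constructed-key"
    tcb = TCB("192.0.2.1", 179, "192.0.2.2", 40000, min_ttl=255, md5_key=key)
    tcbs = {(tcb.laddr, tcb.lport, tcb.faddr, tcb.fport): tcb}
    hdr = struct.pack("!HHIIBBHHH", 40000, 179, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    data = b"constructed payload"
    good = rfc2385_digest(tcb.faddr, tcb.laddr, hdr, data, key)
    results = {
        "peer": tcp_input(tcbs, tcb.faddr, tcb.laddr, 255, hdr, data, good),
        "low_ttl": tcp_input(tcbs, tcb.faddr, tcb.laddr, 250, hdr, data, good),
        "bad_sig": tcp_input(tcbs, tcb.faddr, tcb.laddr, 255, hdr, data, b"\x00" * 16),
    }
    return results, tcb.md5_checks
```

The counter shows the point of the ordering: the low-TTL segment is rejected without ever reaching the digest, so only the two TTL-valid segments cost an MD5 computation.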