key change for TCP-MD5

Richard A Steenbergen ras at e-gerbil.net
Fri Jun 23 21:10:59 UTC 2006


On Fri, Jun 23, 2006 at 05:01:00PM -0400, Richard A Steenbergen wrote:
> 
> Obviously in a perfect world, you don't want to do the expensive MD5 check 
> anywhere sooner than the last possible moment before you declare the data 
> valid and add it to the socket buffer. I assume that the reason they can't 
> do the check sooner in software is they lack a mechanism to tell the IP or 
> even TCP input code "we want to discard these packets if they are less 
> than TTL x". They probably can't make that decision until the packet gets 
> validated by TCP and makes it all the way to BGP code.

Actually I take that back, it should be easy enough to configure a minimum 
TTL requirement on the TCB through a socket interface. Obviously they're 
doing something to pass the IP TTL data outside of its normal in_input() 
function (or whatever passes for such on IOS), so if you've got that data 
available in the tcp_input() code you should be able to do the check after 
you find your TCB but before the MD5 check, yes?

Since there hasn't been an IOS source code leak in a while, does someone 
from Cisco who actually knows how this is implemented want to comment so 
we can stop guessing? :)

-- 
Richard A Steenbergen <ras at e-gerbil.net>       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
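The ordering being argued for above (find the TCB, apply a per-socket minimum-TTL check, and only then run the RFC 2385 MD5 digest), shown as an added example that is not part of the original post and not IOS or BSD code. `Tcb`, `tcp_input`, `build_segment` and the addresses and key are constructed for illustration; the `min_ttl` field stands in for a GTSM-style (RFC 3682) floor such as FreeBSD's IP_MINTTL. The digest layout follows RFC 2385 (IPv4 pseudo-header, fixed TCP header with the checksum zeroed, data, key; options excluded). The counters show that a spoofed low-TTL segment never reaches the expensive digest when the floor is set, and always does when it is not.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional

TCPOPT_MD5 = 19   # RFC 2385 option kind
TCPOLEN_MD5 = 18  # kind + len + 16-byte digest


@dataclass
class Tcb:
    """Stand-in for a TCP control block (hypothetical; not IOS or BSD code)."""
    md5_key: Optional[bytes] = None  # RFC 2385 shared secret; None = no MD5 on this session
    min_ttl: Optional[int] = None    # GTSM-style floor; 255 for a directly connected eBGP peer
    md5_checks: int = 0              # how many expensive digests tcp_input actually computed


def rfc2385_digest(src, dst, tcp_hdr, payload, key, seg_len):
    """MD5 over IPv4 pseudo-header, fixed TCP header (checksum zeroed), data, key.
    TCP options, including the MD5 option itself, are excluded per RFC 2385."""
    pseudo = src + dst + struct.pack("!BBH", 0, 6, seg_len)
    hdr = tcp_hdr[:16] + b"\x00\x00" + tcp_hdr[18:20]  # bytes 16-17 are the checksum
    return hashlib.md5(pseudo + hdr + payload + key).digest()


def find_md5_option(options):
    """Walk the TCP option list; return the 16-byte digest or None (malformed = absent)."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:          # end of option list
            break
        if kind == 1:          # NOP padding
            i += 1
            continue
        if i + 1 >= len(options):
            break
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            break
        if kind == TCPOPT_MD5 and length == TCPOLEN_MD5:
            return bytes(options[i + 2:i + length])
        i += length
    return None


def build_segment(src, dst, sport, dport, payload, key):
    """Constructed sender side: 20-byte header + MD5 option (+2 NOPs) + payload, signed with key.
    The TCP checksum is left as 0; it is zeroed for the digest anyway."""
    options_len = TCPOLEN_MD5 + 2                      # pad to a 4-byte boundary
    data_offset = (20 + options_len) // 4
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, data_offset << 4, 0x18, 65535, 0, 0)
    seg_len = 20 + options_len + len(payload)
    digest = rfc2385_digest(src, dst, tcp_hdr, payload, key, seg_len)
    options = bytes([TCPOPT_MD5, TCPOLEN_MD5]) + digest + b"\x01\x01"
    return tcp_hdr, options, payload


def tcp_input(tcb, ttl, src, dst, tcp_hdr, options, payload):
    """Receive path after the TCB lookup: cheap TTL floor first, expensive MD5 second."""
    if tcb.min_ttl is not None and ttl < tcb.min_ttl:
        return "drop:ttl"                              # never touches MD5
    if tcb.md5_key is not None:
        tcb.md5_checks += 1
        got = find_md5_option(options)
        seg_len = len(tcp_hdr) + len(options) + len(payload)
        want = rfc2385_digest(src, dst, tcp_hdr, payload, tcb.md5_key, seg_len)
        if got is None or not hmac.compare_digest(got, want):
            return "drop:md5"
    return "accept"


def demo():
    """Constructed traffic: one real peer, one far-away spoofer, one wrong key."""
    src, dst = bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])   # constructed addresses
    key = b"s3cret-bgp-key"                                    # constructed secret
    tcb = Tcb(md5_key=key, min_ttl=255)
    good = build_segment(src, dst, 40000, 179, b"\xff" * 16 + b"\x00\x13\x01", key)
    results = {
        "peer": tcp_input(tcb, 255, src, dst, *good),         # adjacent peer, valid digest
        "spoofed_far": tcp_input(tcb, 240, src, dst, *good),  # same bytes, 15 hops away
        "wrong_key": tcp_input(tcb, 255, src, dst,
                               *build_segment(src, dst, 40000, 179, b"x", b"wrong")),
    }
    no_gtsm = Tcb(md5_key=key)                                 # same session, no TTL floor
    bogus = build_segment(src, dst, 40000, 179, b"junk", b"not-the-key")
    for _ in range(3):                                         # three junk segments from afar
        tcp_input(no_gtsm, 240, src, dst, *bogus)
    return results, tcb.md5_checks, no_gtsm.md5_checks


if __name__ == "__main__":
    print(demo())
```

With the floor set, the far-away segment is dropped before any digest is computed, so only the two TTL-255 segments cost an MD5; without the floor every junk segment costs one, which is exactly the CPU-exhaustion vector the TTL check is meant to head off.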
