key change for TCP-MD5

Patrick W. Gilmore patrick at ianai.net
Fri Jun 23 23:34:40 UTC 2006


On Jun 23, 2006, at 7:17 PM, Iljitsch van Beijnum wrote:
> On 24-jun-2006, at 0:43, Owen DeLong wrote:
>
>> Why couldn't the network device do an AH check in hardware before
>> passing the packet to the receive path?  If you can get to a point
>> where all connections or traffic TO the router should be AH, then,
>> that will help with DOS.
>
> If you care that much, why don't you just add an extra loopback  
> address, give it an RFC 1918 address, have your peer talk BGP  
> towards that address and filter all packets towards the actual  
> interface address of the router?
>
> The chance of an attacker sending an RFC 1918 packet that ends up  
> at your router is close to zero and even though the interface  
> address still shows up in traceroutes etc it is bullet proof  
> because of the filters.

Why is this better than using the TTL hack?  Which is easier to  
configure, and at least as secure.

-- 
TTFN,
patrick
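The two approaches under discussion, side by side, as an added illustration that is not part of the original thread. The syntax is IOS-style and the addresses, AS numbers, interface names and the MD5 key are constructed placeholders; the remote side is assumed to mirror the configuration, which GTSM in particular requires (both peers must send with TTL 255 and enforce the hop count).

```cisco
! ---- Approach A (loopback + filter, as described in the quoted mail) ----
! Peer on an RFC 1918 loopback that is never carried in external routing;
! the interface address stays reachable for traceroute but is filtered.
interface Loopback1
 description BGP peering address, RFC 1918, not advertised externally
 ip address 10.255.0.1 255.255.255.255
!
! The peer's loopback is one link away, so a static route and a two-hop
! multihop session are needed.
ip route 10.255.0.2 255.255.255.255 192.0.2.2
!
router bgp 65000
 neighbor 10.255.0.2 remote-as 65001
 neighbor 10.255.0.2 update-source Loopback1
 neighbor 10.255.0.2 ebgp-multihop 2
 neighbor 10.255.0.2 password EXAMPLE-MD5-KEY
!
! Drop everything aimed at the interface address itself; only the loopback
! pair may talk BGP. Transit traffic is unaffected (it is not "to" the router).
ip access-list extended TO-ROUTER-ONLY-PEER
 permit tcp host 10.255.0.2 host 10.255.0.1 eq bgp
 permit tcp host 10.255.0.2 eq bgp host 10.255.0.1
 deny   ip any host 192.0.2.1 log
 deny   ip any host 10.255.0.1 log
 permit ip any any
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.252
 ip access-group TO-ROUTER-ONLY-PEER in

! ---- Approach B (the "TTL hack", GTSM / RFC 5082) ----
! Peer on the interface addresses. Both sides send BGP with TTL 255 and
! the receiver rejects any segment whose TTL is below 255 - hops, so a
! spoofed packet that has crossed even one extra router is discarded
! before it reaches the TCP/BGP process.
router bgp 65000
 neighbor 192.0.2.2 remote-as 65001
 neighbor 192.0.2.2 ttl-security hops 1
 neighbor 192.0.2.2 password EXAMPLE-MD5-KEY
```

In approach A the protection lives in the ACL and in the peer's routing hygiene (the RFC 1918 loopback must not leak), so every interface that can reach the router needs the filter; in approach B the check is one line per neighbor and is enforced by the peer's own TTL, which an off-path host cannot raise above what its hop distance allows. On IOS `ttl-security` and `ebgp-multihop` are mutually exclusive for the same neighbor, which is why B peers on the directly connected addresses.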


