key change for TCP-MD5
Patrick W. Gilmore
patrick at ianai.net
Fri Jun 23 23:34:40 UTC 2006
On Jun 23, 2006, at 7:17 PM, Iljitsch van Beijnum wrote:
> On 24-jun-2006, at 0:43, Owen DeLong wrote:
>
>> Why couldn't the network device do an AH check in hardware before
>> passing the packet to the receive path? If you can get to a point
>> where all connections or traffic TO the router should be AH, then,
>> that will help with DOS.
>
> If you care that much, why don't you just add an extra loopback
> address, give it an RFC 1918 address, have your peer talk BGP
> towards that address and filter all packets towards the actual
> interface address of the router?
>
> The chance of an attacker sending an RFC 1918 packet that ends up
> at your router is close to zero and even though the interface
> address still shows up in traceroutes etc it is bullet proof
> because of the filters.
Why is this better than using the TTL hack? Which is easier to
configure, and at least as secure.
--
TTFN,
patrick
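As an added illustration (not part of this thread or anyone's posting), a small Python model of the two approaches being compared: the TTL hack (GTSM, RFC 5082) versus BGP to an RFC 1918 loopback with the real interface address filtered. The packet model, function names and addresses are constructed assumptions.

```python
from dataclasses import dataclass
import ipaddress

BGP_PORT = 179
GTSM_TTL = 255  # RFC 5082: a GTSM-protected peer sends with TTL 255


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    ttl: int


def gtsm_accept(pkt: Packet, router_addr: str, expected_hops: int = 1) -> bool:
    """The 'TTL hack' (GTSM): accept BGP only when the remaining TTL proves the
    packet crossed at most expected_hops links. A directly connected peer
    delivers TTL 255; anything relayed from further away has been decremented
    more and is dropped before it reaches the BGP process."""
    if pkt.dst != router_addr or pkt.dport != BGP_PORT:
        return False
    return pkt.ttl >= GTSM_TTL - (expected_hops - 1)


def loopback_accept(pkt: Packet, iface_addr: str, loop_addr: str, peer_addr: str) -> bool:
    """The RFC 1918 loopback approach: BGP is spoken only to a private loopback
    and every packet to the real interface address is filtered. The loopback is
    meant to be reachable only from the peer's private address."""
    if pkt.dst == iface_addr:
        return False  # blanket filter on the public interface address
    if pkt.dst == loop_addr and pkt.dport == BGP_PORT:
        return pkt.src == peer_addr and ipaddress.ip_address(pkt.src).is_private
    return False


# Constructed addresses: router interface, router loopback, peer public, peer private.
IFACE, LOOP, PEER_PUB, PEER_PRIV = "198.51.100.1", "10.255.0.1", "198.51.100.2", "10.255.0.2"


def evaluate() -> dict:
    """Run constructed packets through both checks: {case: (gtsm, loopback)}."""
    cases = {
        # the legitimate directly connected peer, addressed as each scheme expects
        "peer": (Packet(PEER_PUB, IFACE, BGP_PORT, 255),
                 Packet(PEER_PRIV, LOOP, BGP_PORT, 255)),
        # a host eight hops away: its TTL has been decremented to 247 on arrival
        "remote, 8 hops": (Packet("203.0.113.9", IFACE, BGP_PORT, 247),
                           Packet("203.0.113.9", LOOP, BGP_PORT, 247)),
        # the peer talking to a non-BGP port: neither check is meant to admit it
        "peer, not BGP": (Packet(PEER_PUB, IFACE, 22, 255),
                          Packet(PEER_PRIV, LOOP, 22, 255)),
    }
    return {name: (gtsm_accept(g, IFACE), loopback_accept(l, IFACE, LOOP, PEER_PRIV))
            for name, (g, l) in cases.items()}
```

Both schemes admit the one-hop peer and reject the multi-hop source; GTSM needs only the TTL rule, while the loopback scheme depends on the interface filter plus the private address never being routed in from outside.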