key change for TCP-MD5
Barry Greene (bgreene)
bgreene at cisco.com
Sat Jun 24 09:51:57 UTC 2006
This "RFC1918 for control plane/management plane" technique is
vulnerable to a TCP reflection attack. The miscreants know about it. So
the assumption that the chance of an RFC 1918 packet reaching your router
is "zero" is not something you should assume.
> -----Original Message-----
> From: owner-nanog at merit.edu [mailto:owner-nanog at merit.edu] On
> Behalf Of Iljitsch van Beijnum
> Sent: Friday, June 23, 2006 4:18 PM
> To: Owen DeLong
> Cc: NANOG list
> Subject: Re: key change for TCP-MD5
>
>
> On 24-jun-2006, at 0:43, Owen DeLong wrote:
>
> > Why couldn't the network device do an AH check in hardware before
> > passing the packet to the receive path? If you can get to a point
> > where all connections or traffic TO the router should be AH, then,
> > that will help with DOS.
>
> If you care that much, why don't you just add an extra
> loopback address, give it an RFC 1918 address, have your peer
> talk BGP towards that address and filter all packets towards
> the actual interface address of the router?
>
> The chance of an attacker sending an RFC 1918 packet that
> ends up at your router is close to zero and even though the
> interface address still shows up in traceroutes etc it is
> bullet proof because of the filters.
>
> (This works even better with IPv6 link local addresses, those
> are guaranteed to be unroutable.)
>
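What the loopback-peering setup Iljitsch describes looks like on a Cisco IOS box, as an added example (not part of the original thread, and not Barry's or Iljitsch's own configuration). Everything concrete here is assumed: ASNs 65001/65002, a link of 192.0.2.0/30, RFC 1918 loopbacks 10.255.0.1 (ours) and 10.255.0.2 (the peer's), and a placeholder MD5 key. The peer is assumed to mirror the configuration and to carry a static route for our loopback over the link.

```cisco
! Assumed addressing (example only): link 192.0.2.0/30, our side .1,
! loopbacks 10.255.0.1 (us) and 10.255.0.2 (peer) used only for the session.
interface Loopback1
 ip address 10.255.0.1 255.255.255.255
!
! Reach the peer's loopback over the link; the peer needs the mirror route.
ip route 10.255.0.2 255.255.255.255 192.0.2.2
!
! Source the session from the loopback. ebgp-multihop is required because
! the two loopbacks are not on a shared subnet (TTL 2 is enough for one hop).
router bgp 65001
 neighbor 10.255.0.2 remote-as 65002
 neighbor 10.255.0.2 update-source Loopback1
 neighbor 10.255.0.2 ebgp-multihop 2
 neighbor 10.255.0.2 password 0 ReplaceThisKey
!
! Inbound filter on the link: only the peer's loopback may talk BGP to ours,
! nothing else may target the loopback, and nothing at all may target the
! interface address that still shows up in traceroute. Transit traffic passes.
ip access-list extended PEER-LINK-IN
 permit tcp host 10.255.0.2 host 10.255.0.1 eq bgp
 permit tcp host 10.255.0.2 eq bgp host 10.255.0.1
 deny   ip any host 10.255.0.1
 deny   ip any host 192.0.2.1
 permit ip any any
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.252
 ip access-group PEER-LINK-IN in
```

Note that the filter narrows what can reach 10.255.0.1 to packets carrying the peer's source address; it does not make the loopback unreachable, which is the point of Barry's reply. Packets that arrive with the peer's address as source, whatever their real origin, are still delivered to the BGP process, so the session should keep its own authentication (the TCP-MD5 password above, or whatever the thread settles on) rather than relying on the addressing alone.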