key change for TCP-MD5

Barry Greene (bgreene) bgreene at cisco.com
Sat Jun 24 09:51:57 UTC 2006



This "RFC1918 for control plane/management plane" technique is
vulnerable to a TCP reflection attack. The miscreants know about it. So
the assumption that the chance of a RFC 1918 packet reaching your router
being "zero" is not something you should assume.

> -----Original Message-----
> From: owner-nanog at merit.edu [mailto:owner-nanog at merit.edu] On 
> Behalf Of Iljitsch van Beijnum
> Sent: Friday, June 23, 2006 4:18 PM
> To: Owen DeLong
> Cc: NANOG list
> Subject: Re: key change for TCP-MD5
> 
> 
> On 24-jun-2006, at 0:43, Owen DeLong wrote:
> 
> > Why couldn't the network device do an AH check in hardware before 
> > passing the packet to the receive path?  If you can get to a point 
> > where all connections or traffic TO the router should be AH, then, 
> > that will help with DOS.
> 
> If you care that much, why don't you just add an extra 
> loopback address, give it an RFC 1918 address, have your peer 
> talk BGP towards that address and filter all packets towards 
> the actual interface address of the router?
> 
> The chance of an attacker sending an RFC 1918 packet that 
> ends up at your router is close to zero and even though the 
> interface address still shows up in traceroutes etc it is 
> bullet proof because of the filters.
> 
> (This works even better with IPv6 link local addresses, those 
> are guaranteed to be unroutable.)
> 
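As an added illustration (not from either poster), here is what the loopback-plus-filter setup Iljitsch describes looks like in Cisco IOS-style syntax, with the explicit RFC 1918 denies that Barry's caveat calls for. All addresses, AS numbers and ACL names are constructed; the MD5 key is a placeholder.

```cisco
! Loopback that carries only the BGP session (constructed RFC 1918 address)
interface Loopback0
 ip address 10.255.255.1 255.255.255.255
!
! Physical peering link (constructed public address); the filter sits here
interface GigabitEthernet0/0
 description Peering link to AS 65001
 ip address 192.0.2.1 255.255.255.252
 ip access-group PEER-LINK-IN in
!
! Peer's loopback is one hop away across the link, so it needs a host route
ip route 10.255.255.2 255.255.255.255 192.0.2.2
!
router bgp 65000
 neighbor 10.255.255.2 remote-as 65001
 neighbor 10.255.255.2 update-source Loopback0
 neighbor 10.255.255.2 ebgp-multihop 2
 neighbor 10.255.255.2 password MD5-KEY-PLACEHOLDER
!
ip access-list extended PEER-LINK-IN
 remark Only the peer's loopback may talk BGP to our loopback
 permit tcp host 10.255.255.2 host 10.255.255.1 eq bgp
 permit tcp host 10.255.255.2 eq bgp host 10.255.255.1
 remark Barry's point: RFC 1918 sources DO arrive here, so drop them
 remark explicitly instead of assuming they never show up
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 remark Nothing else may be addressed to the loopback or the link address
 deny ip any host 10.255.255.1
 deny ip any host 192.0.2.1
 remark Transit traffic through the router is unaffected
 permit ip any any
```

The ACL cannot tell a genuine packet from 10.255.255.2 apart from a spoofed one carrying that source, which is exactly the gap the TCP-MD5 signature in this thread's subject is meant to close.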