key change for TCP-MD5

Niels Bakker niels=nanog at bakker.net
Mon Jun 26 00:06:08 UTC 2006


* iljitsch at muada.com (Iljitsch van Beijnum) [Wed 21 Jun 2006, 19:05 CEST]:
>The reason IPsec helps against a DoS against the CPU is that it has 
>an anti replay counter. IPsec implementations are supposed to 
>maintain a window, not unlike a TCP window, that allows them to 
>reject packets with an anti replay counter that's too far behind or 
>ahead of the last seen packets. So in order to make a packet reach 
>the CPU an attacker has to observe or guess an acceptable value for 
>the anti replay counter.

Actually, no.  In a router you can easily filter away all IP packets not 
destined to port 25 to a certain host (for, say, a mail server). 
However, if those packets are IPsec encrypted, these TCP headers are 
unavailable to routers in the path.  I do not expect a complete IPsec
implementation in the filtering engines of routers, nor that they be
able to keep track of window sizes in specific conversations (after all, 
they don't get to see RST packets either).

Web servers generally do not come with hardware-based filtering 
capabilities to protect "the CPU."


	-- Niels.
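The following is an added illustration, not part of either poster's message, of the anti-replay window Iljitsch describes in the quoted text: a receiver keeps the highest sequence number accepted so far plus a bitmap of the last N sequence numbers, and drops any packet whose number is a replay or falls too far behind, before doing any expensive integrity check. It follows the scheme in RFC 4303 Appendix A, simplified: sequence numbers are plain integers (no 32-bit wrap or extended sequence numbers), and the window size, the `process` helper and all sample sequence numbers are constructed for the example.

```python
class AntiReplayWindow:
    """Sliding anti-replay window in the style of RFC 4303 (ESP), Appendix A.

    `last_seq` is the right edge of the window (highest sequence number
    accepted so far); bit i of `bitmap` is set when sequence number
    (last_seq - i) has already been accepted.  Checking a packet against
    the window is a few integer operations, so replayed or stale packets
    can be dropped before the receiver spends CPU on authentication.
    """

    def __init__(self, size=64):
        self.size = size        # number of sequence numbers covered by the bitmap
        self.last_seq = 0       # highest sequence number accepted so far
        self.bitmap = 0         # bit i set => (last_seq - i) already seen

    def check(self, seq):
        """Return True if `seq` is acceptable: inside the window and not yet seen.

        State is not updated here; a real implementation calls `update`
        only after the packet's integrity check (ICV) has succeeded.
        """
        if seq == 0:
            return False                    # sequence number 0 is never valid in ESP
        if seq > self.last_seq:
            return True                     # new packet to the right of the window
        diff = self.last_seq - seq
        if diff >= self.size:
            return False                    # too far behind: left of the window
        return not (self.bitmap >> diff) & 1  # reject if this number was already seen

    def update(self, seq):
        """Record `seq` as accepted, sliding the window right if needed."""
        if seq > self.last_seq:
            shift = seq - self.last_seq
            if shift < self.size:
                # slide the bitmap and mark the new right edge as seen
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            else:
                # jumped past the whole window: only the new edge is seen
                self.bitmap = 1
            self.last_seq = seq
        else:
            self.bitmap |= 1 << (self.last_seq - seq)


def process(seqs, size=8):
    """Run a stream of sequence numbers through a window and report each verdict.

    Returns a list of (seq, accepted) pairs.  For the example the window is
    updated immediately after a successful check; in practice the update
    happens only once the packet has authenticated.
    """
    window = AntiReplayWindow(size)
    verdicts = []
    for seq in seqs:
        ok = window.check(seq)
        if ok:
            window.update(seq)
        verdicts.append((seq, ok))
    return verdicts


if __name__ == "__main__":
    # Constructed sample: in-order packets, a replay of 2, a jump to 10,
    # a replayed 3, a now-stale 2, a late-but-valid 5, a jump past the
    # whole window to 20, a stale 12 and a late-but-valid 13.
    for seq, ok in process([1, 2, 3, 2, 10, 3, 2, 5, 20, 12, 13], size=8):
        print(f"seq={seq:>3}  {'accept' if ok else 'drop'}")
```

Note that the check only filters what arrives at the host that terminates the IPsec association; as the reply above points out, a router in the path sees neither the inner TCP header nor this window state, so it cannot make the same decision on the host's behalf.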


