key change for TCP-MD5

• Previous message (by thread): key change for TCP-MD5
• Next message (by thread): key change for TCP-MD5
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 26-jun-2006, at 2:06, Niels Bakker wrote:

>> The reason IPsec helps against a DoS against the CPU is that it  
>> has an anti replay counter. IPsec implementations are supposed to  
>> maintain a window, not unlike a TCP window, that allows them to  
>> reject packets with an anti replay counter that's too far behind  
>> or ahead of the last seen packets. So in order to make a packet  
>> reach the CPU an attacker has to observe or guess an acceptable  
>> value for the anti replay counter.

> Actually, no.  In a router you can easily filter away all IP  
> packets not destined to port 25 to a certain host (for, say, a mail  
> server). However, if those packets are IPsec encrypted, these TCP  
> headers are unavailable to routers in the path.

You can't have it both ways: either you encrypt the packet so that  
nobody can look inside it, or you don't and people can.

But we weren't talking about encryption. Or about filtering packets  
that go _through_ a router. What we were talking about was using the  
IPsec authentication on BGP sessions and whether that's better than  
using TCP with MD5 in relation to DoS attacks.

• Previous message (by thread): key change for TCP-MD5
• Next message (by thread): key change for TCP-MD5
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]