key change for TCP-MD5
Iljitsch van Beijnum
iljitsch at muada.com
Mon Jun 26 09:54:39 UTC 2006
On 26-jun-2006, at 2:06, Niels Bakker wrote:
>> The reason IPsec helps against a DoS against the CPU is that it
>> has an anti replay counter. IPsec implementations are supposed to
>> maintain a window, not unlike a TCP window, that allows them to
>> reject packets with an anti replay counter that's too far behind
>> or ahead of the last seen packets. So in order to make a packet
>> reach the CPU an attacker has to observe or guess an acceptable
>> value for the anti replay counter.
> Actually, no. In a router you can easily filter away all IP
> packets not destined to port 25 to a certain host (for, say, a mail
> server). However, if those packets are IPsec encrypted, these TCP
> headers are unavailable to routers in the path.
You can't have it both ways: either you encrypt the packet so that
nobody can look inside it, or you don't and people can.
But we weren't talking about encryption. Or about filtering packets
that go _through_ a router. What we were talking about was using the
IPsec authentication on BGP sessions and whether that's better than
using TCP with MD5 in relation to DoS attacks.
More information about the NANOG
mailing list