[69960] in North American Network Operators' Group
Re: TCP/BGP vulnerability - easier than you think
daemon@ATHENA.MIT.EDU (Crist Clark)
Thu Apr 22 13:02:18 2004
Date: Thu, 22 Apr 2004 10:01:17 -0700
From: Crist Clark <crist.clark@globalstar.com>
In-reply-to: <1BAD86FA20172C449C56A8E5D51977AB1E2BC1@pimel-mx1.ozpacnet.office.pacific.net.au>
To: David Luyer <david@luyer.net>
Cc: nanog@merit.edu
Errors-To: owner-nanog-outgoing@merit.edu

David Luyer wrote:
[snip]
> With ipsec, you have crypto overhead before you have any opportunity
> to do the basic sanity check.

Minor point, but with IPsec, the 32-bit SPI and the 32-bit replay counter
are very low cost ways to drop the majority of traffic from a flood of
random junk with no crypto calculations. You actually have more bits
with AH or ESP than with TCP. The 32-bit SPI must be an exact match
like the two 16-bit port fields, and you have 32 bits of sequence number
in both, but the TCP window is much larger than the IPsec window (usually
6-bit by default) leaving you more bits to check.

--
Crist J. Clark crist.clark@globalstar.com
Globalstar Communications (408) 933-4387
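
The header-only checks described in the message above, as an added example that is not part of the original post: an exact-match SPI lookup followed by the anti-replay window test, both done before any ICV computation. The struct layout, function names and linear SA table are assumptions of this example, and it uses plain 32-bit sequence numbers with a 64-packet window.

```c
#include <stdint.h>
#include <stddef.h>

/* Added illustration; names and layout are assumptions, not a real stack. */
#define REPLAY_WINDOW 64u            /* packets, i.e. 6 bits of window */

enum verdict { DROP_NO_SA, DROP_TOO_OLD, DROP_DUPLICATE, NEEDS_ICV };

struct sa {                          /* one inbound security association */
    uint32_t spi;                    /* must match the header exactly */
    uint32_t top;                    /* highest authenticated sequence number */
    uint64_t seen;                   /* bit i set => (top - i) already received */
};

/* Checks that need only the SPI and sequence number fields, no crypto. */
enum verdict precheck(const struct sa *tbl, size_t n, uint32_t spi,
                      uint32_t seq, const struct sa **match)
{
    const struct sa *s = NULL;
    for (size_t i = 0; i < n; i++)
        if (tbl[i].spi == spi) { s = &tbl[i]; break; }
    if (s == NULL)
        return DROP_NO_SA;           /* wrong SPI: dropped on a 32-bit compare */
    *match = s;
    if (seq == 0)
        return DROP_TOO_OLD;         /* 0 is never sent; treated as stale */
    if (seq > s->top)
        return NEEDS_ICV;            /* right of window: only the ICV can decide */
    uint32_t off = s->top - seq;
    if (off >= REPLAY_WINDOW)
        return DROP_TOO_OLD;         /* left of window */
    if (s->seen & (1ULL << off))
        return DROP_DUPLICATE;       /* replay inside the window */
    return NEEDS_ICV;
}

/* Call only after the ICV has verified; slides or marks the window. */
void accept_seq(struct sa *s, uint32_t seq)
{
    if (seq > s->top) {
        uint32_t shift = seq - s->top;
        s->seen = (shift >= REPLAY_WINDOW) ? 0 : (s->seen << shift);
        s->seen |= 1ULL;
        s->top = seq;
    } else {
        s->seen |= 1ULL << (s->top - seq);
    }
}
```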