[69996] in North American Network Operators' Group
Re: TCP/BGP vulnerability - easier than you think
daemon@ATHENA.MIT.EDU (Paul Jakma)
Fri Apr 23 18:06:09 2004
Date: Fri, 23 Apr 2004 23:04:55 +0100 (IST)
From: Paul Jakma <paul@clubi.ie>
To: Iljitsch van Beijnum <iljitsch@muada.com>
Cc: nanog@merit.edu
In-Reply-To: <AB301AEC-9483-11D8-B78B-000A95CD987A@muada.com>
Errors-To: owner-nanog-outgoing@merit.edu
On Thu, 22 Apr 2004, Iljitsch van Beijnum wrote:
> Unless I was really sleep-typing I didn't say anything about IPsec,
> just about "crypto", which as far as I'm concerned includes MD5,
> which we were talking about.
Ah, ok. I thought you were referring specifically to MD5.
> As Crist Clark just pointed out: the presence of the SPI and replay
> counter actually makes it harder to do a crypto DoS against IPsec
> than the TCP MD5 option (assuming the traffic can't be sniffed).
Aye, IPSec should be slightly harder to attack.
> Another advantage of IPsec is that it allows for key changes in a
> sane way. I'm not sure I'd want my routers to run IKE, though.
:)
> However, note that even a relatively light-weight check such as an
> HMAC-MD5 can blow away a typical router CPU at orders of magnitude
> below line rate, so it is essential that attackers don't get to
> bypass the non-crypto checks for more than a tiny fraction of the
> packets they spoof.
True. Six of one, half-dozen of the other really. If your peering
sessions are that important though, you can easily afford the crypto
accelerator board, or otherwise decent router (eg a J) wrt CPU power.
regards,
--
Paul Jakma paul@clubi.ie paul@jakma.org Key ID: 64A2FF6A
warning: do not ever send email to spam@dishone.st
Fortune:
Only great masters of style can succeed in being obtuse.
-- Oscar Wilde
Most UNIX programmers are great masters of style.
-- The Unnamed Usenetter
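The ordering problem the thread is discussing, as an added illustration that is not part of this message or the NANOG archive: a receiver that runs the cheap sequence-window check before the TCP MD5 option check (RFC 2385, which is a keyed MD5 rather than a true HMAC) only spends a digest computation on the small fraction of blind spoofs whose sequence number happens to land in the window. Key, addresses, ports and window size are constructed sample values.

```python
import hashlib
import hmac
import random
import struct

def tcp_md5_digest(src_ip, dst_ip, tcp_hdr, payload, key):
    """RFC 2385 signature: MD5 over pseudo-header, TCP header (options excluded,
    checksum taken as zero), segment data and finally the shared key."""
    seg_len = len(tcp_hdr) + len(payload)
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, seg_len)
    hdr = tcp_hdr[:16] + b"\x00\x00" + tcp_hdr[18:20]          # zero the checksum field
    return hashlib.md5(pseudo + hdr + payload + key).digest()

def build_tcp_hdr(sport, dport, seq, ack, flags=0x18, window=65535):
    # 20-byte header, data offset 5; checksum and urgent pointer left zero
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)

class Receiver:
    """Receive path that runs the cheap sequence-window check before the MD5 check."""
    def __init__(self, key, rcv_nxt, rcv_wnd):
        self.key, self.rcv_nxt, self.rcv_wnd = key, rcv_nxt, rcv_wnd
        self.md5_calls = 0          # how often the expensive step actually ran

    def accept(self, src_ip, dst_ip, tcp_hdr, payload, sig):
        seq = struct.unpack("!I", tcp_hdr[4:8])[0]
        if (seq - self.rcv_nxt) % 2**32 >= self.rcv_wnd:       # out of window: drop for free
            return False
        self.md5_calls += 1
        expected = tcp_md5_digest(src_ip, dst_ip, tcp_hdr, payload, self.key)
        return hmac.compare_digest(expected, sig)

def simulate_spoof_flood(n=100_000, seed=1):
    """Returns (legit accepted?, in-window forgery accepted?, MD5 runs caused by n spoofs)."""
    key = b"constructed-session-key"                           # constructed sample key
    src, dst = bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])     # RFC 5737 documentation addresses
    rx = Receiver(key, rcv_nxt=1_000_000, rcv_wnd=16384)
    keepalive = b"\xff" * 16 + b"\x00\x13\x04"                 # BGP KEEPALIVE message
    hdr = build_tcp_hdr(179, 40001, 1_000_000, 5000)
    legit = rx.accept(src, dst, hdr, keepalive, tcp_md5_digest(src, dst, hdr, keepalive, key))
    forged_sig = bytes(16)
    forged = rx.accept(src, dst, hdr, keepalive, forged_sig)    # in window, wrong MAC: rejected
    before, rng = rx.md5_calls, random.Random(seed)
    for _ in range(n):   # blind spoofs: random sequence numbers, junk signature
        rx.accept(src, dst, build_tcp_hdr(179, 40001, rng.getrandbits(32), 5000), b"", forged_sig)
    return legit, forged, rx.md5_calls - before

if __name__ == "__main__":
    print(simulate_spoof_flood())
```

With a 16 KiB window the expected number of digest computations per 100,000 blind spoofs is well under one; widen the window, or skip the window check, and every spoofed packet costs a digest, which is the CPU exhaustion the quoted paragraph warns about.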