Re: Cisco's Statement about IPR Claimed in draft-ietf-tcpm-tcpsecure
Thu May 13 14:06:31 2004
In-Reply-To: <20040513174827.7CDA07B46@berkshire.research.att.com>
Cc: Patrick W.Gilmore <patrick@ianai.net>
From: Patrick W.Gilmore <patrick@ianai.net>
Date: Thu, 13 May 2004 14:05:47 -0400
To: nanog@merit.edu
On May 13, 2004, at 1:48 PM, Steven M. Bellovin wrote:
> In message <Pine.NEB.4.58.0405122134560.9034@server.duh.org>, Todd
> Vierling writes:
>>
>> On Tue, 11 May 2004, David Krause wrote:
>>
>> : http://www.ietf.org/ietf/IPR/cisco-ipr-draft-ietf-tcpm-tcpsecure.txt
>>
>> The same document that fully ignores that port number randomness will
>> severely limit the risk of susceptibility to such an attack?
>
> How many zombies would it take to search the port number space
> exhaustively?
Irrelevant.
The limiting factor here is how many packets can make it to the CPU.
Using 10K pps as a nice round (and high) figure, a single machine can
do that.
Also, many of the calculations I've seen assume much higher pps when
calculating time to reset a session. Has anyone done a test to see
what a Juniper M5/10/whatever and a GSR can actually take without
dropping packets due to rate limiting and/or falling over from being
packeted?
--
TTFN,
patrick
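The thread argues about two limits on the blind RST attack that draft-ietf-tcpm-tcpsecure addresses: how much the port-number search space adds to the cost (Vierling's point) and how many packets per second actually reach a router's CPU (Gilmore's point). The following added example, which is not part of the thread and not anyone's posted code, makes both limits concrete for a defender sizing the exposure of a long-lived session such as a BGP peering. The window size, port ranges and the 10K pps figure are constructed assumptions, the pps value taken from the message above; the model assumes the pre-tcpsecure rule that a RST is accepted anywhere in the receive window.

```python
# Added example, not from the NANOG thread: how receive window size, source-port
# unpredictability and packet rate bound the time needed to blindly reset a session.
# All scenario values below are constructed assumptions for illustration.

SEQ_SPACE = 2 ** 32  # size of the 32-bit TCP sequence-number space


def rst_guesses(window: int, port_candidates: int) -> int:
    """Spoofed RST segments required to cover every receive window for every
    candidate source port, assuming (pre-tcpsecure) a RST anywhere inside the
    window is accepted. Ceiling division so a partial window still counts."""
    if window <= 0 or port_candidates <= 0:
        raise ValueError("window and port_candidates must be positive")
    windows = -(-SEQ_SPACE // window)
    return windows * port_candidates


def seconds_to_cover(window: int, port_candidates: int, pps: int) -> float:
    """Worst-case time to exhaust the search at a sustained packet rate.
    The rate that matters is what reaches the victim's CPU, not line rate."""
    if pps <= 0:
        raise ValueError("pps must be positive")
    return rst_guesses(window, port_candidates) / pps


# Constructed scenarios (assumptions, not measured values):
#   window 16384 bytes, a common default receive window for a router's BGP session
#   port known: attacker already knows the client port (e.g. both ends use 179)
#   ephemeral range: source port drawn from a 16384-port ephemeral range
#   full range: source port drawn from the whole 16-bit space
SCENARIOS = {
    "port known":      (16384, 1),
    "ephemeral range": (16384, 16384),
    "full 16-bit":     (16384, 65536),
}


def exposure_table(pps: int = 10_000) -> dict:
    """Per-scenario segment count and wall-clock seconds at the given pps.
    10K pps is the 'nice round (and high)' CPU-bound figure from the thread."""
    return {
        name: {
            "segments": rst_guesses(window, ports),
            "seconds": seconds_to_cover(window, ports, pps),
        }
        for name, (window, ports) in SCENARIOS.items()
    }


if __name__ == "__main__":
    for name, row in exposure_table().items():
        hours = row["seconds"] / 3600
        print(f"{name:16s} {row['segments']:>14,d} segments  {hours:10.2f} h")
```

Read the output as a defender: with the port known and 10K pps reaching the CPU, the window-sized steps cover the sequence space in well under a minute, which is why tcpsecure's in-window RST challenge matters; randomizing the source port across even a 16K-port range multiplies that by four orders of magnitude, which is the point Vierling raises. Both levers are worth pulling, and the pps figure you plug in should come from measuring what your own platform's control plane sustains, the test Gilmore asks for, not from line rate.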