[90928] in North American Network Operators' Group
Re: key change for TCP-MD5
daemon@ATHENA.MIT.EDU (Jared Mauch)
Wed Jun 21 09:04:24 2006
Date: Wed, 21 Jun 2006 09:03:55 -0400
From: Jared Mauch <jared@puck.nether.net>
To: Randy Bush <randy@psg.com>
Cc: Ross Callon <rcallon@juniper.net>,
Bora Akyol <bora@broadcom.com>, nanog@merit.edu
In-Reply-To: <17560.36940.928458.294560@roam.psg.com>
Errors-To: owner-nanog@merit.edu
On Tue, Jun 20, 2006 at 05:18:20PM -0700, Randy Bush wrote:
>
> >> The added cost for CPU-bound systems is that they have to try
> >> (potentially) multiple keys before getting the **right** key
> >> but in real life this can be easily mitigated by having a rating
> >> system on the key based on the frequency of success.
> >
> > This mitigates the effect of authenticating valid packets. However,
> > this does not appear to help at all in terms of minimizing the DOS
> > effect of an intentional DoS attack that uses authenticated packets
> > (with the processing time required to check the keys the intended
> > damage of the attack).
>
> gstm
this doesn't help if the vendor can't implement it
correctly and does the md5 calc before checking the ttl :(
- jared
--
Jared Mauch | pgp key available via finger from jared@puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
