[90929] in North American Network Operators' Group
Re: key change for TCP-MD5
daemon@ATHENA.MIT.EDU (Randy Bush)
Wed Jun 21 10:32:54 2006
From: Randy Bush <randy@psg.com>
Date: Wed, 21 Jun 2006 07:32:16 -0700
To: Jared Mauch <jared@puck.nether.net>
Cc: Ross Callon <rcallon@juniper.net>,
Bora Akyol <bora@broadcom.com>, nanog@merit.edu
Errors-To: owner-nanog@merit.edu
>>>> The added cost for CPU-bound systems is that they have to try
>>>> (potentially) multiple keys before getting the **right** key
>>>> but in real life this can be easily mitigated by having a rating
>>>> system on the key based on the frequency of success.
>>> This mitigates the effect of authenticating valid packets. However,
>>> this does not appear to help at all in terms of minimizing the DOS
>>> effect of an intentional DoS attack that uses authenticated packets
>>> (with the processing time required to check the keys the intended
>>> damage of the attack).
>> gstm
> this doesn't help if the vendor can't implement it
> correctly and does the md5 calc before checking the ttl :(
hard to imagine anything that will help such a vendor
randy
