[90997] in North American Network Operators' Group


Re: key change for TCP-MD5

daemon@ATHENA.MIT.EDU (Todd Underwood)
Fri Jun 23 16:43:57 2006

Date: Fri, 23 Jun 2006 16:43:29 -0400
From: Todd Underwood <todd-nanog@renesys.com>
To: nanog@merit.edu
In-Reply-To: <C35ADD020AEBD04383C1F7F644227FDF01F45953@xmb-sjc-227.amer.cisco.com>
Errors-To: owner-nanog@merit.edu

On Fri, Jun 23, 2006 at 11:49:33AM -0700, Barry Greene (bgreene) wrote:
>
> Yes Jared - our software does the TTL after the MD5, but the hardware
> implementations do the check in hardware before the packet gets punted
> to the receive path. That is exactly where you need to do the
> classification to minimize DOS on a router - as close to the point where
> the optical-electrical-airwaves convert to an IP packet as possible.

i'm not that bright, so maybe i'm missing something, but i've heard
this claim from cisco people before and never understood it.

just to clarify:  you're saying that doing the (expensive) md5 check
before the (almost free) ttl check makes sense because that
*minimizes* the DOS vectors against a router?  can someone walk me
through the logic here using small words?  i am obviously not able to
follow this due to my distance from the
"optical-electrical-airwaves".

t.


-- 
_____________________________________________________________________
todd underwood                                 +1 603 643 9300 x101
renesys corporation                            chief of operations & security
todd@renesys.com                               http://www.renesys.com/blog/todd.shtml
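An added example, not part of the thread, modelling the two check orderings being argued about: a simplified RFC 2385 TCP-MD5 signature and a TTL (GTSM, RFC 5082) check, run over constructed traffic so the number of MD5 digests each ordering forces the router to compute can be counted. Addresses, ports, payloads and the key are placeholders; sequence numbers are fixed at zero.

```python
import hashlib
import socket
import struct
from dataclasses import dataclass

@dataclass
class Segment:
    src: str
    dst: str
    ttl: int
    sport: int
    dport: int
    payload: bytes
    sig: bytes = b""

def tcp_md5_sig(seg, key):
    """RFC 2385 digest: pseudo-header, TCP header (checksum zeroed, no options), data, key.
    Sequence/ack numbers are fixed at 0: this models the check order, not a full TCP stack."""
    hdr = struct.pack("!HHIIBBHHH", seg.sport, seg.dport, 0, 0, 5 << 4, 0x10, 65535, 0, 0)
    pseudo = (socket.inet_aton(seg.src) + socket.inet_aton(seg.dst)
              + struct.pack("!xBH", 6, len(hdr) + len(seg.payload)))
    return hashlib.md5(pseudo + hdr + seg.payload + key).digest()

def md5_ok(seg, key, cost):
    cost["md5"] += 1  # count every digest the router is forced to compute
    return seg.sig == tcp_md5_sig(seg, key)

def ttl_ok(seg):
    return seg.ttl == 255  # GTSM (RFC 5082): a directly connected peer's TTL arrives untouched

def accept_md5_first(seg, key, cost):
    return md5_ok(seg, key, cost) and ttl_ok(seg)

def accept_ttl_first(seg, key, cost):
    return ttl_ok(seg) and md5_ok(seg, key, cost)

def build_traffic(key, n_spoofed):
    """Constructed sample: one genuine peer segment plus n_spoofed multi-hop segments with junk signatures."""
    peer = Segment("10.0.0.1", "10.0.0.2", 255, 40000, 179, b"KEEPALIVE")
    peer.sig = tcp_md5_sig(peer, key)
    junk = [Segment("198.51.100.7", "10.0.0.2", 250, 40000 + i, 179, b"X", b"\x00" * 16)
            for i in range(n_spoofed)]
    return [peer] + junk

def run(segments, key, order):
    """Return (segments accepted, MD5 digests computed) for one check ordering."""
    cost = {"md5": 0}
    accepted = sum(1 for s in segments if order(s, key, cost))
    return accepted, cost["md5"]
```

Both orderings accept the same single genuine segment, but MD5-first computes a digest for every junk segment while TTL-first computes exactly one. The TTL check only shields against multi-hop sources: a segment from a directly attached host arrives with TTL 255 and still costs a digest either way.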
