[91001] in North American Network Operators' Group
Re: key change for TCP-MD5
daemon@ATHENA.MIT.EDU (Richard A Steenbergen)
Fri Jun 23 17:11:26 2006
Date: Fri, 23 Jun 2006 17:10:59 -0400
From: Richard A Steenbergen <ras@e-gerbil.net>
To: Todd Underwood <todd-nanog@renesys.com>
Cc: nanog@merit.edu
In-Reply-To: <20060623210100.GJ703@overlord.e-gerbil.net>
Errors-To: owner-nanog@merit.edu
On Fri, Jun 23, 2006 at 05:01:00PM -0400, Richard A Steenbergen wrote:
>
> Obviously in a perfect world, you don't want to do the expensive MD5 check
> anywhere sooner than the last possible moment before you declare the data
> valid and add it to the socket buffer. I assume that the reason they can't
> do the check sooner in software is they lack a mechanism to tell the IP or
> even TCP input code "we want to discard these packets if they are less
> than TTL x". They probably can't make that decision until the packet gets
> validated by TCP and makes it all the way to BGP code.

Actually I take that back, it should be easy enough to configure a minimum
TTL requirement on the TCB through a socket interface. Obviously they're
doing something to pass the IP TTL data outside of its normal in_input()
function (or whatever passes for such on IOS), so if you've got that data
available in the tcp_input() code you should be able to do the check after
you find your TCB but before the MD5 check, yes?

Since there hasn't been an IOS source code leak in a while, does someone
from Cisco who actually knows how this is implemented want to comment so
we can stop guessing? :)

-- 
Richard A Steenbergen <ras@e-gerbil.net> http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
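The receive-path ordering the mail above argues for (look up the TCB, apply a per-connection minimum-TTL gate, and only then spend an MD5 on the segment) can be modelled in a few dozen lines. The following is an added example, not code from the NANOG thread, from IOS, or from any BSD stack: the `TCB.min_ttl` field is the hypothetical per-socket knob the mail speculates about, the digest is a simplified form of the RFC 2385 TCP-MD5 computation (pseudo-header, option-less TCP header with checksum zeroed, data, key; window and urgent fields are fixed because the toy segment does not carry them), and all addresses, ports and the key are constructed demo values. The `md5_checks` counter exists only to show how many digests the cheap TTL gate saved.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class TCB:
    """Per-connection state: the 4-tuple, the TCP-MD5 key and a minimum TTL."""
    laddr: str
    lport: int
    raddr: str
    rport: int
    md5_key: bytes = b""      # empty means TCP-MD5 is not configured
    min_ttl: int = 0          # 0 means no TTL requirement (hypothetical per-TCB knob)
    md5_checks: int = 0       # how many digests we had to compute (demo counter)


@dataclass
class Segment:
    """The IP/TCP fields this toy needs; constructed for the example, not captured."""
    saddr: str
    daddr: str
    ttl: int
    sport: int
    dport: int
    seq: int
    ack: int
    flags: int
    payload: bytes
    md5_option: Optional[bytes] = None   # 16-byte TCP-MD5 option value, if present


def ip_to_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def tcp_md5_digest(seg: Segment, key: bytes) -> bytes:
    """Simplified RFC 2385 digest: pseudo-header, TCP header without options
    (checksum zeroed), segment data, then the key. Window/urgent pointer are
    constants here because the toy Segment does not carry them."""
    seg_len = 20 + len(seg.payload)
    pseudo = (ip_to_bytes(seg.saddr) + ip_to_bytes(seg.daddr)
              + struct.pack("!BBH", 0, 6, seg_len))
    header = struct.pack("!HHIIBBHHH", seg.sport, seg.dport, seg.seq, seg.ack,
                         5 << 4, seg.flags, 65535, 0, 0)
    return hashlib.md5(pseudo + header + seg.payload + key).digest()


def find_tcb(table: Dict[Tuple[str, int, str, int], TCB],
             seg: Segment) -> Optional[TCB]:
    """TCB lookup keyed on (local addr, local port, remote addr, remote port)."""
    return table.get((seg.daddr, seg.dport, seg.saddr, seg.sport))


def tcp_input(table: Dict[Tuple[str, int, str, int], TCB], seg: Segment) -> str:
    """Order of checks: TCB lookup, then the cheap TTL compare, then the MD5."""
    tcb = find_tcb(table, seg)
    if tcb is None:
        return "drop: no matching TCB"
    # Cheap gate first: an integer compare against the TTL the IP layer handed us.
    if tcb.min_ttl and seg.ttl < tcb.min_ttl:
        return "drop: ttl below minimum"
    # Expensive check last: only segments that passed the TTL gate cost an MD5.
    if tcb.md5_key:
        tcb.md5_checks += 1
        expected = tcp_md5_digest(seg, tcb.md5_key)
        if seg.md5_option is None or not hmac.compare_digest(seg.md5_option, expected):
            return "drop: bad TCP-MD5 digest"
    return "accept"


def run_demo() -> Tuple[list, int]:
    """Feed three constructed segments at a BGP-style TCB and report what happened."""
    key = b"constructed-demo-key"
    tcb = TCB("192.0.2.1", 179, "192.0.2.2", 40000, md5_key=key, min_ttl=255)
    table = {(tcb.laddr, tcb.lport, tcb.raddr, tcb.rport): tcb}

    def seg(ttl: int, payload: bytes, sign: bool = True) -> Segment:
        s = Segment("192.0.2.2", "192.0.2.1", ttl, 40000, 179, 1000, 2000, 0x18, payload)
        s.md5_option = tcp_md5_digest(s, key) if sign else b"\x00" * 16
        return s

    results = [
        tcp_input(table, seg(255, b"KEEPALIVE")),          # valid, directly connected
        tcp_input(table, seg(200, b"junk", sign=False)),   # rejected before any MD5 work
        tcp_input(table, seg(255, b"junk", sign=False)),   # passes TTL, fails the digest
    ]
    return results, tcb.md5_checks


if __name__ == "__main__":
    for line in run_demo()[0]:
        print(line)
```

Of the three segments only two ever reach the digest computation; the one with a TTL below the configured minimum is discarded by an integer compare right after the TCB lookup, which is the whole point of placing the TTL gate ahead of the MD5 rather than after TCP validation in the BGP code.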