[91004] in North American Network Operators' Group


Re: key change for TCP-MD5

daemon@ATHENA.MIT.EDU (Iljitsch van Beijnum)
Fri Jun 23 19:18:26 2006

In-Reply-To: <3D92608F743AE3AE5984CE45@imac-en0.delong.sj.ca.us>
Cc: NANOG list <nanog@merit.edu>
From: Iljitsch van Beijnum <iljitsch@muada.com>
Date: Sat, 24 Jun 2006 01:17:31 +0200
To: Owen DeLong <owen@delong.com>
Errors-To: owner-nanog@merit.edu


On 24-jun-2006, at 0:43, Owen DeLong wrote:

> Why couldn't the network device do an AH check in hardware before passing
> the packet to the receive path?  If you can get to a point where all
> connections or traffic TO the router should be AH, then, that will help
> with DOS.

If you care that much, why don't you just add an extra loopback  
address, give it an RFC 1918 address, have your peer talk BGP towards  
that address and filter all packets towards the actual interface  
address of the router?

The chance of an attacker sending an RFC 1918 packet that ends up at  
your router is close to zero, and even though the interface address  
still shows up in traceroutes etc., it is bulletproof because of the  
filters.

(This works even better with IPv6 link local addresses, those are  
guaranteed to be unroutable.)
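The loopback-plus-filter scheme from the post above, written out as an added Cisco IOS-style configuration that is not part of the original message or thread; the addresses, AS numbers, interface names and the ACL name PEER-IN are made up for illustration, and the TCP-MD5 secret is a placeholder.

```cisco
! Added illustration (not from the post): BGP peers on an RFC 1918 loopback,
! with the routable interface address filtered. All values are made up.
!
! 1. Loopback that carries the BGP session, numbered from RFC 1918 space.
!    It is never announced; the peer reaches it only across the link.
interface Loopback1
 description BGP session endpoint
 ip address 10.255.0.1 255.255.255.255
!
! 2. Physical peering link. Its address stays globally routable (it is the
!    one that appears in traceroute), but packets sent TO it are dropped below.
interface GigabitEthernet0/1
 description Peering link to AS 64496
 ip address 192.0.2.1 255.255.255.252
 ip access-group PEER-IN in
!
! 3. eBGP sourced from the loopback. TTL 2 is needed for loopback-to-loopback
!    over a directly connected link. TCP-MD5 stays in place on the session.
router bgp 64512
 neighbor 10.255.0.2 remote-as 64496
 neighbor 10.255.0.2 update-source Loopback1
 neighbor 10.255.0.2 ebgp-multihop 2
 neighbor 10.255.0.2 password <shared-secret-placeholder>
!
! The peer's loopback is reachable only through the link, so the RFC 1918
! address never appears in the routing table as anything but a link-local hop.
ip route 10.255.0.2 255.255.255.255 192.0.2.2
!
! 4. Inbound filter on the link: BGP between the two loopbacks is allowed,
!    everything else aimed at either of this router's addresses is dropped,
!    and transit traffic (not addressed to the router) is untouched.
!    The same deny for 192.0.2.1 belongs on every other edge interface too,
!    since this ACL only sees packets entering Gi0/1.
ip access-list extended PEER-IN
 permit tcp host 10.255.0.2 host 10.255.0.1 eq bgp
 permit tcp host 10.255.0.2 eq bgp host 10.255.0.1
 deny   ip any host 10.255.0.1
 deny   ip any host 192.0.2.1
 permit ip any any
```

The peer side mirrors this with its own loopback, static route back across the link and matching filter; with the filters in place, a spoofed packet has to arrive on the peering link itself, carrying the peer's RFC 1918 source, to reach the BGP process at all.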
