[91005] in North American Network Operators' Group
Re: key change for TCP-MD5
daemon@ATHENA.MIT.EDU (Patrick W. Gilmore)
Fri Jun 23 19:35:11 2006
In-Reply-To: <1814C39E-B860-45CB-BDBB-5C91A1F8A511@muada.com>
Cc: "Patrick W. Gilmore" <patrick@ianai.net>
From: "Patrick W. Gilmore" <patrick@ianai.net>
Date: Fri, 23 Jun 2006 19:34:40 -0400
To: NANOG list <nanog@merit.edu>
Errors-To: owner-nanog@merit.edu
On Jun 23, 2006, at 7:17 PM, Iljitsch van Beijnum wrote:
> On 24-jun-2006, at 0:43, Owen DeLong wrote:
>
>> Why couldn't the network device do an AH check in hardware before
>> passing the packet to the receive path? If you can get to a point where
>> all connections or traffic TO the router should be AH, then, that will
>> help with DOS.
>
> If you care that much, why don't you just add an extra loopback
> address, give it an RFC 1918 address, have your peer talk BGP
> towards that address and filter all packets towards the actual
> interface address of the router?
>
> The chance of an attacker sending an RFC 1918 packet that ends up
> at your router is close to zero and even though the interface
> address still shows up in traceroutes etc it is bullet proof
> because of the filters.
Why is this better than using the TTL hack, which is easier to
configure and at least as secure?
--
TTFN,
patrick
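The two protections compared in this exchange, modelled side by side as an added illustration (not code from the thread or from any router vendor): the TTL hack (GTSM, RFC 5082), where the peer sends with TTL 255 and the router rejects anything that arrives with a TTL below 255 minus the allowed hop count, versus Iljitsch's RFC 1918 loopback trick, where the session is bound to a private loopback and everything addressed to the real interface is filtered. All addresses, hop counts and the assumption that RFC 1918 destinations are dropped at the transit edge are constructed for the example.

```python
"""Toy model of two ways to shield a router's BGP session from off-path
attackers: the TTL hack (GTSM, RFC 5082) versus speaking BGP to an
RFC 1918 loopback and filtering the interface address.

Added example for the NANOG thread above; not code from the message.
Addresses, hop counts and filter policy are constructed for illustration.
"""
from dataclasses import dataclass, replace
import ipaddress

MAX_TTL = 255      # IPv4 TTL is 8 bits: no sender can put more than 255 on the wire
BGP_PORT = 179

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed topology (documentation prefixes): a directly connected eBGP
# peer, our public interface address (visible in traceroute), a private
# loopback for the session, and an attacker somewhere on the Internet.
PEER = "192.0.2.2"
ROUTER_IF = "192.0.2.1"
ROUTER_LO = "10.255.0.1"
ATTACKER = "203.0.113.9"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    ttl: int
    dport: int = BGP_PORT


def traverse(pkt: Packet, routers_between: int):
    """Each router on the path decrements TTL by one; None once it expires."""
    ttl = pkt.ttl - routers_between
    return replace(pkt, ttl=ttl) if ttl > 0 else None


def gtsm_accept(pkt: Packet, max_routers_between: int) -> bool:
    """TTL hack: the peer sends TTL 255. TTL only ever goes down in flight,
    so a packet that crossed more than max_routers_between routers arrives
    too low, and a distant attacker has no way to push it back up."""
    return pkt.ttl >= MAX_TTL - max_routers_between


def loopback_scheme_accept(pkt: Packet, ingress_iface: str) -> bool:
    """Loopback trick: BGP is spoken only to the RFC 1918 loopback, from the
    peer, on the peering interface. Anything to the public interface address
    is dropped, and (assumption) RFC 1918 destinations arriving from transit
    are dropped by the usual bogon ingress filter."""
    dst = ipaddress.ip_address(pkt.dst)
    if ingress_iface != "peering" and any(dst in net for net in RFC1918):
        return False
    if pkt.dst == ROUTER_IF:
        return False
    if pkt.dst == ROUTER_LO and pkt.dport == BGP_PORT:
        return pkt.src == PEER and ingress_iface == "peering"
    return False


def run_scenarios() -> dict:
    """Exercise both schemes against the legitimate peer and an attacker."""
    r = {}
    # GTSM: peer is adjacent (0 routers between), attacker is 6 routers away.
    r["peer_gtsm"] = gtsm_accept(traverse(Packet(PEER, ROUTER_IF, MAX_TTL), 0), 0)
    r["attacker_gtsm"] = gtsm_accept(traverse(Packet(ATTACKER, ROUTER_IF, MAX_TTL), 6), 0)
    # Spoofing the peer's source address does not help: TTL is per hop, not per address.
    r["spoofed_gtsm"] = gtsm_accept(traverse(Packet(PEER, ROUTER_IF, MAX_TTL), 6), 0)
    # Known limit of GTSM: an attacker on the same link as the peer passes the TTL test.
    r["on_link_attacker_gtsm"] = gtsm_accept(traverse(Packet(ATTACKER, ROUTER_IF, MAX_TTL), 0), 0)

    # Loopback scheme.
    r["peer_loopback"] = loopback_scheme_accept(Packet(PEER, ROUTER_LO, 64), "peering")
    r["attacker_to_interface"] = loopback_scheme_accept(Packet(ATTACKER, ROUTER_IF, 64), "transit")
    r["attacker_to_loopback"] = loopback_scheme_accept(Packet(ATTACKER, ROUTER_LO, 64), "transit")
    r["spoofed_to_loopback"] = loopback_scheme_accept(Packet(PEER, ROUTER_LO, 64), "transit")
    return r


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:24s} {'accept' if ok else 'drop'}")
```

The model makes the trade-off in Patrick's question concrete: GTSM needs one knob per session and depends on nothing but the hop count, while the loopback scheme needs an address plan plus correct filters on every interface, and its "close to zero" claim rests on RFC 1918 packets actually being dropped before they reach the router. Both fail the same way against an attacker on the peering segment itself.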