[91009] in North American Network Operators' Group
RE: key change for TCP-MD5
daemon@ATHENA.MIT.EDU (Barry Greene (bgreene))
Sat Jun 24 05:52:49 2006
Date: Sat, 24 Jun 2006 02:51:57 -0700
From: "Barry Greene (bgreene)" <bgreene@cisco.com>
To: "Iljitsch van Beijnum" <iljitsch@muada.com>,
"Owen DeLong" <owen@delong.com>
Cc: "NANOG list" <nanog@merit.edu>
Errors-To: owner-nanog@merit.edu
This "RFC1918 for control plane/management plane" technique is
vulnerable to a TCP reflection attack. The miscreants know about it. So
the assumption that the chance of an RFC 1918 packet reaching your router
is "zero" is not something you should assume.
> -----Original Message-----
> From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On
> Behalf Of Iljitsch van Beijnum
> Sent: Friday, June 23, 2006 4:18 PM
> To: Owen DeLong
> Cc: NANOG list
> Subject: Re: key change for TCP-MD5
>
>
> On 24-jun-2006, at 0:43, Owen DeLong wrote:
>
> > Why couldn't the network device do an AH check in hardware before
> > passing the packet to the receive path? If you can get to a point
> > where all connections or traffic TO the router should be AH, then,
> > that will help with DOS.
>
> If you care that much, why don't you just add an extra
> loopback address, give it an RFC 1918 address, have your peer
> talk BGP towards that address and filter all packets towards
> the actual interface address of the router?
>
> The chance of an attacker sending an RFC 1918 packet that
> ends up at your router is close to zero and even though the
> interface address still shows up in traceroutes etc. it is
> bulletproof because of the filters.
>
> (This works even better with IPv6 link local addresses, those
> are guaranteed to be unroutable.)
>
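As an added illustration of the exchange above (example code, not part of the original thread; every address, port and interface name is constructed), a small policy model of the "RFC 1918 loopback plus receive filter" design. It shows that the receive filter alone still admits a packet addressed to the private loopback from a non-peer link, and that the assumption of "close to zero" only holds once RFC 1918 traffic is also dropped at the network edge:

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing for the example (not from the thread).
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]
PEER_LOOPBACK = ip_network("10.255.0.1/32")    # router's private loopback used for BGP
INTERFACE_ADDR = ip_network("203.0.113.1/32")  # public address of the physical interface
BGP_PORT = 179


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    ingress: str  # "peer" for the BGP neighbour's link, "internet" for anything else


def receive_acl(pkt: Packet) -> bool:
    """The filter proposed in the thread: drop everything towards the real
    interface address; allow BGP towards the RFC 1918 loopback."""
    dst = ip_address(pkt.dst)
    if dst in INTERFACE_ADDR:
        return False
    return dst in PEER_LOOPBACK and pkt.dport == BGP_PORT


def ingress_iacl(pkt: Packet) -> bool:
    """Edge filter: packets with an RFC 1918 source or destination are only
    accepted on the link where the private peering actually lives."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    touches_private = any(src in net or dst in net for net in RFC1918)
    return not touches_private or pkt.ingress == "peer"


def reaches_bgp(pkt: Packet, with_iacl: bool) -> bool:
    """Does the packet reach the BGP listener on the loopback?"""
    if with_iacl and not ingress_iacl(pkt):
        return False
    return receive_acl(pkt)


if __name__ == "__main__":
    legit = Packet("10.255.0.2", "10.255.0.1", BGP_PORT, "peer")
    stray = Packet("198.51.100.7", "10.255.0.1", BGP_PORT, "internet")
    for name, pkt in (("peer session", legit), ("stray packet to loopback", stray)):
        print(f"{name}: receive ACL only -> {reaches_bgp(pkt, False)}, "
              f"with edge iACL -> {reaches_bgp(pkt, True)}")
```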