[91015] in North American Network Operators' Group
Re: key change for TCP-MD5
daemon@ATHENA.MIT.EDU (Niels Bakker)
Sun Jun 25 20:06:43 2006
Date: Mon, 26 Jun 2006 02:06:08 +0200
From: Niels Bakker <niels=nanog@bakker.net>
To: nanog@merit.edu
Mail-Followup-To: nanog@merit.edu
In-Reply-To: <E074AD4A-7364-47C6-A21E-2A3374D2A3AA@muada.com>
Errors-To: owner-nanog@merit.edu
* iljitsch@muada.com (Iljitsch van Beijnum) [Wed 21 Jun 2006, 19:05 CEST]:
>The reason IPsec helps against a DoS against the CPU is that it has
>an anti replay counter. IPsec implementations are supposed to
>maintain a window, not unlike a TCP window, that allows them to
>reject packets with an anti replay counter that's too far behind or
>ahead of the last seen packets. So in order to make a packet reach
>the CPU an attacker has to observe or guess an acceptable value for
>the anti replay counter.
Actually, no. In a router you can easily filter away all IP packets not
destined to port 25 to a certain host (for, say, a mail server).
However, if those packets are IPsec encrypted, these TCP headers are
unavailable to routers in the path. I do not expect a complete IPsec
implementation in the filtering engines of routers, nor that they be
able to keep track of window sizes in specific conversations (after all,
they don't get to see RST packets either).
Web servers generally do not come with hardware-based filtering
capabilities to protect "the CPU."
-- Niels.
