[91022] in North American Network Operators' Group
Re: key change for TCP-MD5
daemon@ATHENA.MIT.EDU (Iljitsch van Beijnum)
Mon Jun 26 05:55:12 2006
In-Reply-To: <20060626000608.GC3152@burnout.tpb.net>
Cc: nanog@merit.edu
From: Iljitsch van Beijnum <iljitsch@muada.com>
Date: Mon, 26 Jun 2006 11:54:39 +0200
To: Niels Bakker <niels=nanog@bakker.net>
Errors-To: owner-nanog@merit.edu
On 26-jun-2006, at 2:06, Niels Bakker wrote:
>> The reason IPsec helps against a DoS against the CPU is that it
>> has an anti replay counter. IPsec implementations are supposed to
>> maintain a window, not unlike a TCP window, that allows them to
>> reject packets with an anti replay counter that's too far behind
>> or ahead of the last seen packets. So in order to make a packet
>> reach the CPU an attacker has to observe or guess an acceptable
>> value for the anti replay counter.
> Actually, no. In a router you can easily filter away all IP
> packets not destined to port 25 to a certain host (for, say, a mail
> server). However, if those packets are IPsec encrypted, these TCP
> headers are unavailable to routers in the path.
You can't have it both ways: either you encrypt the packet so that
nobody can look inside it, or you don't and people can.
But we weren't talking about encryption. Or about filtering packets
that go _through_ a router. What we were talking about was using the
IPsec authentication on BGP sessions and whether that's better than
using TCP with MD5 in relation to DoS attacks.
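The anti-replay window from the quoted paragraph, worked through as an added example (mine, not code from the thread or from any router implementation): a receive-side sliding window in the style of RFC 4303 Appendix A, with the cheap sequence-number check kept separate from the window update that happens only once the packet's ICV has verified. The window size (64) and the packet sequence are assumed values chosen to show a replay, a stale packet, and a forged packet that never advances the window.

```python
# Added example, not from the thread: an ESP-style anti-replay sliding window
# in the spirit of RFC 4303 Appendix A. Assumptions: 32-bit sequence numbers,
# no extended sequence numbers, window size >= 32. check() is the cheap test
# done before ICV verification; update() runs only after the ICV verifies.

class AntiReplayWindow:
    def __init__(self, size=64):
        self.size = size   # RFC 4303 requires a window of at least 32
        self.last = 0      # highest authenticated sequence number (right edge)
        self.bitmap = 0    # bit i set => sequence number (last - i) was received

    def check(self, seq):  # pre-authentication test: True = worth verifying ICV
        if seq == 0:
            return False               # 0 is never sent on the wire
        if seq > self.last:
            return True                # beyond the right edge; window will slide
        diff = self.last - seq
        if diff >= self.size:
            return False               # too far behind the window
        return not (self.bitmap >> diff) & 1   # already seen => replay

    def update(self, seq):
        """Record seq; call only after the packet's ICV has verified."""
        if seq > self.last:
            shift = seq - self.last
            mask = (1 << self.size) - 1
            self.bitmap = 1 if shift >= self.size else ((self.bitmap << shift) | 1) & mask
            self.last = seq
        else:
            self.bitmap |= 1 << (self.last - seq)

def receive(window, seq, icv_ok):  # window check first, costly ICV check only if it passes
    if not window.check(seq):
        return "dropped:replay-window"
    if not icv_ok:
        return "dropped:bad-icv"       # forged packet; window is not advanced
    window.update(seq)
    return "accepted"

def run(events, size=64):  # events: constructed (seq, icv_ok) pairs -> outcome per packet
    w = AntiReplayWindow(size)
    return [receive(w, seq, ok) for seq, ok in events]

SAMPLE = [(1, True), (2, True), (2, True), (100, True), (36, True),
          (37, True), (37, True), (200, False), (200, True)]

if __name__ == "__main__":
    for (seq, ok), out in zip(SAMPLE, run(SAMPLE)):
        print(f"seq={seq:<4} icv_ok={ok!s:<5} -> {out}")
```

Note that any value above the right edge passes the cheap check; it is the ICV verification that rejects the forgery, which is why the window is advanced only after that step.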