[91040] in North American Network Operators' Group
Re: key change for TCP-MD5
daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Mon Jun 26 20:43:24 2006
Date: Mon, 26 Jun 2006 20:42:52 -0400
From: "Steven M. Bellovin" <smb@cs.columbia.edu>
To: Ross Callon <rcallon@juniper.net>
Cc: bora@broadcom.com, nanog@merit.edu
In-Reply-To: <5.0.0.25.2.20060620165623.030369e0@zircon.juniper.net>
Errors-To: owner-nanog@merit.edu
On Tue, 20 Jun 2006 17:06:27 -0400, Ross Callon <rcallon@juniper.net>
wrote:
>
> At 12:12 PM 6/20/2006 -0700, Bora Akyol wrote:
>
> >The draft allows you to have a set of keys in your keychain and
> >the implementation tries all of them before declaring the segment
> >as invalid.
>
> DoS against routers is of course a major concern. Using
> encryption has the potential of making DoS worse, in the
> sense that the amount of processing that a bogus packet
> can cause is increased by the amount of processing
> needed to check the authentication. If the router needs to
> check multiple keys in the keychain before declaring the
> segment as invalid, then this multiplies the effect of the
> DOS by the number of keys that need to be checked.
>
You're quite right, and the next version of the draft contains the
following additional text in the Security Considerations:
Having multiple keys makes CPU denial of service
attacks easier. This suggests that keeping the
overlap period reasonably
short is a good idea. In
addition, the Generalized TTL Security Mechanism
<xref target="RFC3682" />, if applicable to
the local topology, can help.
Note that there would almost never be more than
two keys in existence at any one time in any event.
--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
