Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Re: key change for TCP-MD5

  • From: Jared Mauch
  • Date: Wed Jun 21 09:05:27 2006

On Tue, Jun 20, 2006 at 05:18:20PM -0700, Randy Bush wrote:
> 
> >> The added cost for CPU-bound systems is that they have to try
> >> (potentially) multiple keys before getting the **right** key
> >> but in real life this can be easily mitigated by having a rating
> >> system on the key based on the frequency of success.
> > 
> > This mitigates the effect of authenticating valid packets. However,
> > this does not appear to help at all in terms of minimizing the DOS
> > effect of an intentional DoS attack that uses authenticated packets
> > (with the processing time required to check the keys the intended
> > damage of the attack).
> 
> gstm

	this doesn't help if the vendor can't implement it
correctly and does the md5 calc before checking the ttl :(

	- jared

-- 
Jared Mauch  | pgp key available via finger from jared@puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
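
Added example, not part of the original message or of any vendor's code: a small simulation of the two points in this thread, trying keys in order of past success and doing the TTL check before the MD5 calculation. The `Peer` class, the key values, the traffic mix and the simplified digest input are assumptions made for illustration; the minimum TTL of 255 assumes a directly connected peer.

```python
import hashlib
import hmac

GTSM_MIN_TTL = 255  # assumption: directly connected peer sending TTL 255


def digest(segment: bytes, key: bytes) -> bytes:
    # Simplified stand-in for the TCP-MD5 digest: the real input is the
    # pseudo-header, TCP header, payload and then the key.
    return hashlib.md5(segment + key).digest()


class Peer:
    def __init__(self, keys):
        self.hits = {k: 0 for k in keys}  # per-key success count (the "rating")
        self.md5_calls = 0                # hashing cost, counted for the demo

    def accept(self, ttl, segment, mac, ttl_first):
        if ttl_first and ttl < GTSM_MIN_TTL:
            return False                  # dropped before any hashing
        # Try the keys that succeeded most often first.
        for key in sorted(self.hits, key=self.hits.get, reverse=True):
            self.md5_calls += 1
            if hmac.compare_digest(digest(segment, key), mac):
                self.hits[key] += 1
                return ttl >= GTSM_MIN_TTL  # late TTL check: hash already paid
        return False


def simulate(ttl_first):
    """Return (accepted, md5_calls) for a constructed traffic mix."""
    old, new = b"old-key", b"new-key"     # constructed keys, mid-rollover
    peer = Peer([old, new])
    traffic = []
    for i in range(100):                  # valid segments signed with new key
        seg = b"valid-%d" % i
        traffic.append((255, seg, digest(seg, new)))
    for i in range(1000):                 # off-path junk: low TTL, bogus MAC
        traffic.append((200, b"junk-%d" % i, b"\x00" * 16))
    accepted = sum(peer.accept(t, s, m, ttl_first) for t, s, m in traffic)
    return accepted, peer.md5_calls


if __name__ == "__main__":
    print("TTL first:", simulate(True))   # (100, 101)
    print("MD5 first:", simulate(False))  # (100, 2101)
```

Both orderings accept the same 100 segments; the key rating keeps the valid traffic at about one hash per segment, while only the TTL-first ordering keeps the low-TTL junk from costing two hashes each.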



