Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

RE: key change for TCP-MD5

  • From: Barry Greene (bgreene)
  • Date: Fri Jun 23 14:50:47 2006
  • Authentication-results: sj-dkim-4.cisco.com; header.From=bgreene@cisco.com; dkim=pass (sig from cisco.com verified; );
  • Dkim-signature: a=rsa-sha1; q=dns; l=1626; t=1151088574; x=1151952574;c=relaxed/simple; s=sjdkim4001; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version;d=cisco.com; i=bgreene@cisco.com; z=From:=22Barry=20Greene=20\(bgreene\)=22=20<bgreene@cisco.com>|Subject:RE=3A=20key=20change=20for=20TCP-MD5;X=v=3Dcisco.com=3B=20h=3Drw9sj7sVfmM2t65cWYy3EoOQFf8=3D; b=dZTTacvyoY0KA4wvQEOH3WgZFDOqrwD9d3PKKTrzdEXrq6Df1R4pBNLpr2q8ze07PSuMERVA5VGGellAfB21OAjPvIYSvPgG9uLN9sCMD1k2ewHKZ1I5ek6KFLmU6jeq;

 

> If DOS is such a large concern, IPSEC to an extent can be 
> used to mitigate against it. And IKEv1/v2 with IPSEC is not 
> the horribly inefficient mechanism it is made out to be. In 
> practice, it is quite easy to use.

IPSEC does nothing to protect a network device from a DOS attack. You
know that.

DOS prevention on a network device needs to happen before the TCP/Packet
termination - not the Key/MD5/IPSEC stage. The signing or encrypting of
the BGP message protects against Man in the Middle and replay attacks -
not DOS attacks. Once a bad packet gets terminated, your DOS stress on
the router kicks in (especially on ASIC/NP routers). The few extra CPU
cycles it takes for walking through keys or IPSEC decrypt are irrelevant
to the router's POV. You SOL if a miscreant can get a packet through
your classification & queuing protections on the router and have it
terminated. 

The key to DOS mitigation on a network device is to have many fields in
the packet to classify as possible before the TCP/Packet termination.
The more you have to classify on, the more granular you can construct
your policy. This is one of the reasons for GTSM - which adds one more
field (the IP packet's TTL) to the classification options. 

Yes Jared - our software does the TTL after the MD5, but the hardware
implementations does the check in hardware before the packet gets punted
to the receive path. That is exactly where you need to do the
classification to minimize DOS on a router - as close to the point where
the optical-electrical-airwaves convert to a IP packet as possible.




Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.