Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: key change for TCP-MD5

  • From: Todd Underwood
  • Date: Fri Jun 23 16:44:33 2006



On Fri, Jun 23, 2006 at 11:49:33AM -0700, Barry Greene (bgreene) wrote:
>
> Yes Jared - our software does the TTL after the MD5, but the hardware
> implementations does the check in hardware before the packet gets punted
> to the receive path. That is exactly where you need to do the
> classification to minimize DOS on a router - as close to the point where
> the optical-electrical-airwaves convert to a IP packet as possible.

i'm not that bright, so maybe i'm missing something, but i've heard
this claim from cisco people before and never understood it.

just to clarify:  you're saying that doing the (expensive) md5 check
before the (almost free) ttl check makes sense because that
*minimizes* the DOS vectors against a router?  can someone walk me
through the logic here using small words?  i am obviously not able to
follow this due to my distance from the
"optical-electrical-airwaves". 

t.


-- 
_____________________________________________________________________
todd underwood                                 +1 603 643 9300 x101
renesys corporation                            chief of operations & security 
todd@renesys.com                               http://www.renesys.com/blog/todd.shtml




Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.