Re: key change for TCP-MD5
- From: Patrick W. Gilmore
- Date: Fri Jun 23 19:35:46 2006
On Jun 23, 2006, at 7:17 PM, Iljitsch van Beijnum wrote:

> Why is this better than using the TTL hack? Which is easier to
> configure, and at least as secure.
>
> On 24-jun-2006, at 0:43, Owen DeLong wrote:
>
>> Why couldn't the network device do an AH check in hardware before
>> packet to the receive path? If you can get to a point where all
>> or traffic TO the router should be AH, then, that will help with DOS.
>
> If you care that much, why don't you just add an extra loopback
> address, give it an RFC 1918 address, have your peer talk BGP
> towards that address and filter all packets towards the actual
> interface address of the router?
>
> The chance of an attacker sending an RFC 1918 packet that ends up
> at your router is close to zero and even though the interface
> address still shows up in traceroutes etc it is bullet proof
> because of the filters.
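The two receive-path protections argued over in the quoted messages, the "TTL hack" (GTSM, RFC 5082) and a BGP session bound to an RFC 1918 loopback with the interface address filtered, as an added example that is not part of the thread or any vendor's code. It models a router's accept/drop decision for BGP packets over constructed packets; the addresses, hop counts and the rule that transit traffic to RFC 1918 destinations is simply dropped are assumptions made for the demonstration, not configuration from the posts.

```python
"""
Added example, not from the NANOG thread: a small model of two receive-path
protections for a BGP session, GTSM (RFC 5082, the "TTL hack") and a session
bound to an RFC 1918 loopback with BGP to the interface address filtered.
All addresses, hop counts and packets below are constructed.
"""
from dataclasses import dataclass
import ipaddress

BGP_PORT = 179
TTL_MAX = 255
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    ttl: int       # TTL as seen when the packet reaches the router's receive path
    ingress: str   # "peer-link" (directly attached peer) or "transit" (assumption)


def after_hops(pkt: Packet, hops: int) -> Packet:
    """Model `hops` intermediate routers, each decrementing the TTL by one."""
    return Packet(pkt.src, pkt.dst, pkt.dport, pkt.ttl - hops, pkt.ingress)


def gtsm_accepts(pkt: Packet, expected_hops: int = 1) -> bool:
    """RFC 5082 receive check: the peer transmits with TTL 255, so a packet
    that crossed more than expected_hops - 1 routers cannot carry a valid TTL.
    A distant sender can also start at 255 but cannot stop the decrementing,
    which is why this check can sit in front of the TCP-MD5/AH work."""
    return pkt.ttl >= TTL_MAX - (expected_hops - 1)


def is_rfc1918(addr: str) -> bool:
    a = ipaddress.ip_address(addr)
    return any(a in net for net in RFC1918)


def loopback_policy_accepts(pkt: Packet, bgp_loopback: str,
                            interface_addrs: set, peers: set) -> bool:
    """Receive-path filter for the loopback approach:
      - BGP addressed to a physical interface address is dropped;
      - BGP is accepted only toward the loopback and only from a known peer;
      - RFC 1918 destinations arriving from transit are dropped (modelling
        the 'close to zero' chance in the quoted mail as a hard rule)."""
    if pkt.dport != BGP_PORT:
        return True                      # non-BGP traffic: other rules apply
    if pkt.dst in interface_addrs:
        return False
    if pkt.ingress == "transit" and is_rfc1918(pkt.dst):
        return False
    return pkt.dst == bgp_loopback and pkt.src in peers


# Constructed addresses: link addresses from TEST-NET-1, loopbacks from 10/8.
MY_IF, PEER_IF = "192.0.2.1", "192.0.2.2"
MY_LO, PEER_LO = "10.255.0.1", "10.255.0.2"


def run_scenarios() -> dict:
    """Evaluate both protections against a legitimate peer and a spoofing sender."""
    peer_direct = Packet(PEER_IF, MY_IF, BGP_PORT, TTL_MAX, "peer-link")
    spoof_far = after_hops(Packet(PEER_IF, MY_IF, BGP_PORT, TTL_MAX, "transit"), hops=5)
    lo_peer = Packet(PEER_LO, MY_LO, BGP_PORT, TTL_MAX, "peer-link")
    lo_to_if = Packet(PEER_LO, MY_IF, BGP_PORT, TTL_MAX, "transit")
    lo_spoof = Packet(PEER_LO, MY_LO, BGP_PORT, TTL_MAX, "transit")
    lo_args = (MY_LO, {MY_IF}, {PEER_LO})
    return {
        "gtsm: directly attached peer": gtsm_accepts(peer_direct),
        "gtsm: spoofed peer source, 5 routers away": gtsm_accepts(spoof_far),
        "loopback: peer to loopback": loopback_policy_accepts(lo_peer, *lo_args),
        "loopback: transit sender to interface address": loopback_policy_accepts(lo_to_if, *lo_args),
        "loopback: transit sender spoofing peer loopback": loopback_policy_accepts(lo_spoof, *lo_args),
    }


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{'ACCEPT' if accepted else 'DROP  '}  {name}")
```

The GTSM check drops the distant spoofed packet before any MD5 or AH verification runs, which is the cheap-early-rejection property the quoted exchange is about; the loopback policy reaches the same outcome by never exposing the BGP listener on an address a transit sender can reach.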