Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

RE: key change for TCP-MD5

  • From: Barry Greene (bgreene)
  • Date: Sat Jun 24 05:53:35 2006
  • Authentication-results: sj-dkim-3.cisco.com; header.From=bgreene@cisco.com; dkim=pass (sig from cisco.com verified; );
  • Dkim-signature: a=rsa-sha1; q=dns; l=1440; t=1151142718; x=1152006718;c=relaxed/simple; s=sjdkim3001; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version;d=cisco.com; i=bgreene@cisco.com; z=From:=22Barry=20Greene=20\(bgreene\)=22=20<bgreene@cisco.com>|Subject:RE=3A=20key=20change=20for=20TCP-MD5;X=v=3Dcisco.com=3B=20h=3Drw9sj7sVfmM2t65cWYy3EoOQFf8=3D; b=I5tg/ot+l70pz2aK8qxFiuxUy9AkmypYrm+uRhY2xE6MiaiDWZzPDUc7/srSezS0SLudaDeaE5QLgUjpQzoLbg/csRq6Ilz4iWEW7HH5MjVjDyJuE0/EVZj37WK1AS5N;


This "RFC1918 for control plane/management plane" technique is
vulnerable to a TCP reflection attack. The miscreants know about it. So
the assumption that the chance of a RFC 1918 packet reaching your router
being "zero" is not something an you should assume.

> -----Original Message-----
> From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On 
> Behalf Of Iljitsch van Beijnum
> Sent: Friday, June 23, 2006 4:18 PM
> To: Owen DeLong
> Cc: NANOG list
> Subject: Re: key change for TCP-MD5
> 
> 
> On 24-jun-2006, at 0:43, Owen DeLong wrote:
> 
> > Why couldn't the network device do an AH check in hardware before 
> > passing the packet to the receive path?  If you can get to a point 
> > where all connections or traffic TO the router should be AH, then, 
> > that will help with DOS.
> 
> If you care that much, why don't you just add an extra 
> loopback address, give it an RFC 1918 address, have your peer 
> talk BGP towards that address and filter all packets towards 
> the actual interface address of the router?
> 
> The chance of an attacker sending an RFC 1918 packet that 
> ends up at your router is close to zero and even though the 
> interface address still shows up in traceroutes etc it is 
> bullet proof because of the filters.
> 
> (This works even better with IPv6 link local addresses, those 
> are guaranteed to be unroutable.)
> 




Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.