Re: TCP/BGP vulnerability - easier than you think

[Paul Jakma <paul () clubi ie>]

On Wed, 21 Apr 2004, Iljitsch van Beijnum wrote:

> On 21-apr-04, at 21:17, Paul Jakma wrote:
>
> > > I'm not recommending this for "small" peers as the crypto DoS risk
> > > is worse than what happens when the attack is executed
> > > successfully.
>
> > Why would MD5 be more of a crypto DoS risk with IPSec AH headers than
> > with bgp tcp-md5?
>
> Beats me. But why do you bring up IPsec?

The paragraph is quoted is your advice against using IPSec, I dont 
see why an MD5 auth header IPSec protected sessions would have more 
risk of crypto DoS than compared to the simple BGP TCP MD5 hack. The 
risk is due to MD5, not IPSec :).
 
> Anyway, what needs to happen is a form of crypto where the
> expensive algorithms are only executed for good packets and not for
> all packets.

So configure ipsec to authenticate packets between the peers allowing 
only md5 or somesuch. I dont know about other IOS, but other 
implementations do allow one to specify security associations on a 
per port basis.
 
regards,
-- 
Paul Jakma      paul () clubi ie        paul () jakma org       Key ID: 64A2FF6A
        warning: do not ever send email to spam () dishone st
Fortune:
It's interesting to think that many quite distinguished people have
bodies similar to yours.