nanog mailing list archives
Re: TCP/BGP vulnerability - easier than you think
From: Paul Jakma <paul () clubi ie>
Date: Wed, 21 Apr 2004 21:00:55 +0100 (IST)
On Wed, 21 Apr 2004, Iljitsch van Beijnum wrote:

> On 21-apr-04, at 21:17, Paul Jakma wrote:
>>> I'm not recommending this for "small" peers as the crypto DoS risk is worse than what happens when the attack is executed successfully.
>> Why would MD5 be more of a crypto DoS risk with IPSec AH headers than with bgp tcp-md5?
> Beats me. But why do you bring up IPsec?
The paragraph quoted is your advice against using IPSec; I don't see why an MD5 auth header IPSec protected session would have more risk of crypto DoS compared to the simple BGP TCP MD5 hack. The risk is due to MD5, not IPSec :).
Anyway, what needs to happen is a form of crypto where the expensive algorithms are only executed for good packets and not for all packets.
So configure ipsec to authenticate packets between the peers allowing only md5 or somesuch. I don't know about other IOS, but other implementations do allow one to specify security associations on a per port basis.

regards,
--
Paul Jakma  paul () clubi ie  paul () jakma org  Key ID: 64A2FF6A
warning: do not ever send email to spam () dishone st
Fortune:
It's interesting to think that many quite distinguished people have bodies similar to yours.
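As an added illustration of the "run the expensive algorithm only for good packets" point made in this message (example code written for this archive page, not from the thread or any router implementation): a toy receiver for a TCP-MD5 style session that can run the plain TCP sequence-window test before the keyed-MD5 check, and counts how often the hash actually runs. The key, addresses, window values and digest field set are constructed assumptions; the digest is a reduced version of the RFC 2385 construction, not the real one.

```python
import hashlib
import struct

KEY = b"constructed-shared-secret"  # assumed shared secret, not a real key


def tcp_md5_digest(key: bytes, src: bytes, dst: bytes, seq: int, payload: bytes) -> bytes:
    """Keyed MD5 in the spirit of RFC 2385 (key appended after the data).
    RFC 2385 hashes the IP pseudo-header, the TCP header without options, the data
    and the key; this reduced field set is an assumption made for brevity."""
    hdr = src + dst + struct.pack("!I", seq)
    return hashlib.md5(hdr + payload + key).digest()


def in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """Cheap TCP acceptability test: seq must fall in [rcv_nxt, rcv_nxt + rcv_wnd) mod 2^32."""
    return (seq - rcv_nxt) % (1 << 32) < rcv_wnd


class Receiver:
    def __init__(self, rcv_nxt: int, rcv_wnd: int, prefilter: bool):
        self.rcv_nxt, self.rcv_wnd, self.prefilter = rcv_nxt, rcv_wnd, prefilter
        self.md5_calls = 0  # number of times the expensive step ran
        self.accepted = 0

    def receive(self, src, dst, seq, payload, digest) -> bool:
        # Cheap check first: an out-of-window segment is dropped before any hashing.
        # Note this only helps against out-of-window junk; in-window segments still
        # cost one MD5 each, so window size bounds (not removes) the exposure.
        if self.prefilter and not in_window(seq, self.rcv_nxt, self.rcv_wnd):
            return False
        self.md5_calls += 1
        ok = digest == tcp_md5_digest(KEY, src, dst, seq, payload)
        if ok:
            self.accepted += 1
        return ok


def simulate(prefilter: bool, n_bogus: int = 1000):
    """One genuine segment plus n_bogus unauthenticated, out-of-window ones (constructed)."""
    src, dst = bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])  # TEST-NET-1 addresses
    r = Receiver(rcv_nxt=1000, rcv_wnd=65535, prefilter=prefilter)
    good = (src, dst, 1000, b"KEEPALIVE")
    r.receive(*good, tcp_md5_digest(KEY, *good))
    for i in range(n_bogus):
        # bogus segments carry a zero digest and a sequence number far outside the window
        r.receive(src, dst, 0x80000000 + i, b"junk", b"\x00" * 16)
    return r.md5_calls, r.accepted
```

`simulate(False)` hashes every one of the 1001 segments while `simulate(True)` hashes only the genuine one; both accept exactly one segment, which is the asymmetry the message is asking the crypto layer to exploit.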