nanog mailing list archives

Re: TCP/BGP vulnerability - easier than you think


From: Crist Clark <crist.clark () globalstar com>
Date: Thu, 22 Apr 2004 10:01:17 -0700


David Luyer wrote:
[snip]

> With ipsec, you have crypto overhead before you have any opportunity
> to do the basic sanity check.

Minor point, but with IPsec, the 32-bit SPI and the 32-bit replay counter
are very low cost ways to drop the majority of traffic from a flood of
random junk with no crypto calculations. You actually have more bits
with AH or ESP than with TCP. The 32-bit SPI must be an exact match
like the two 16-bit port fields, and you have 32 bits of sequence number
in both, but the TCP window is much larger than the IPsec window (usually
6-bit by default) leaving you more bits to check.
--
Crist J. Clark                               crist.clark () globalstar com
Globalstar Communications                                (408) 933-4387
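The cheap pre-crypto check described above (exact SPI match first, then the anti-replay window, with the MAC computed only for what survives), as an added example that is not part of the original post. The SPI, sequence numbers and 64-packet window are constructed assumptions; the window logic follows the sliding-bitmap scheme of the IPsec RFCs, so a packet whose sequence number lies beyond the right edge of the window still has to be passed to MAC verification.

```python
from dataclasses import dataclass

@dataclass
class InboundSA:
    """State of one inbound ESP/AH Security Association (constructed example)."""
    spi: int            # 32-bit Security Parameter Index; must match exactly
    window: int = 64    # anti-replay window in packets (64 = 2**6, the usual default)
    right: int = 0      # highest sequence number verified so far
    bitmap: int = 0     # bit i set  ==>  sequence (right - i) already received

    def precheck(self, spi: int, seq: int) -> bool:
        """Cheap pre-crypto sanity check: True only if the packet deserves
        MAC verification. Every False here costs no cryptographic work."""
        if spi != self.spi:
            return False                     # SPI mismatch: 32 bits of exact match
        if seq > self.right:
            return True                      # new, right of the window: must verify
        if self.right - seq >= self.window:
            return False                     # too old: fell off the left edge
        return not (self.bitmap >> (self.right - seq)) & 1   # already seen = replay

    def accept(self, seq: int) -> None:
        """Advance the window; call only after the MAC actually verified."""
        if seq > self.right:
            shift = seq - self.right
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window) - 1)
            self.right = seq
        else:
            self.bitmap |= 1 << (self.right - seq)

def triage(sa: InboundSA, packets):
    """Feed (spi, seq) pairs through the pre-check; return (to_crypto, dropped)."""
    to_crypto = dropped = 0
    for spi, seq in packets:
        if sa.precheck(spi, seq):
            to_crypto += 1
            sa.accept(seq)                   # assume the MAC verified, for the demo
        else:
            dropped += 1
    return to_crypto, dropped

def demo():
    """Constructed traffic: 5 legitimate packets, a 100-packet flood carrying a
    wrong SPI, one replayed packet, then a legitimate packet after a gap."""
    sa = InboundSA(spi=0x1A2B3C4D)           # constructed SPI value
    flood = [(0x00000001, s) for s in range(1, 101)]
    packets = [(sa.spi, s) for s in range(1, 6)] + flood + [(sa.spi, 3), (sa.spi, 7)]
    return triage(sa, packets)               # -> (6, 101)

if __name__ == "__main__":
    print(demo())
```

Of the 107 constructed packets only 6 reach the MAC step; the 100 wrong-SPI packets and the replay are rejected by integer comparisons alone.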

