nanog mailing list archives
RE: key change for TCP-MD5
From: "Barry Greene (bgreene)" <bgreene () cisco com>
Date: Sat, 24 Jun 2006 02:50:49 -0700
Walk through the code with the current MD5 spec. You need to terminate the TCP session, check the MD5, then do the next checks. That is why we're doing the TTL check for GTSM and other classifying/queuing before the TCP session termination.

In the big equipment that ranges from specialized ASIC checks, to raw queue classifiers, to ACLs .... All before the packet gets punted out of the forwarding chip to the Route Processor. In other equipment you do the check on the Line Card's CPU after the punt - compartmentalizing the impact of an attack. There is even code in the 'coding queue' to do the check on CPU routers before you terminate (still get the CPU clock cycle hit for dropping the packet).

Granted, you need to put this in the context of how vendors should be building security into their devices - layered - with a combination of classification (i.e. ACLs), queuing (containing the impact), and systems practices.

So go back to the instigating presentation:

http://www.nanog.org/mtg-0302/gill.html

Also check on one vendor's roadmap:

ftp://ftp-eng.cisco.com/cons/isp/security/BGP-Security/GTSM.pdf

So let's keep focused on the right issue - can you TTL filter before the TCP session terminates, vs. worrying over the order of the multitude of checks which take up processing the TCP packet.
-----Original Message-----
From: owner-nanog () merit edu On Behalf Of Todd Underwood
Sent: Friday, June 23, 2006 1:43 PM
To: nanog () merit edu
Subject: Re: key change for TCP-MD5

On Fri, Jun 23, 2006 at 11:49:33AM -0700, Barry Greene (bgreene) wrote:

> Yes Jared - our software does the TTL after the MD5, but the hardware
> implementations do the check in hardware before the packet gets punted
> to the receive path. That is exactly where you need to do the
> classification to minimize DOS on a router - as close to the point
> where the optical-electrical-airwaves convert to an IP packet as
> possible.

i'm not that bright, so maybe i'm missing something, but i've heard this claim from cisco people before and never understood it.

just to clarify: you're saying that doing the (expensive) md5 check before the (almost free) ttl check makes sense because that *minimizes* the DOS vectors against a router?

can someone walk me through the logic here using small words? i am obviously not able to follow this due to my distance from the "optical-electrical-airwaves".

t.

--
_____________________________________________________________________
todd underwood +1 603 643 9300 x101
renesys corporation chief of operations & security
todd () renesys com
http://www.renesys.com/blog/todd.shtml
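The ordering question in this exchange (TTL/GTSM check before or after the TCP-MD5 check) can be made concrete with a small receive-path model. The following is an added example, not code from the thread, from Cisco, or from any router implementation: it computes an RFC 2385-style TCP MD5 signature over a simplified segment (assumption: data offset 5, no options included in the hashed header, fixed window), then runs the same constructed traffic through two check orders and counts how many MD5 digests each order had to compute. The addresses, key, flood size and the BGP KEEPALIVE payload are constructed for the demo.

```python
import hashlib
import hmac
import socket
import struct
from dataclasses import dataclass


@dataclass
class Segment:
    """A TCP segment as seen on the receive path (constructed, IPv4 only)."""
    src: str
    dst: str
    ttl: int          # IP TTL on arrival; GTSM expects 255 from a directly connected peer
    sport: int
    dport: int
    seq: int
    ack: int
    flags: int
    payload: bytes
    sig: bytes = b""  # 16-byte value carried in the TCP MD5 signature option


def tcp_md5_digest(seg: Segment, key: bytes) -> bytes:
    """Simplified RFC 2385 digest: pseudo-header + TCP header (checksum 0, no options) + data + key.

    Assumption: the hashed header uses data offset 5 and a fixed window, which is
    enough to show the cost ordering; a real stack hashes the header as received.
    """
    tcp_len = 20 + len(seg.payload)
    pseudo = (socket.inet_aton(seg.src) + socket.inet_aton(seg.dst)
              + struct.pack("!BBH", 0, 6, tcp_len))
    hdr = struct.pack("!HHIIBBHHH", seg.sport, seg.dport, seg.seq, seg.ack,
                      5 << 4, seg.flags, 65535, 0, 0)
    return hashlib.md5(pseudo + hdr + seg.payload + key).digest()


@dataclass
class Stats:
    md5_computed: int = 0   # how many times the expensive check ran
    dropped_ttl: int = 0
    dropped_md5: int = 0
    accepted: int = 0


def md5_then_ttl(seg: Segment, key: bytes, st: Stats) -> bool:
    """Software order described in the thread: verify MD5 first, GTSM TTL afterwards."""
    st.md5_computed += 1
    if not hmac.compare_digest(tcp_md5_digest(seg, key), seg.sig):
        st.dropped_md5 += 1
        return False
    if seg.ttl != 255:
        st.dropped_ttl += 1
        return False
    st.accepted += 1
    return True


def ttl_then_md5(seg: Segment, key: bytes, st: Stats) -> bool:
    """Hardware/classifier order: GTSM TTL check before punt, MD5 only for what survives."""
    if seg.ttl != 255:
        st.dropped_ttl += 1       # dropped in the forwarding path, never punted
        return False
    st.md5_computed += 1
    if not hmac.compare_digest(tcp_md5_digest(seg, key), seg.sig):
        st.dropped_md5 += 1
        return False
    st.accepted += 1
    return True


def build_sample(key: bytes, flood: int):
    """Constructed traffic: one real peer, one on-link spoof, and an off-link flood."""
    keepalive = b"\xff" * 16 + b"\x00\x13\x04"        # BGP KEEPALIVE: marker, length 19, type 4
    peer = Segment("192.0.2.1", "192.0.2.2", 255, 179, 49152, 1000, 2000, 0x18, keepalive)
    peer.sig = tcp_md5_digest(peer, key)               # only the peer knows the key
    # Attacker on the same link can deliver TTL 255 but cannot forge the signature.
    onlink = Segment("192.0.2.9", "192.0.2.2", 255, 179, 49152, 7, 0, 0x04, b"", b"\x00" * 16)
    # Off-link attacker: TTL has been decremented by transit routers, signature is junk.
    offlink = [Segment("198.51.100.7", "192.0.2.2", 251, 179, 49152, i, 0, 0x04, b"", b"\x00" * 16)
               for i in range(flood)]
    return [peer, onlink] + offlink


def run(key: bytes = b"nanog-demo-key", flood: int = 1000):
    """Push the same traffic through both orders and return (software_stats, hardware_stats)."""
    sw, hw = Stats(), Stats()
    for seg in build_sample(key, flood):
        md5_then_ttl(seg, key, sw)
        ttl_then_md5(seg, key, hw)
    return sw, hw


if __name__ == "__main__":
    software, hardware = run()
    print("MD5 first, TTL second:", software)
    print("TTL first, MD5 second:", hardware)
```

The TTL-first order leaves the MD5 work (and the punt to the route processor) for the one on-link spoof and the genuine peer; the MD5-first order pays that cost for every flood packet. The on-link spoof also shows why the GTSM check does not replace the signature: it only filters what cannot arrive with TTL 255.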
Current thread:
- Re: key change for TCP-MD5, (continued)
- Re: key change for TCP-MD5 Richard A Steenbergen (Jun 23)
- RE: key change for TCP-MD5 Owen DeLong (Jun 23)
- Re: key change for TCP-MD5 Iljitsch van Beijnum (Jun 23)
- Re: key change for TCP-MD5 Patrick W. Gilmore (Jun 23)
- Re: key change for TCP-MD5 Iljitsch van Beijnum (Jun 24)
- Re: key change for TCP-MD5 Valdis . Kletnieks (Jun 23)
- Re: key change for TCP-MD5 Roland Dobbins (Jun 23)
- Re: key change for TCP-MD5 Richard A Steenbergen (Jun 24)