RE: key change for TCP-MD5

["Barry Greene (bgreene)" <bgreene () cisco com>]

Walk through the code with the current MD5 spec. You need to terminate
the TCP session, check the MD5, then do the next checks. That is why
we're doing TTL check for GTSM and other classifying/queuing before the
TCP session termination. In the big equipment that ranges from
specialized ASIC checks, to raw queue classifiers, to ACLs .... All
before the packet gets punted out of the forwarding chip to the Route
Processor. In other equipment you do the check on the Line Card's CPU
after the punt - compartmentizing the impact of an attack. There is even
code in the 'coding queue' to do the check on CPU routers before you
terminate (still get the CPU clock cycle hit for dropping the packet). 

Granted, you need to put this in context of how vendors should be
building security into their devices - layered - with a combination of
classification (i.e. ACLs), queuing (containing the impact), and systems
practices.

So go back to the instigating presentation:

http://www.nanog.org/mtg-0302/gill.html

Also check on one vendor's roadmap:

ftp://ftp-eng.cisco.com/cons/isp/security/BGP-Security/GTSM.pdf

So lets keep focused on the right issue - can you TTL filter before the
TCP session terminates vs worrying over the order of the multitude of
checks which take up processing the TCP packet.

    

> -----Original Message-----
> From: owner-nanog () merit edu [mailto:owner-nanog () merit edu] On 
> Behalf Of Todd Underwood
> Sent: Friday, June 23, 2006 1:43 PM
> To: nanog () merit edu
> Subject: Re: key change for TCP-MD5
>
>
>
>
> On Fri, Jun 23, 2006 at 11:49:33AM -0700, Barry Greene 
> (bgreene) wrote:
> > Yes Jared - our software does the TTL after the MD5, but 
> the hardware 
> > implementations does the check in hardware before the packet gets 
> > punted to the receive path. That is exactly where you need 
> to do the 
> > classification to minimize DOS on a router - as close to the point 
> > where the optical-electrical-airwaves convert to a IP 
> packet as possible.
>
> i'm not that bright, so maybe i'm missing something, but i've 
> heard this claim from cisco people before and never understood it.
>
> just to clarify:  you're saying that doing the (expensive) 
> md5 check before the (almost free) ttl check makes sense because that
> *minimizes* the DOS vectors against a router?  can someone 
> walk me through the logic here using small words?  i am 
> obviously not able to follow this due to my distance from the 
> "optical-electrical-airwaves". 
>
> t.
>
>
> --
> _____________________________________________________________________
> todd underwood                                 +1 603 643 9300 x101
> renesys corporation                            chief of 
> operations & security 
> todd () renesys com                               
> http://www.renesys.com/blog/todd.shtml