From: Daniel Roesen <dr@cluenet.de>
To: linux-kernel@vger.kernel.org
Subject: Re: TCP-RST Vulnerability - Doubt
Date: Tue, 29 Jun 2004 04:34:11 +0200
Message-ID: <20040629043411.A5054@homebase.cluenet.de>
In-Reply-To: <cbp62t$a38$1@news.cistron.nl>; from miquels@cistron.nl on Mon, Jun 28, 2004 at 01:22:37PM +0000
On Mon, Jun 28, 2004 at 01:22:37PM +0000, Miquel van Smoorenburg wrote:

> MD5 protection on BGP sessions isn't very common yet. MD5 uses CPU,
> and routers don't usually have much of that. Which means that now an
> MD5 CPU attack is possible instead of a TCP RST attack.

Not if the MD5 option is properly implemented - i.e. MD5 hash checking
is done AFTER the packet is considered valid in terms of "fitting"
sequence number.

> The "TTL hack" solution is safer. Make sure sender uses a TTL
> of 255, on the receiver discard all packets with a TTL < 255.

It's a hack, not a solution. A solution works always, not just in
some special cases (and given Cisco's implementation, even there
is a window which is "too wide open").

As this thread is fairly off-topic on lkml, I suggest moving it to
somewhere else... But then again, in the appropriate places, these
discussions have already taken place. :-)

Regards,
Daniel
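The receive-side ordering the message argues for (TTL check, then sequence-number window check, and only then the RFC 2385 MD5 signature), as an added illustration that is not part of the thread and not the kernel's code. It is a simplified model in Python: the digest covers only a few header fields rather than the whole TCP header, and the segment, connection and key values are constructed for the demo.

```python
import hashlib, hmac, socket, struct
from dataclasses import dataclass
from typing import Optional, Tuple
@dataclass
class Segment:
    src: str; dst: str; ttl: int; seq: int; flags: int
    payload: bytes = b""; md5: Optional[bytes] = None

@dataclass
class Conn:
    key: bytes           # shared TCP MD5 secret (RFC 2385)
    rcv_nxt: int         # next expected sequence number
    rcv_wnd: int         # receive window
    gtsm: bool = True    # peer is one hop away: require TTL 255 (the "TTL hack")
    md5_calls: int = 0   # instrumentation: how many digests were actually computed
def rfc2385_digest(seg: Segment, key: bytes) -> bytes:
    # Simplified RFC 2385 signature (the real one covers the full TCP header): MD5 over pseudo-header, a few header fields, data, key
    pseudo = socket.inet_aton(seg.src) + socket.inet_aton(seg.dst) \
             + struct.pack("!BBH", 0, 6, 20 + len(seg.payload))
    hdr = struct.pack("!IB", seg.seq, seg.flags)
    return hashlib.md5(pseudo + hdr + seg.payload + key).digest()

def in_window(conn: Conn, seq: int) -> bool:
    # RFC 793 acceptability test: seq in [rcv_nxt, rcv_nxt + rcv_wnd), modulo 2^32
    return (seq - conn.rcv_nxt) % (1 << 32) < conn.rcv_wnd

def accept(conn: Conn, seg: Segment) -> Tuple[bool, str]:
    """Cheap checks first; the MD5 digest is computed only for in-window segments."""
    if conn.gtsm and seg.ttl < 255:
        return False, "ttl"
    if not in_window(conn, seg.seq):
        return False, "seq"
    conn.md5_calls += 1
    if seg.md5 is None or not hmac.compare_digest(seg.md5, rfc2385_digest(seg, conn.key)):
        return False, "md5"
    return True, "ok"

def demo():
    # Constructed sample: one session, the peer's signed KEEPALIVE and three bogus RSTs
    conn = Conn(key=b"s3cret", rcv_nxt=1000, rcv_wnd=65535)
    legit = Segment("10.0.0.1", "10.0.0.2", 255, 1000, 0x10, b"KEEPALIVE")
    legit.md5 = rfc2385_digest(legit, conn.key)
    bogus = [
        Segment("10.0.0.1", "10.0.0.2", 64, 1000, 0x04),                  # arrived from >1 hop away
        Segment("10.0.0.1", "10.0.0.2", 255, 5_000_000, 0x04),            # TTL fine, seq out of window
        Segment("10.0.0.1", "10.0.0.2", 255, 1500, 0x04, b"", b"\0" * 16),  # in window, wrong signature
    ]
    results = [accept(conn, s)[1] for s in bogus + [legit]]
    return results, conn.md5_calls   # (["ttl", "seq", "md5", "ok"], 2)
```

Only the two in-window segments cost an MD5 computation; the others are dropped before any hashing, which is the point of doing the signature check last.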