To: "Miquel van Smoorenburg" <miquels@cistron.nl>
Cc: linux-kernel@vger.kernel.org
Subject: Re: TCP-RST Vulnerability - Doubt
References: <40DC9B00@webster.usu.edu>
	<20040625150532.1a6d6e60.davem@redhat.com>
	<cbp62t$a38$1@news.cistron.nl>
From: Florian Weimer <fw@deneb.enyo.de>
Date: Mon, 28 Jun 2004 20:34:12 +0200
In-Reply-To: <cbp62t$a38$1@news.cistron.nl> (Miquel van Smoorenburg's
 message of "Mon, 28 Jun 2004 13:22:37 +0000 (UTC)")
Message-ID: <87vfhblefv.fsf@deneb.enyo.de>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 1282
Lines: 27

* Miquel van Smoorenburg:

> MD5 protection on BGP sessions isn't very common yet.

Well, there was quite some technology push recently. 8-)

> MD5 uses CPU, and routers don't usually have much of that. Which
> means that now an MD5 CPU attack is possible instead of a TCP RST
> attack.

Anything that is able to send packets to the CPU which runs the TCP
stack can take down your router.  Core routers with 200 MHz MIPS CPUs
are still common.  It really doesn't matter much if you have to do a
MD5 check or not, the CPU will be easy to overload.  However, the TCP
MD5 option is a nice thing to have because you can enable it and avoid
discussions (just like you do it with antivirus software 8-/).

Part of the beauty of the TTL hack is that it actually works in
linecard CPUs or ASICs on some routing architectures, which takes the
load off the main CPU.  For Linux, you can also drop the packets
before they hit the route cache, which might be become more important
in the future when the route cache is no longer used for forwarding.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/