Date: Tue, 29 Jun 2004 04:34:11 +0200
From: Daniel Roesen <dr@cluenet.de>
To: linux-kernel@vger.kernel.org
Subject: Re: TCP-RST Vulnerability - Doubt
Message-ID: <20040629043411.A5054@homebase.cluenet.de>
Mail-Followup-To: linux-kernel@vger.kernel.org
References: <40DC9B00@webster.usu.edu> <20040625150532.1a6d6e60.davem@redhat.com> <cbp62t$a38$1@news.cistron.nl>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
In-Reply-To: <cbp62t$a38$1@news.cistron.nl>; from miquels@cistron.nl on Mon, Jun 28, 2004 at 01:22:37PM +0000
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 1166
Lines: 28

On Mon, Jun 28, 2004 at 01:22:37PM +0000, Miquel van Smoorenburg wrote:
> MD5 protection on BGP sessions isn't very common yet. MD5 uses CPU,
> and routers don't usually have much of that. Which means that now an
> MD5 CPU attack is possible instead of a TCP RST attack.

Not if the MD5 option is properly implemented - i.e. MD5 hash checking
is done AFTER the packet is considered valid in terms of "fitting"
sequence number.

> The "TTL hack" solution is safer. Make sure sender uses a TTL
> of 255, on the receiver discard all packets with a TTL < 255.

It's a hack, not a solution. A solution works always, not just in
some special cases (and given Cisco's implementation, even there
is a window which is "too wide open").

As this thread is fairly off-topic on lkml, I suggest moving it to
somewhere else... But then again, in the appropriate places, these
discussions have already taken place. :-)


Regards,
Daniel
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/