* iljitsch@muada.com (Iljitsch van Beijnum) [Wed 21 Jun 2006, 19:05 CEST]:
The reason IPsec helps against a DoS against the CPU is that it has an anti replay counter. IPsec implementations are supposed to maintain a window, not unlike a TCP window, that allows them to reject packets with an anti replay counter that's too far behind or ahead of the last seen packets. So in order to make a packet reach the CPU an attacker has to observe or guess an acceptable value for the anti replay counter.
Actually, no. In a router you can easily filter away all IP packets not destined to port 25 to a certain host (for, say, a mail server). However, if those packets are IPsec encrypted, these TCP headers are unavailable to routers in the path. I do not expect a complete IPsec implementation in the filtering engines of routers, nor that they be able to keep track of window sizes in specific conversations (after all, they don't get to see RST packets either). Web servers generally do not come with hardware-based filtering capabilities to protect "the CPU." -- Niels.