On Tue, Jun 20, 2006 at 05:06:27PM -0400, Ross Callon wrote:
DoS against routers is of course a major concern. Using encryption has the potential of making DoS worse, in the sense that the amount of processing that a bogus packet can cause is increased by the amount of processing needed to check the authentication. If the router needs to check multiple keys in the keychain before declaring the segment as invalid, then this multiplies the effect of the DOS by the number of keys that need to be checked.
I'd still like someone to explain why we're wasting man hours, CPU time, filling up our router logs, and potentially making DoS easier, for an attack that doesn't exist. After that, I'd like them to explain why we need to devote more resources to protecting against the attack that already doesn't exist, and that is already protected against just fine even if it were to exist. Of course any not completely insane implementation should be checking for a valid TCP window range (or an existing TCB for that matter) before wasting CPU time on an MD5 calculation. It's just not possible in reality for any sufficiently large number of packets to get through those check to then be affected by an MD5 DoS (unless of course you're peering with 7018, and the NSA has an extra copy of your packets laying around). We already collectively wasted our time deploying MD5 passwords over a big scare that turned out to be nothing more than someone cracking open the manual and rediscovering how stuff worked all along. Why don't we spend our time going forward solving actual issues like filtering/announcement authentication, and stop trying to solve the non-existant problems. -- Richard A Steenbergen <ras@e-gerbil.net> http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)