Re: TCP/BGP vulnerability - easier than you think
David Luyer wrote:
[snip]
> With ipsec, you have crypto overhead before you have any opportunity to do the basic sanity check.

Minor point, but with IPsec, the 32-bit SPI and the 32-bit replay counter are very low cost ways to drop the majority of traffic from a flood of random junk with no crypto calculations. You actually have more bits with AH or ESP than with TCP. The 32-bit SPI must be an exact match like the two 16-bit port fields, and you have 32 bits of sequence number in both, but the TCP window is much larger than the IPsec window (usually 6-bit by default), leaving you more bits to check.

-- 
Crist J. Clark
crist.clark@globalstar.com
Globalstar Communications
(408) 933-4387
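The pre-crypto filter described above (exact 32-bit SPI match, then the anti-replay window check), as an added Python example that is not from this thread: the 64-packet sliding window follows RFC 2401 Appendix C, the ESP/AH headers fed to it are constructed, and the SPI and sequence values are made up.

```python
import random
import struct

WINDOW_SIZE = 64  # the "6-bit" default anti-replay window from the post (2**6 packets)

class SecurityAssociation:
    """Inbound SA state: SPI plus the sliding replay window of RFC 2401 Appendix C."""
    def __init__(self, spi, last_seq=0):
        self.spi = spi
        self.last_seq = last_seq  # highest sequence number whose MAC has verified
        self.bitmap = 0           # bit i set => sequence last_seq - i already accepted

    def replay_check(self, seq):
        """Cheap pre-crypto test: True if seq is new and inside (or ahead of) the window."""
        if seq == 0:
            return False                      # 0 is never a valid ESP/AH sequence number
        if seq > self.last_seq:
            return True                       # ahead of the window: plausible, MAC decides
        diff = self.last_seq - seq
        if diff >= WINDOW_SIZE:
            return False                      # older than the window
        return not (self.bitmap >> diff) & 1  # bit set => duplicate (replay)

    def replay_update(self, seq):
        """Advance the window; call only after the integrity check has passed."""
        if seq > self.last_seq:
            shift = seq - self.last_seq
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW_SIZE) - 1)
            self.last_seq = seq
        else:
            self.bitmap |= 1 << (self.last_seq - seq)

def prefilter(sa_table, packet):
    """Classify a packet by its 8-byte ESP/AH header alone: 'no_sa', 'replay' or
    'to_crypto' (the only outcome that costs a MAC computation)."""
    if len(packet) < 8:
        return "no_sa"
    spi, seq = struct.unpack("!II", packet[:8])  # SPI and sequence number, network order
    sa = sa_table.get(spi)
    if sa is None:
        return "no_sa"                            # 32-bit exact match, like TCP's two ports
    return "to_crypto" if sa.replay_check(seq) else "replay"

def flood_stats(sa_table, count, seed=7):
    """Outcome counts for `count` constructed random 8-byte headers (a junk flood)."""
    rng = random.Random(seed)
    stats = {"no_sa": 0, "replay": 0, "to_crypto": 0}
    for _ in range(count):
        stats[prefilter(sa_table, rng.getrandbits(64).to_bytes(8, "big"))] += 1
    return stats
```

With a single SA, practically every random packet is dropped on the SPI mismatch alone; the window check only comes into play once the SPI matches, and there it rejects only duplicates and sequence numbers at or below last_seq minus the window size, so anything numbered ahead of the window still reaches the MAC check.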