RE: key change for TCP-MD5
Assumptions, assumptions. If your IPSEC is being done in hardware and you have appropriate QoS mechanisms in your network, you will probably not be able to pass your best effort traffic but the rest should be OK. Can we get back to the regularly scheduled programming instead of throwing big numbers around? Barry had a point, if you do IPSEC stupidly, it does not protect you. If you pay attention to detail, it does help. It is not the panacea. For the purpose of securing BGP, I think IPSEC is easy to configure (at least on IOS which is what I'm used to), and will do the job. And for this application, I don't see why cert's can't be used either. Regards Bora
-----Original Message----- From: Valdis.Kletnieks@vt.edu [mailto:Valdis.Kletnieks@vt.edu] Sent: Friday, June 23, 2006 1:46 PM To: Bora Akyol Cc: Barry Greene (bgreene); Ross Callon; nanog@merit.edu Subject: Re: key change for TCP-MD5
On Fri, 23 Jun 2006 13:35:20 PDT, Bora Akyol said:
The validity of your statement depends tremendously on how IPSEC is implemented.
If 113 million packets all show up at once, you're going to get DoS'ed, whether or not you have IPSEC enabled.
On Jun 23, 2006, at 2:02 PM, Bora Akyol wrote:
If your IPSEC is being done in hardware and you have appropriate QoS mechanisms in your network, you will probably not be able to pass your best effort traffic but the rest should be OK.
Unless the DoS is within the IPSEC tunnel and crowds out the good traffic. ;> Your original post seemed to imply that IPSEC is an anti-DoS mechanism, as does the statement 'If you pay attention to detail, it does help.' IPSEC is not an anti-DoS mechanism at all, it's important to be clear about that. ---------------------------------------------------------------------- Roland Dobbins <rdobbins@cisco.com> // 408.527.6376 voice Everything has been said. But nobody listens. -- Roger Shattuck
participants (2)
-
Bora Akyol
-
Roland Dobbins