Re: TCP-RST Vulnerability - Doubt
From: Florian Weimer
Date: Tue Jun 29 2004 - 16:24:54 EST
* Valdis Kletnieks:
> The latest numbers I saw on the NANOG list estimated that only 30%
> to 40% of core peerings were using MD5 even several weeks after the
> Great MD5-Fest...
30% to 40% is extremely high. Are you sure these numbers are correct?
> I am told that at least some versions of IOS got it Very Very Wrong
> - rather than first checking the simple things like "is the
> source/dest addr/ports/seq on the RST in bounds?" or "is a BGP
> packet?", it would check the MD5 *first* - meaning you could swamp
> the real CPU by sending it a totally bogus stream of allegedly
> MD5-signed traffic...
I think the MD5 option is designed to be processed *before* semantic
analysis of the TCP header. This way, it will protect the router in
case of TCP header parsing bugs. So it's not "Very Very Wrong", just
a different trade-off.
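To make the trade-off discussed above concrete, the following added example (not code from either poster, and not a model of any actual IOS or Linux implementation) simulates a receiver that validates RFC 2385 TCP MD5 signatures under both orderings: digest verification before the cheap header checks, and the cheap checks first. The digest construction follows the order RFC 2385 lists (pseudo-header, base TCP header with the checksum zeroed, data, key) but leaves options out of the hashed bytes, so it is a simplified model rather than a wire-exact implementation. All addresses, ports, the key and the traffic are constructed for the demonstration; the function and field names are the example's own.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# Constructed values for the simulation: documentation addresses and a made-up key.
LOCAL_IP, PEER_IP = "192.0.2.1", "192.0.2.2"
BGP_PORT = 179
KEY = b"constructed-demo-key"


@dataclass
class Segment:
    src_ip: str
    dst_ip: str
    sport: int
    dport: int
    seq: int
    ack: int
    flags: int                  # TCP flag bits; 0x04 = RST, 0x10 = ACK
    window: int
    payload: bytes = b""
    md5: Optional[bytes] = None  # 16-byte digest from the RFC 2385 option, if present


@dataclass
class Connection:
    local_ip: str
    peer_ip: str
    local_port: int
    peer_port: int
    rcv_nxt: int                # next sequence number we expect
    rcv_wnd: int                # receive window
    key: bytes


@dataclass
class Stats:
    md5_calls: int = 0          # digests the receiver actually computed


def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def rfc2385_digest(seg: Segment, key: bytes) -> bytes:
    """MD5 over pseudo-header, base TCP header (checksum zeroed), data and key.
    Simplified model: option bytes are left out of the hashed header and of the
    pseudo-header length field."""
    tcp_hdr = struct.pack("!HHIIBBHHH", seg.sport, seg.dport, seg.seq, seg.ack,
                          5 << 4, seg.flags, seg.window, 0, 0)
    pseudo = (ip_bytes(seg.src_ip) + ip_bytes(seg.dst_ip)
              + struct.pack("!BBH", 0, 6, len(tcp_hdr) + len(seg.payload)))
    return hashlib.md5(pseudo + tcp_hdr + seg.payload + key).digest()


def header_checks(conn: Connection, seg: Segment) -> bool:
    """The 'simple things': addresses, ports and an in-window sequence number.
    No cryptography, so these are cheap. Sequence wraparound is ignored here."""
    if (seg.src_ip, seg.dst_ip) != (conn.peer_ip, conn.local_ip):
        return False
    if (seg.sport, seg.dport) != (conn.peer_port, conn.local_port):
        return False
    return conn.rcv_nxt <= seg.seq < conn.rcv_nxt + conn.rcv_wnd


def md5_check(conn: Connection, seg: Segment, stats: Stats) -> bool:
    """Recompute the digest and compare in constant time, counting the cost."""
    if seg.md5 is None:
        return False
    stats.md5_calls += 1
    return hmac.compare_digest(seg.md5, rfc2385_digest(seg, conn.key))


def md5_first(conn: Connection, seg: Segment, stats: Stats) -> bool:
    """Ordering described in the thread: verify the signature before any header semantics."""
    return md5_check(conn, seg, stats) and header_checks(conn, seg)


def header_first(conn: Connection, seg: Segment, stats: Stats) -> bool:
    """Alternative ordering: drop segments failing cheap checks before computing a digest."""
    return header_checks(conn, seg) and md5_check(conn, seg, stats)


def simulate(policy: Callable[[Connection, Segment, Stats], bool],
             n_bogus: int = 1000) -> Tuple[int, int]:
    """Run one genuine signed segment plus n_bogus junk segments through a policy.
    Returns (segments accepted, MD5 digests computed)."""
    conn = Connection(LOCAL_IP, PEER_IP, BGP_PORT, 40000, rcv_nxt=1000, rcv_wnd=16384, key=KEY)
    genuine = Segment(PEER_IP, LOCAL_IP, 40000, BGP_PORT, seq=1000, ack=500,
                      flags=0x10, window=16384, payload=b"\xff" * 16)
    genuine.md5 = rfc2385_digest(genuine, KEY)
    # Constructed junk: wrong source address and port, out-of-window sequence, garbage digest.
    bogus = [Segment("198.51.100.7", LOCAL_IP, 50000 + i, BGP_PORT, seq=7_000_000 + i, ack=0,
                     flags=0x04, window=0, md5=hashlib.md5(str(i).encode()).digest())
             for i in range(n_bogus)]
    stats = Stats()
    accepted = sum(1 for s in [genuine] + bogus if policy(conn, s, stats))
    return accepted, stats.md5_calls


if __name__ == "__main__":
    for name, policy in (("MD5 first", md5_first), ("header checks first", header_first)):
        accepted, digests = simulate(policy)
        print(f"{name:20s}: accepted={accepted} md5_digests_computed={digests}")
```

Both orderings accept exactly the one genuine segment, so the difference is purely in cost: with the signature checked first, every junk segment costs a digest computation, while with the cheap checks first only segments that already look like they belong to the session reach MD5. Florian's point is the other side of the same coin: the header-first ordering runs parsing logic on unauthenticated input, so a bug in that logic is reachable by anyone who can send packets, whereas the MD5-first ordering only exposes the digest code path.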