Re: TCP-RST Vulnerability - Doubt

From: Valdis . Kletnieks
Date: Tue Jun 29 2004 - 16:47:09 EST

Next message: Hamie: "Re: 2.6.7-mm4 compile buglet"
Previous message: Benita M. Nguyen: "We have a cialapren offer for you."
In reply to: Florian Weimer: "Re: TCP-RST Vulnerability - Doubt"
Next in thread: Daniel Roesen: "Re: TCP-RST Vulnerability - Doubt"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, 29 Jun 2004 23:22:56 +0200, Florian Weimer said:
> * Valdis Kletnieks:
>
> > The latest numbers I saw on the NANOG list estimated that only 30%
> > to 40% of core peerings were using MD5 even several weeks after the
> > Great MD5-Fest...
>
> 30% to 40% is extremely high. Are you sure these numbers are correct?

Well, here's the start of the thread...

http://www.merit.edu/mail.archives/nanog/2004-05/msg00144.html

Anywhere from 12% to 45% depending which methodology you believe in.. ;)

> I think the MD5 option is designed to be processed *before* semantic
> analysis of the TCP header. This way, it will protect the router in
> case of TCP header parsing bugs. So it's not "Very Very Wrong", just
> a different trade-off.

I saw several people who dropped hints that if it had an MD5 on it,
it got handed to the CPU for checking, without even bothering to verify
that the source IP was something you had an MD5 configured for.. "Hey, this
MD5 is borked! Good thing it's not from a host we talk to...." :)

Attachment: pgp00000.pgp
Description: PGP signature

Next message: Hamie: "Re: 2.6.7-mm4 compile buglet"
Previous message: Benita M. Nguyen: "We have a cialapren offer for you."
In reply to: Florian Weimer: "Re: TCP-RST Vulnerability - Doubt"
Next in thread: Daniel Roesen: "Re: TCP-RST Vulnerability - Doubt"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]