On Sat, Jun 24, 2006 at 02:51:57AM -0700, Barry Greene (bgreene) wrote:
>
> At the same time, you are not going to find the SP core swapping out
> their equipment for hardware with crypto chips. SPs do not seem to want
> to pay for this sort of addition. So even new equipment is not getting
> hardware crypto that can be used.
On 24-jun-2006, at 1:34, Patrick W. Gilmore wrote:
If you care that much, why don't you just add an extra loopback
address, give it an RFC 1918 address, have your peer talk BGP
towards that address and filter all packets towards the actual
interface address of the router?
The chance of a
> Why couldn't the network device do an AH check in hardware
> before passing the packet to the receive path? If you can
> get to a point where all connections or traffic TO the router
> should be AH, then, that will help with DOS.
There is no push from the operators to look at AH check or t
At the same time, you are not going to find the SP core swapping out
their equipment for hardware with crypto chips. SPs do not seem to want
to pay for this sort of addition. So even new equipment is not getting
hardware crypto that can be used.
So a BGP IPSEC option has to work with what hardw
Walk through the code with the current MD5 spec. You need to terminate
the TCP session, check the MD5, then do the next checks. That is why
we're doing TTL check for GTSM and other classifying/queuing before the
TCP session termination. In the big equipment that ranges from
specialized ASIC check
This "RFC1918 for control plane/management plane" technique is
vulnerable to a TCP reflection attack. The miscreants know about it. So
the assumption that the chance of an RFC 1918 packet reaching your router
being "zero" is not something you should assume.
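Added example (not from the thread or any vendor code): a Python sketch of the receive-path ordering Barry describes, with cheap classification and the GTSM TTL test ahead of the RFC 2385 TCP MD5 digest check. The addresses, key and segments are constructed placeholders.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

TCP_PROTO, BGP_PORT = 6, 179

@dataclass
class Segment:
    src: bytes            # IPv4 source address, 4 bytes
    dst: bytes            # IPv4 destination address, 4 bytes
    ttl: int
    tcp_header: bytes     # 20-byte fixed TCP header with the checksum field zeroed
    options: bytes = b""  # TCP options: excluded from the digest, counted in the length
    payload: bytes = b""
    md5_sig: bytes = b""  # 16-byte value carried in the TCP MD5 option

def rfc2385_digest(seg, key):
    """RFC 2385 digest: pseudo-header, fixed TCP header (no options), data, key."""
    tcp_len = len(seg.tcp_header) + len(seg.options) + len(seg.payload)
    pseudo = seg.src + seg.dst + struct.pack("!BBH", 0, TCP_PROTO, tcp_len)
    return hashlib.md5(pseudo + seg.tcp_header + seg.payload + key).digest()

def admit(seg, router_addr, peer_addr, key, trust_radius=0):
    """Classification and the GTSM TTL check run first; the MD5 check runs last."""
    dport = struct.unpack("!H", seg.tcp_header[2:4])[0]
    if seg.dst != router_addr or dport != BGP_PORT:
        return False, "not BGP traffic to the router"
    if seg.src != peer_addr:
        return False, "not a configured peer"
    if seg.ttl < 255 - trust_radius:          # RFC 5082 GTSM expected-TTL test
        return False, "GTSM: TTL too low"
    if not hmac.compare_digest(rfc2385_digest(seg, key), seg.md5_sig):
        return False, "TCP MD5 signature mismatch"
    return True, "ok"

def tcp_header(sport, dport, flags=0x02):
    # sport, dport, seq, ack, data offset (5 words), flags, window, checksum=0, urgent
    return struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, flags, 65535, 0, 0)

def signed(seg, key):
    seg.md5_sig = rfc2385_digest(seg, key)  # sender side: fill in the MD5 option
    return seg

# Constructed sample data (placeholder addresses and key, not from the thread).
ROUTER, PEER, KEY = bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]), b"constructed-key"
GOOD = signed(Segment(PEER, ROUTER, 255, tcp_header(40000, BGP_PORT), payload=b"OPEN"), KEY)
LOW_TTL = signed(Segment(PEER, ROUTER, 250, tcp_header(40000, BGP_PORT), payload=b"OPEN"), KEY)
BAD_KEY = signed(Segment(PEER, ROUTER, 255, tcp_header(40000, BGP_PORT), payload=b"OPEN"), b"wrong")
```

The low-TTL segment is dropped by the TTL test without the digest ever being computed, which is the cost saving the thread attributes to doing GTSM before TCP termination.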