Re: ttl and authentication
Dave Katz <dkatz@juniper.net> Thu, 24 February 2005 07:36 UTC
Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id CAA11500; Thu, 24 Feb 2005 02:36:06 -0500 (EST)
Received: from megatron.ietf.org ([132.151.6.71]) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1D4DuS-0005Jk-BT; Thu, 24 Feb 2005 02:59:45 -0500
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1D4DXL-0001Hc-FL; Thu, 24 Feb 2005 02:35:51 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1D4DXI-0001EH-85 for rtg-bfd@megatron.ietf.org; Thu, 24 Feb 2005 02:35:48 -0500
Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id CAA11485 for <rtg-bfd@ietf.org>; Thu, 24 Feb 2005 02:35:46 -0500 (EST)
Received: from colo-dns-ext2.juniper.net ([207.17.137.64]) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1D4Du9-0005J7-CO for rtg-bfd@ietf.org; Thu, 24 Feb 2005 02:59:25 -0500
Received: from merlot.juniper.net (merlot.juniper.net [172.17.27.10]) by colo-dns-ext2.juniper.net (8.12.3/8.12.3) with ESMTP id j1O7ZdBm020129; Wed, 23 Feb 2005 23:35:39 -0800 (PST) (envelope-from dkatz@juniper.net)
Received: from [172.16.12.139] (nimbus-sf.juniper.net [172.16.12.139]) by merlot.juniper.net (8.11.3/8.11.3) with ESMTP id j1O7Zce24284; Wed, 23 Feb 2005 23:35:38 -0800 (PST) (envelope-from dkatz@juniper.net)
In-Reply-To: <Pine.LNX.4.61.0502240855100.22843@netcore.fi>
References: <200502222036.PAA16786@ietf.org> <Pine.LNX.4.61.0502232111590.6499@netcore.fi> <eb091c568763bfdd10f3c04ae3c9677c@juniper.net> <Pine.LNX.4.61.0502240855100.22843@netcore.fi>
Mime-Version: 1.0 (Apple Message framework v619.2)
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Message-Id: <35ed279cf9e5b6c559f3d843e7c8d7c3@juniper.net>
Content-Transfer-Encoding: 7bit
From: Dave Katz <dkatz@juniper.net>
Date: Thu, 24 Feb 2005 00:35:37 -0700
To: Pekka Savola <pekkas@netcore.fi>
X-Mailer: Apple Mail (2.619.2)
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 7655788c23eb79e336f5f8ba8bce7906
Cc: rtg-bfd@ietf.org
Subject: Re: ttl and authentication
X-BeenThere: rtg-bfd@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "RTG Area: Bidirectional Forwarding Detection DT" <rtg-bfd.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:rtg-bfd@ietf.org>
List-Help: <mailto:rtg-bfd-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=subscribe>
Sender: rtg-bfd-bounces@ietf.org
Errors-To: rtg-bfd-bounces@ietf.org
X-Scan-Signature: 93238566e09e6e262849b4f805833007
On Feb 24, 2005, at 12:00 AM, Pekka Savola wrote:

> The concern is which is done first: TTL check or authentication check.
>
> Compare the situation to BGP with MD5. Folks can easily DoS a router
> by sending bogus MD5-signed BGP packets to spend all the CPU's
> computational resources. Using the TTL=255 check _first_ prevents this
> particular attack vector, except from the on-link neighbors.
>
> The same argument seems to apply here. Speaking as an operator who's
> using BFD, I will not be happy if the TTL is not checked first, as this
> opens a resource exhaustion attack vector which could be easily
> prevented.

I guess I would counter that if the TTL check is the only thing protecting your infrastructure, then you have bigger problems. Filtering at the edge of your network has got to be the first line of defense. Certainly there have got to be similar opportunities to hose things with other protocols for which a TTL check will not help.

--Dave
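The ordering question Pekka raises, as an added illustration that is not part of the thread and not BFD's or any vendor's receive path: a toy control-packet receiver that can apply the TTL == 255 (GTSM-style) check either before or after a keyed-MD5 authentication check. The packet layout, the digest construction (MD5 over payload followed by the key, in the style of TCP MD5 for BGP), the shared key and the flood sizes are all constructed for the example. The `digest_computations` counter stands in for CPU spent on authentication, which is the resource the resource-exhaustion argument is about.

```python
"""Added example: cheap TTL check ordered before expensive authentication.

Not BFD's wire format or any real implementation; field sizes, key and
traffic mix are constructed so the example runs offline.
"""
import hashlib
import hmac
from dataclasses import dataclass

SHARED_KEY = b"constructed-demo-key"   # constructed for this example
DIGEST_LEN = 16                        # MD5 digest length in bytes


@dataclass
class Stats:
    ttl_drops: int = 0
    auth_failures: int = 0
    accepted: int = 0
    digest_computations: int = 0   # proxy for CPU burned on authentication


def build_packet(payload: bytes, key: bytes) -> bytes:
    """Append a keyed-MD5 digest over the payload (constructed layout)."""
    return payload + hashlib.md5(payload + key).digest()


def verify_digest(packet: bytes, key: bytes, stats: Stats) -> bool:
    """Recompute the keyed digest; this is the expensive step under attack."""
    stats.digest_computations += 1
    payload, received = packet[:-DIGEST_LEN], packet[-DIGEST_LEN:]
    expected = hashlib.md5(payload + key).digest()
    return hmac.compare_digest(expected, received)


def receive(ttl: int, packet: bytes, key: bytes, stats: Stats,
            ttl_first: bool = True) -> str:
    """Process one packet; `ttl_first` selects which check runs first."""
    if ttl_first and ttl != 255:
        # Off-link sender: a router decremented the TTL. Rejected before
        # any digest is computed, so the flood costs almost nothing.
        stats.ttl_drops += 1
        return "drop:ttl"
    if not verify_digest(packet, key, stats):
        stats.auth_failures += 1
        return "drop:auth"
    if not ttl_first and ttl != 255:
        # Authentication-first ordering: the digest was already paid for.
        stats.ttl_drops += 1
        return "drop:ttl"
    stats.accepted += 1
    return "accept"


def run_flood(n_bogus: int, ttl_first: bool) -> Stats:
    """Constructed traffic: n_bogus spoofed packets arriving via one router
    hop (TTL 254) followed by one genuine packet from the on-link
    neighbour (TTL 255). Returns the receiver's counters."""
    stats = Stats()
    bogus = b"A" * 24 + b"\x00" * DIGEST_LEN   # garbage digest, no key
    for _ in range(n_bogus):
        receive(254, bogus, SHARED_KEY, stats, ttl_first)
    genuine = build_packet(b"hello", SHARED_KEY)
    receive(255, genuine, SHARED_KEY, stats, ttl_first)
    return stats


if __name__ == "__main__":
    for order in (True, False):
        s = run_flood(1000, ttl_first=order)
        print(f"ttl_first={order}: digests={s.digest_computations} "
              f"ttl_drops={s.ttl_drops} auth_fail={s.auth_failures} "
              f"accepted={s.accepted}")
```

With the TTL check first, the 1000 off-link forgeries cost zero digest computations and the genuine packet is still accepted; with authentication first, every forgery costs a digest. A forgery that does arrive with TTL 255 (an on-link sender) still reaches the authentication check in both orderings, which is the "except from the on-link neighbors" caveat in the quoted text, and the reason edge filtering remains a separate control rather than something the TTL check replaces.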
- I-D ACTION:draft-ietf-bfd-multihop-01.txt Internet-Drafts
- ttl and authentication [Re: I-D ACTION:draft-ietf… Pekka Savola
- Re: ttl and authentication Dave Katz
- Re: ttl and authentication Pekka Savola
- Re: ttl and authentication Dave Katz
- Re: ttl and authentication Pekka Savola
- Re: ttl and authentication Dave Katz