[nsp] MD5 causes bigger problem than it fixes?
Gert Doering
gert at greenie.muc.de
Wed Apr 21 11:54:49 EDT 2004
Hi,

On Wed, Apr 21, 2004 at 10:47:07AM -0500, Edward Henigin wrote:
> Which way is a mortal soul to go?

"down"

Seriously: you should rate-limit the amount of packets targeted at your
routers anyway (control-plane rate-limiting in recent IOS versions, or
just plain interface rate-limiting in earlier versions).

If you rate-limit RST and SYN packets to a very low rate, most packets will
already be dropped before even MD5 checking them... "BGP established"
packets shouldn't be rate-limited, though.

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
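
The control-plane rate-limiting suggested in the message above could look like the following on an IOS release that supports control-plane policing. This is an added example, not configuration from the original post; the ACL, class-map and policy-map names and the police rate are assumptions chosen for illustration and need tuning per platform.

```text
! Added example, not from the original post. Names and rates are assumed.
!
! Match only TCP segments to or from the BGP port that carry SYN or RST.
! Segments of an established session (ACK without SYN/RST) do not match,
! so they are never policed by this class.
ip access-list extended COPP-BGP-SYN-RST
 permit tcp any any eq bgp syn
 permit tcp any any eq bgp rst
 permit tcp any eq bgp any syn
 permit tcp any eq bgp any rst
!
class-map match-all COPP-BGP-SYN-RST
 match access-group name COPP-BGP-SYN-RST
!
! Police the matched packets to a very low rate (8000 bps here) and drop
! the excess before it reaches the route processor, where the TCP MD5
! signature would otherwise have to be verified for each packet.
policy-map COPP-IN
 class COPP-BGP-SYN-RST
  police 8000 1500 1500 conform-action transmit exceed-action drop
!
! Attach the policy to traffic punted to the control plane.
control-plane
 service-policy input COPP-IN
```

The `syn` keyword also matches SYN-ACK, so session setup toward configured peers shares this budget; `show policy-map control-plane` displays the conform and exceed counters for checking that legitimate session establishment is not being dropped.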