[nsp] MD5 causes bigger problem than it fixes?

Dan Hollis goemon at anime.net
Wed Apr 21 15:06:51 EDT 2004


On Wed, 21 Apr 2004, Gert Doering wrote:
> On Wed, Apr 21, 2004 at 10:47:07AM -0500, Edward Henigin wrote:
> > Which way is a mortal soul to go?
> Seriously: you should rate-limit the amount of packets targeted at your
> routers anyway (control-plane rate-limiting in recent IOS versions, or
> just plain interface rate-limiting in earlier versions).
> If you rate-limit RST and SYN packets to a very low rate, most packets will 
> already be dropped before even MD5 checking them...  "BGP established" 
> packets shouldn't be rate-limited, though.

Or you could just put anti spoofing filters at your borders and kill this 
BGP vulnerability _and any future variants_ totally dead, permanently.

-Dan
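
A small model of the two measures suggested in this thread (a border anti-spoofing filter, then a low rate limit on SYN/RST aimed at the router), added here as an illustration and not written by any of the posters. The prefixes, router address, budget and sample packets are constructed values, and the model only treats sources inside the listed internal prefixes as spoofed when they arrive from outside.

```python
import ipaddress

# Constructed values (assumptions, not from the thread): documentation prefixes.
INTERNAL = [ipaddress.ip_network("192.0.2.0/24")]  # our own address space
ROUTER = ipaddress.ip_address("192.0.2.1")         # BGP speaker to protect
BGP_PORT = 179
BUDGET = 2  # hypothetical: SYN/RST packets to the router allowed per interval

def pkt(iface, src, flags, dst="192.0.2.1", sport=40000, dport=179):
    return {"iface": iface, "src": src, "dst": dst,
            "sport": sport, "dport": dport, "flags": set(flags)}

def border_antispoof(p):
    """Drop packets that arrive from outside but claim an internal source."""
    src = ipaddress.ip_address(p["src"])
    if p["iface"] == "external" and any(src in net for net in INTERNAL):
        return "drop-spoofed"
    return "pass"

def classify(packets):
    """One verdict per packet: border filter first, then SYN/RST rate limit.

    Packets without SYN or RST are treated as belonging to an established
    session and are never rate-limited (a simplification of the model).
    """
    used, verdicts = 0, []
    for p in packets:
        verdict = border_antispoof(p)
        to_bgp = (ipaddress.ip_address(p["dst"]) == ROUTER
                  and BGP_PORT in (p["sport"], p["dport"]))
        if verdict == "pass" and to_bgp and p["flags"] & {"SYN", "RST"}:
            used += 1
            if used > BUDGET:
                verdict = "drop-ratelimit"
        verdicts.append(verdict)
    return verdicts

# Constructed sample traffic for one rate-limit interval.
SAMPLE = [
    pkt("external", "192.0.2.2", ["RST"]),     # forged reset, internal source
    pkt("internal", "192.0.2.2", ["ACK"]),     # real internal peer, established
    pkt("external", "198.51.100.7", ["SYN"]),  # within budget
    pkt("external", "198.51.100.7", ["SYN"]),  # within budget
    pkt("external", "198.51.100.7", ["SYN"]),  # over budget
    pkt("external", "198.51.100.7", ["ACK"]),  # established, not limited
]

if __name__ == "__main__":
    for p, v in zip(SAMPLE, classify(SAMPLE)):
        print(p["iface"], p["src"], sorted(p["flags"]), "->", v)
```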
