[nsp] MD5 causes bigger problem than it fixes?
Dan Hollis
goemon at anime.net
Wed Apr 21 15:06:51 EDT 2004
On Wed, 21 Apr 2004, Gert Doering wrote:
> On Wed, Apr 21, 2004 at 10:47:07AM -0500, Edward Henigin wrote:
> > Which way is a mortal soul to go?
> Seriously: you should rate-limit the amount of packets targeted at your
> routers anyway (control-plane rate-limiting in recent IOS versions, or
> just plain interface rate-limiting in earlier versions).
> If you rate-limit RST and SYN packets to a very low rate, most packets will
> already be dropped before even MD5 checking them... "BGP established"
> packets shouldn't be rate-limited, though.
Or you could just put anti spoofing filters at your borders and kill this
BGP vulnerability _and any future variants_ totally dead, permanently.
-Dan
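
The border anti-spoofing filter suggested in the message above, modelled as an added example (not code from the thread or from any router vendor). All prefixes, interface names and packets are constructed, and it assumes the addresses your BGP sessions use fall inside your own prefixes.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample values (documentation prefixes), not taken from the thread.
OWN_PREFIXES = [ipaddress.ip_network(p) for p in
                ("192.0.2.0/24",        # assumed internal/customer space
                 "198.51.100.0/28")]    # assumed router loopbacks used for BGP
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in
                  ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8",
                   "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class Packet:
    in_iface: str   # "external" (border-facing) or "internal"
    src: str
    dst: str
    dport: int
    flags: str      # TCP flags, carried only to show they are never consulted

def border_ingress_verdict(pkt: Packet) -> str:
    """Return 'drop' or 'permit' for a packet arriving at a border router."""
    if pkt.in_iface != "external":
        return "permit"             # the filter applies to border-facing input only
    src = ipaddress.ip_address(pkt.src)
    if any(src in net for net in OWN_PREFIXES):
        return "drop"               # our own addresses cannot arrive from outside
    if any(src in net for net in BOGON_PREFIXES):
        return "drop"               # unroutable sources are never legitimate here
    return "permit"

# Constructed packets: three spoofed ones aimed at a BGP session (TCP/179),
# the genuine peer on the internal side, and ordinary outside traffic.
SAMPLE_PACKETS = [
    Packet("external", "198.51.100.1", "198.51.100.2", 179, "RST"),
    Packet("external", "198.51.100.1", "198.51.100.2", 179, "SYN"),
    Packet("external", "10.1.1.1",     "198.51.100.2", 179, "RST"),
    Packet("internal", "198.51.100.1", "198.51.100.2", 179, "ACK"),
    Packet("external", "203.0.113.9",  "192.0.2.10",   80,  "SYN"),
]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(f"{p.in_iface:8} {p.src:14} {p.flags:3} -> {border_ingress_verdict(p)}")
```

The verdict depends only on the arrival interface and source address, never on TCP flags or ports, so the same rule covers any attack that needs a forged internal source.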