[nsp] MD5 causes bigger problem than it fixes?
Niels Bakker
niels=cisco-nsp at bakker.net
Wed Apr 21 19:01:52 EDT 2004
* goemon at anime.net (Dan Hollis) [Thu 22 Apr 2004, 00:30 CEST]:
> On Wed, 21 Apr 2004, Niels Bakker wrote:
>>>> - I'd really like something better than "have your upstreams
>>>> filter,"
>>>> is there a solution to protect against this issue?
>>> BGP-over-IPSEC ?
>> Same CPU issue as MD5, is it not? For directly connected sessions
>> there's the TTL hack (if Juniper implements it soon too, at least).
>
> I can't imagine GTSM taking more CPU than MD5. GTSM also means you don't
> have to juggle thousands of keys.
You're implying I wrote something I didn't. I said that BGP-over-IPSEC
as proposed by Rubens Kuhl would have CPU issues similar to those of the
MD5 option for BGP. Then, I noted that GTSM/the TTL hack would also
protect BGP sessions against spoofing from outside.
>> No router is bad at dropping packets, but performance, as always, varies.
Corollary: Flooding a router's control plane with fake packets is always bad.
-- Niels.
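The CPU point argued in this thread (the TTL hack rejects a forged segment with one integer compare before any MD5 work happens, while a TCP MD5 signature costs a hash computation per received segment) can be shown with a small simulation. The following is an added example, not code from the thread or from any router vendor: it implements the GTSM TTL check from RFC 3682 and the RFC 2385 TCP MD5 digest, runs a constructed stream of segments through a receive path that applies GTSM first, and counts how many hashes each kind of segment costs. The addresses, the key, the BGP KEEPALIVE payload and the flood size are all constructed sample values.

```python
import hashlib
import hmac
import socket
import struct

PEER_HOPS = 1  # constructed: the BGP peer is directly connected


def gtsm_accept(ttl, hops=PEER_HOPS):
    """RFC 3682 (GTSM / the 'TTL hack'): a peer `hops` away sends with TTL 255,
    so a genuine segment arrives with TTL >= 255 - hops + 1. Anything that
    travelled further must have been injected from beyond the peer."""
    return ttl >= 256 - hops


def tcp_md5_digest(src_ip, dst_ip, tcp_header, options, payload, key):
    """RFC 2385 TCP MD5 signature: MD5 over the TCP pseudo-header, the fixed
    20-byte TCP header with its checksum zeroed (options excluded), the
    segment data, and finally the connection key."""
    seg_len = len(tcp_header) + len(options) + len(payload)
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, seg_len))
    header = tcp_header[:16] + b"\x00\x00" + tcp_header[18:20]  # zero checksum
    return hashlib.md5(pseudo + header + payload + key).digest()


class BgpSessionGuard:
    """Receive path for one BGP session: cheap GTSM check first, MD5 second.
    The counters show where the CPU goes for each kind of segment."""

    def __init__(self, key, hops=PEER_HOPS):
        self.key = key
        self.hops = hops
        self.md5_computed = 0
        self.dropped_ttl = 0
        self.dropped_md5 = 0
        self.accepted = 0

    def receive(self, seg):
        if not gtsm_accept(seg["ttl"], self.hops):
            self.dropped_ttl += 1          # one compare, no hash
            return "drop:ttl"
        self.md5_computed += 1             # every surviving segment costs an MD5
        expected = tcp_md5_digest(seg["src"], seg["dst"], seg["tcp_header"],
                                  seg["options"], seg["payload"], self.key)
        if not hmac.compare_digest(expected, seg["signature"]):
            self.dropped_md5 += 1
            return "drop:md5"
        self.accepted += 1
        return "accept"


def make_segment(src, dst, ttl, payload, key):
    """Constructed BGP segment (peer -> local router, port 179).
    Data offset 10 words = 20-byte header + 20 bytes of options (MD5 option,
    kind 19, length 18, plus two NOP pad bytes). The digest is carried in the
    dict rather than written into the option bytes, which keeps the example
    short; a real stack would read it out of the option."""
    tcp_header = struct.pack("!HHIIBBHHH", 52000, 179, 1000, 2000,
                             10 << 4, 0x18, 65535, 0, 0)
    options = b"\x13\x12" + b"\x00" * 16 + b"\x01\x01"
    return {"src": src, "dst": dst, "ttl": ttl, "tcp_header": tcp_header,
            "options": options, "payload": payload,
            "signature": tcp_md5_digest(src, dst, tcp_header, options, payload, key)}


def simulate(flood_size=1000):
    """One genuine KEEPALIVE, a flood of forged segments from a multi-hop
    source (TTL decremented well below 255 by the time they arrive), and one
    forged on-link segment with TTL 255 that only the MD5 check can catch."""
    key = b"constructed-session-key"
    guard = BgpSessionGuard(key)
    keepalive = b"\xff" * 16 + struct.pack("!HB", 19, 4)  # BGP KEEPALIVE message
    peer, local = "192.0.2.2", "192.0.2.1"              # constructed addresses
    guard.receive(make_segment(peer, local, 255, keepalive, key))
    for _ in range(flood_size):
        guard.receive(make_segment(peer, local, 60, keepalive, b"wrong-key"))
    guard.receive(make_segment(peer, local, 255, keepalive, b"wrong-key"))
    return guard


if __name__ == "__main__":
    g = simulate()
    print(f"accepted={g.accepted} dropped_ttl={g.dropped_ttl} "
          f"dropped_md5={g.dropped_md5} md5_computed={g.md5_computed}")
```

With GTSM in front, the thousand remote forgeries cost no hashing at all; only the genuine segment and the on-link forgery reach the MD5 step. That is the case both sides of the thread agree on: the TTL check is nearly free, and MD5 (or IPsec) is what you still pay for against an attacker who can already put packets on the link with TTL 255, which is also why a flood of such packets at the control plane stays a problem regardless of which option is configured.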