Re: TCP MD5 option problem

From: Steven M. Bellovin (smbat_private)
Date: Wed Jun 16 1999 - 19:33:36 PDT

Next message: Raymond Dijkxhoorn: "[RHSA-1999:013-01] New XFree86 packages for Red Hat Linux 6.0"

Previous message: Crispin Cowan: "Diversity (was: IIS Remote Exploit (injection code))"
Maybe in reply to: Craig Metz: "TCP MD5 option problem"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

In message <199906141822.SAA05311at_private>, Craig Metz writes:

>
>   The (IMO) obvious fix for this problem is to use IPsec's Authentication
> Header (AH) and to deprecate the TCP MD5 option. There are several freely
> available and viable AH implementations for BSD (including the NRL, OpenBSD,
> and KAME ones) and I believe that modern IOS has AH code in it though it's not
> currently set up for protecting routing traffic. AH covers all of the TCP
> header and options, as well as typically having a better MAC function (the RFC
> 2385 option builds a MAC by appending the key, which is possibly the weakest
> way to do it).

The RFC 2385 scheme describes a hack that was developed precisely because
IPSEC wasn't ready, and *something* was needed to protect BGP traffic.
You're absolutely right -- no one should use it for any new work.

Next message: Raymond Dijkxhoorn: "[RHSA-1999:013-01] New XFree86 packages for Red Hat Linux 6.0"
Previous message: Crispin Cowan: "Diversity (was: IIS Remote Exploit (injection code))"
Maybe in reply to: Craig Metz: "TCP MD5 option problem"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:49:45 PDT