From: Moy, John (John.MoySYCAMORENET.COM)
Date: Wed May 23 2001 - 13:56:32 CDT


    Vince-

    Yes, you are right of course -- if we used a TTL test
    the packets would still be received. A TTL test still
    might be useful though, since it is simple, cheap, and could
    probably be implemented in the line cards. In that case, the
    DoS attack might be reduced to something less harmful than
    ping or SYN floods.

    John

    -----Original Message-----
    From: xxvaf [mailto:xxvafMFNX.NET]
    Sent: Wednesday, May 16, 2001 7:40 PM
    To: OSPFDISCUSS.MICROSOFT.COM
    Subject: Re: Non-routable link-layer for OSPF packet exchange?

    > Would it suffice to simply require that the TTL
    > on OSPF packets be sent *and* received as 255, something
    > I think was also done for IPv6 neighbor discovery? This
    > would ensure that the OSPF control packets weren't routed
    > from off-wire. Control packets associated with virtual links
    > are always going to need something like MD5 however.

    It depends on how efficiently packets which fail the TTL test can be
    discarded in the face of a DoS attack. The problem is that a router
    still has to receive the packets, do some tests on them, and then
    discard them. If a link-layer other than IP were used (as is the case
    with IS-IS, though something of a historical accident), then packets
    can never be sourced by a non-border router. Changes to improve the
    validation of received packets (TTL, as suggested above, and MD5
    authentication) are certainly good things but they don't prevent some
    types of DoS attacks and can even make them worse.

            --Vince
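The TTL test discussed in this exchange (send OSPF control packets with TTL 255 and discard any that arrive with a lower value, since a packet forwarded by even one router has its TTL decremented) is easy to state but worth seeing as a concrete receive-side check. The following is an added example written for this page, not code from either correspondent or from any OSPF implementation. It builds a few constructed IPv4 packets carrying a stub OSPF payload, parses the header, verifies the header checksum, and applies the TTL rule only to protocol 89 (OSPF). The packet builder, the `ttl_filter` function and the sample addresses are all assumptions made here for illustration. Note that, exactly as Vince points out, the router still receives and parses every packet before it can discard it; the check is cheap, but it is not free.

```python
import struct
import ipaddress

OSPF_PROTO = 89       # IP protocol number for OSPF
REQUIRED_TTL = 255    # value a directly attached neighbour must send


def ipv4_checksum(hdr: bytes) -> int:
    """Standard ones-complement sum over the IPv4 header.
    Over a header whose checksum field is filled in, a valid header sums to 0."""
    total = 0
    for i in range(0, len(hdr), 2):
        total += (hdr[i] << 8) | hdr[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_packet(src: str, dst: str, ttl: int, proto: int, payload: bytes) -> bytes:
    """Construct a minimal (no options) IPv4 packet with a correct header checksum.
    Used only to create constructed sample input for this example."""
    ver_ihl = (4 << 4) | 5
    hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Parse the fields the TTL check needs; raise ValueError on a malformed header."""
    if len(pkt) < 20:
        raise ValueError("short packet")
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IHL")
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("header checksum mismatch")
    return {"ttl": ttl, "proto": proto,
            "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "payload": pkt[ihl:total_len]}


def ttl_filter(pkt: bytes) -> tuple:
    """Receive-side rule: OSPF (proto 89) is accepted only if TTL is still 255.
    Returns (verdict, reason) where verdict is 'accept', 'drop' or 'pass'
    ('pass' = not OSPF, so this particular check does not apply)."""
    try:
        h = parse_ipv4(pkt)
    except ValueError as exc:
        return ("drop", f"malformed: {exc}")
    if h["proto"] != OSPF_PROTO:
        return ("pass", "not OSPF; TTL rule not applied")
    if h["ttl"] != REQUIRED_TTL:
        return ("drop", f"OSPF from {h['src']} with TTL {h['ttl']}: crossed at least one hop, not on-link")
    return ("accept", f"OSPF from {h['src']} with TTL 255: sourced on the attached link")


# Constructed sample traffic (stub payload; not a real OSPF Hello).
STUB_OSPF = b"\x02\x01\x00\x2c" + b"\x00" * 40
SAMPLES = {
    # neighbour on the same segment, sent to AllSPFRouters with TTL 255
    "neighbour": build_ipv4_packet("10.0.0.2", "224.0.0.5", 255, OSPF_PROTO, STUB_OSPF),
    # same kind of packet after one forwarding hop: TTL was decremented to 254
    "routed":    build_ipv4_packet("192.0.2.10", "10.0.0.1", 254, OSPF_PROTO, STUB_OSPF),
    # ordinary traffic (protocol 1 = ICMP) is unaffected by the rule
    "not_ospf":  build_ipv4_packet("10.0.0.2", "10.0.0.1", 64, 1, b"\x08\x00\x00\x00"),
}


def evaluate_samples() -> dict:
    """Run the filter over every constructed sample; handy for a quick manual run."""
    return {name: ttl_filter(pkt)[0] for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:10s} -> {ttl_filter(pkt)}")
```

The checksum verification matters for the argument in the thread: a forwarding router rewrites TTL and header checksum together, so a receiver that trusts the TTL byte alone without validating the header is doing a weaker check than it appears. It also illustrates Vince's DoS point directly: every packet, accepted or not, costs a header parse and a checksum pass before the verdict, which is why John suggests pushing the test down to the line cards.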