Date: Thu, 22 Apr 2004 12:11:45 -0400
From: Barney Wolff <barney@databus.com>
To: freebsd-net@FreeBSD.org
Subject: Re: [PATCH] First part of TCP-MD5 inbound verification
Message-ID: <20040422161145.GA48173@pit.databus.com>
In-Reply-To: <20040422130659.GG722@empiric.dek.spc.org>
References: <20040422130659.GG722@empiric.dek.spc.org>

Just a note that, as discussion on nanog shows, it's very important to only do the md5 check if the incoming packet is going to be accepted and processed, rather than the intuitive order of checking the sig first. That's because checking first allows an easy DoS, since checking is cpu-intensive.

Barney

-- 
Barney Wolff         http://www.databus.com/bwresume.pdf
I'm available by contract or FT, in the NYC metro area or via the 'Net.
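
The check order described in the message above, as an added C example that is not part of the original e-mail or of the FreeBSD patch under discussion. The structures, function names, addresses and key are constructed for illustration, and a keyed FNV-1a hash stands in for the MD5 digest so the block stays self-contained; the counter shows how much digest work each ordering performs.

```c
#include <stdint.h>
/* Constructed model of a segment and a connection; not FreeBSD's structures. */
struct seg  { uint32_t saddr; uint16_t sport, dport; uint32_t seq, sig; const char *data; };
struct conn { uint32_t peer; uint16_t pport, lport; uint32_t rcv_nxt, rcv_wnd; const char *key; };
static unsigned long digests;            /* how many times the costly step ran */

/* Stand-in for the keyed MD5 digest: a keyed FNV-1a hash, NOT MD5. */
static uint32_t sig_compute(const struct seg *s, const char *key)
{
    uint32_t h = (2166136261u ^ s->seq) * 16777619u;
    const char *parts[2] = { s->data, key };
    digests++;
    for (int i = 0; i < 2; i++)
        for (const char *p = parts[i]; *p; p++)
            h = (h ^ (uint8_t)*p) * 16777619u;
    return h;
}

/* Cheap tests: right peer and ports, sequence number inside the receive window. */
static int seg_acceptable(const struct seg *s, const struct conn *c)
{
    return s->saddr == c->peer && s->sport == c->pport && s->dport == c->lport &&
           (uint32_t)(s->seq - c->rcv_nxt) < c->rcv_wnd;
}

/* Order the message asks for: acceptance tests first, digest last. */
int input_check_last(const struct seg *s, const struct conn *c)
{
    return seg_acceptable(s, c) && sig_compute(s, c->key) == s->sig;
}

/* The "intuitive" order: digest first, acceptance tests afterwards. */
int input_check_first(const struct seg *s, const struct conn *c)
{
    return sig_compute(s, c->key) == s->sig && seg_acceptable(s, c);
}

/* Feed n out-of-window bad segments, then one valid one; return digests computed. */
unsigned long flood(int (*input)(const struct seg *, const struct conn *), int n, int *accepted)
{
    struct conn c = { 0x0a000001, 179, 40000, 1000, 8192, "constructed-key" };
    struct seg good = { 0x0a000001, 179, 40000, 1000, 0, "UPDATE" };
    struct seg bad = { 0x0a000001, 179, 40000, 500000, 0xdeadbeef, "junk" };
    good.sig = sig_compute(&good, c.key);
    digests = 0; *accepted = 0;
    for (int i = 0; i < n; i++, bad.seq++)   /* all far outside the window */
        *accepted += input(&bad, &c);
    *accepted += input(&good, &c);
    return digests;
}
```

A segment that passes the cheap tests still costs one digest, so this ordering limits the digest work to segments that match a connection and fall inside its receive window.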