From: Barney Wolff
To: freebsd-net@FreeBSD.org
Date: Thu, 22 Apr 2004 12:11:45 -0400
Subject: Re: [PATCH] First part of TCP-MD5 inbound verification
Message-ID: <20040422161145.GA48173@pit.databus.com>
In-Reply-To: <20040422130659.GG722@empiric.dek.spc.org>

Just a note that, as discussion on nanog shows, it's very important to only do the md5 check if the incoming packet is going to be accepted and processed, rather than the intuitive order of checking the sig first. That's because checking first allows an easy DoS, since checking is cpu-intensive.

Barney

-- 
Barney Wolff         http://www.databus.com/bwresume.pdf
I'm available by contract or FT, in the NYC metro area or via the 'Net.
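
The ordering point made in the message above, as an added example (not code from the patch under discussion or from FreeBSD): it counts how many expensive digest computations each check order performs on segments that the cheap tests would reject anyway. The structs, `toy_sig` (a slow stand-in, not MD5), `flood_cost` and all addresses, ports and sequence numbers are constructed assumptions.

```c
#include <stdint.h>

/* Constructed types for illustration; not FreeBSD's tcpcb or tcphdr. */
struct conn { uint32_t peer; uint16_t lport, pport; uint32_t rcv_nxt, rcv_wnd; };
struct seg  { uint32_t src; uint16_t sport, dport; uint32_t seq, sig; };
typedef int (*input_fn)(const struct conn *, const struct seg *, uint32_t);

static unsigned long sig_checks;        /* number of expensive digest runs */

/* Stand-in for the keyed MD5 digest: deliberately slow, NOT cryptographic. */
static uint32_t toy_sig(const struct seg *s, uint32_t key)
{
    uint32_t h = key ^ s->src ^ s->seq ^ (((uint32_t)s->sport << 16) | s->dport);
    sig_checks++;
    for (int i = 0; i < 1000; i++)
        h = h * 2654435761u + (h >> 13);
    return h;
}

/* Cheap tests: does the segment match the connection and receive window? */
static int acceptable(const struct conn *c, const struct seg *s)
{
    return s->src == c->peer && s->sport == c->pport && s->dport == c->lport &&
           (uint32_t)(s->seq - c->rcv_nxt) < c->rcv_wnd;
}

/* Intuitive order: signature first, so every segment costs a digest. */
static int input_sig_first(const struct conn *c, const struct seg *s, uint32_t key)
{
    return toy_sig(s, key) == s->sig && acceptable(c, s);
}

/* Order from the message: digest only if the segment would be processed. */
static int input_sig_last(const struct conn *c, const struct seg *s, uint32_t key)
{
    return acceptable(c, s) && toy_sig(s, key) == s->sig;
}

/* Feed n constructed out-of-window segments with bogus signatures, then one
 * valid segment; return the digest count and report how many were accepted. */
static unsigned long flood_cost(input_fn in, int n, int *accepted)
{
    struct conn c = { 0x0a000001, 179, 40000, 1000, 65535 };   /* constructed */
    struct seg good = { 0x0a000001, 40000, 179, 1000, 0 };     /* constructed */
    uint32_t key = 0x5eed;
    good.sig = toy_sig(&good, key);
    sig_checks = 0;
    *accepted = 0;
    for (int i = 0; i < n; i++) {
        struct seg junk = { 0x0a000001, 40000, 179, 66535u + (uint32_t)i, (uint32_t)i };
        *accepted += in(&c, &junk, key);
    }
    *accepted += in(&c, &good, key);
    return sig_checks;
}
```

Both orders accept exactly the same segments; only the work spent on rejected ones differs.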