my understanding is that md5 is still checked before the
ttl-hack check takes place on cisco (and perhaps most router
platforms). new attack vector for less security than you had
before. oh well. ras:
can you confirm that it is possible to implement ttl-hack and
have it check *before* md5 signature checks?
You do not have a correct understanding of how GPTM is supposed to work.
If you can, you need to do this check as close to the punt out of the
data plane as possible. Optimally in the ASIC (if the ASIC can be coded
to do a TTL check). On Cisco gear we're coding from inside out - doing
GPTM in the routing code (BGP) - then in the receive path wrapper (rACL
and CoPP) - then in the ASIC raw queue (if it can) - then in the ASIC's
receive path primitives. The GPTM was all about dropping the packets
before they got near the route processor.
If you want more details, let me know and I'll send them privately.
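The ordering question raised in this thread (does the TTL check run before or after the TCP MD5 signature check?) can be illustrated with a small simulation. This is an added example, not code from either poster or from any router vendor: it models a receive path as two stages, a cheap GTSM-style TTL check and a more expensive MD5 signature verification, and counts how many packets reach the MD5 stage under each ordering. The packet layout, the peer table, the constructed sample packets and the simplified signature function are all assumptions made for this illustration; a real RFC 2385 digest also covers the IP pseudo-header and TCP header, and a real platform enforces the TTL check in rACL/CoPP or the ASIC rather than in Python.

```python
"""Receive-path ordering simulation: TTL-security check vs. TCP MD5 check.

Added example (not from the original thread). Everything here is a
simplified assumption for illustration, not a router's real implementation.
"""
import hashlib
import hmac
from dataclasses import dataclass

# GTSM: a directly connected peer sends with TTL 255, so anything lower
# must have crossed at least one extra hop and is dropped.
GTSM_MIN_TTL = 255


@dataclass
class Packet:
    src: str
    dst: str
    ttl: int
    payload: bytes
    md5_sig: bytes


@dataclass
class Peer:
    addr: str
    password: bytes
    ttl_security: bool  # GTSM enabled for this neighbor


def tcp_md5_sig(src: str, dst: str, payload: bytes, password: bytes) -> bytes:
    """Simplified stand-in for the RFC 2385 TCP MD5 option digest (assumption)."""
    h = hashlib.md5()
    for part in (src.encode(), dst.encode(), payload, password):
        h.update(part)
    return h.digest()


class ReceivePath:
    """Two-stage receive path; `ttl_check_first` selects the stage order."""

    def __init__(self, peers, ttl_check_first: bool):
        self.peers = {p.addr: p for p in peers}
        self.ttl_check_first = ttl_check_first
        self.stats = {"unknown_peer": 0, "ttl_drop": 0,
                      "md5_checked": 0, "md5_drop": 0, "delivered": 0}

    def _ttl_ok(self, pkt: Packet, peer: Peer) -> bool:
        # Cheap: one integer compare on a header field.
        return (not peer.ttl_security) or pkt.ttl >= GTSM_MIN_TTL

    def _md5_ok(self, pkt: Packet, peer: Peer) -> bool:
        # Expensive: a hash over the whole segment, counted so we can see
        # how much work each ordering lets spoofed packets cause.
        self.stats["md5_checked"] += 1
        expected = tcp_md5_sig(pkt.src, pkt.dst, pkt.payload, peer.password)
        return hmac.compare_digest(expected, pkt.md5_sig)

    def receive(self, pkt: Packet) -> str:
        peer = self.peers.get(pkt.src)
        if peer is None:
            self.stats["unknown_peer"] += 1
            return "drop:unknown_peer"
        order = ("ttl", "md5") if self.ttl_check_first else ("md5", "ttl")
        for stage in order:
            if stage == "ttl" and not self._ttl_ok(pkt, peer):
                self.stats["ttl_drop"] += 1
                return "drop:ttl"
            if stage == "md5" and not self._md5_ok(pkt, peer):
                self.stats["md5_drop"] += 1
                return "drop:md5"
        self.stats["delivered"] += 1
        return "deliver"


def run_simulation(ttl_check_first: bool) -> dict:
    """Feed a constructed packet mix through the path and return its counters."""
    me, neighbor, secret = "192.0.2.2", "192.0.2.1", b"example-key"
    path = ReceivePath([Peer(neighbor, secret, ttl_security=True)], ttl_check_first)
    bogus = b"\x00" * 16
    samples = [  # constructed sample packets (assumption)
        Packet(neighbor, me, 255, b"OPEN",   tcp_md5_sig(neighbor, me, b"OPEN", secret)),
        Packet(neighbor, me, 241, b"OPEN",   bogus),   # arrived from several hops away
        Packet(neighbor, me, 200, b"UPDATE", bogus),   # arrived from further away still
        Packet(neighbor, me, 255, b"OPEN",   bogus),   # adjacent but wrong signature
        Packet("198.51.100.9", me, 255, b"OPEN", bogus),  # not a configured neighbor
    ]
    for pkt in samples:
        path.receive(pkt)
    return path.stats


if __name__ == "__main__":
    print("TTL first :", run_simulation(True))
    print("MD5 first :", run_simulation(False))
```

With the TTL check first, only the two packets that actually arrive with TTL 255 reach the MD5 stage; with MD5 first, every packet from a spoofed neighbor address is hashed before it is discarded, which is exactly the extra work the thread says the TTL check was meant to spare the route processor.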