If they don't have the right MD5 frame they are not valid. The RFC came
about because people discovered RST spoofing Cisco backbone routers was
a great way to remove unwanted ISPs. Then people discovered that spoofing
ICMP DF frame sizes down to 68 bytes worked anyway and the whole MD5 thing
went to shit.
Later crypto folks showed that MD5 is not always good enough.
Finally if you are patient and extremely irritating you can capture BGP
sessions, predict the next time the other end will initiate that sequence
number and do BGP replay games. Fortunately that's extremely hard.
IPsec has a lot more going for it, but most Ciscos still only support the
MD5 stuff. However, if you can get/set IP/TCP options in user space you
could, I guess, do it that way.
Alan