Re: [Int-area] Kathleen Moriarty's Discuss on draft-ietf-intarea-gre-mtu-04: (with DISCUSS)

Brian Haberman <brian@innovationslab.net> Fri, 15 May 2015 11:58 UTC

Message-ID: <5555DF49.2090906@innovationslab.net>
Date: Fri, 15 May 2015 07:58:01 -0400
From: Brian Haberman <brian@innovationslab.net>
To: Ronald Bonica <rbonica@juniper.net>, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>, "Templin, Fred L" <Fred.L.Templin@boeing.com>
In-Reply-To: <BLUPR05MB19854B35DFE0D3774756E6B7AEC70@BLUPR05MB1985.namprd05.prod.outlook.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/int-area/7LkhsfcUcxLpPIZweCmKgoYNuh8>
Cc: "draft-ietf-intarea-gre-mtu@ietf.org" <draft-ietf-intarea-gre-mtu@ietf.org>, "int-area@ietf.org" <int-area@ietf.org>, "draft-ietf-intarea-gre-mtu.ad@ietf.org" <draft-ietf-intarea-gre-mtu.ad@ietf.org>, "draft-ietf-intarea-gre-mtu.shepherd@ietf.org" <draft-ietf-intarea-gre-mtu.shepherd@ietf.org>, The IESG <iesg@ietf.org>, "intarea-chairs@ietf.org" <intarea-chairs@ietf.org>

Hi Kathleen,

On 5/14/15 9:49 PM, Ronald Bonica wrote:
> Hi Kathleen,
> 
> Thanks, I will post an updated version of the draft.
> 
> Regarding Fred’s question, an attacker can send ICMP PTB to the GRE
> ingress node. When this happens, the GRE ingress node’s estimation of
> the PMTU and GMTU become inaccurate. That is why the draft says:
> 
> “PMTU Discovery is vulnerable to two denial of service attacks (see
> Section 8 of [RFC1191] for details). Both attacks are based upon a
> malicious party sending forged ICMPv4 Destination Unreachable or
> ICMPv6 Packet Too Big messages to a host. In the first attack, the
> forged message indicates an inordinately small PMTU. In the second
> attack, the forged message indicates an inordinately large MTU. In
> both cases, throughput is adversely affected. In order to mitigate
> such attacks, GRE implementations include a configuration option to
> disable PMTU discovery on GRE tunnels. Also, they can include a
> configuration option that conditions the behavior of PMTUD to
> establish a minimum PMTU.”

The problem with Fred's question is that it is a well-known
vulnerability of ICMP in general and has a much broader impact than just
fragmentation and GRE (i.e., this draft). Additionally, I have no idea
why Fred thinks an "insider attack" is any more of an issue than an
arbitrary attack.

Regards,
Brian
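As an added illustration (not code from the draft or from anyone in this thread), here is a small Python model of a GRE ingress node's PMTU and GMTU estimate with the two mitigations the quoted text describes: a per-tunnel switch to disable PMTUD, and a configured minimum PMTU that clamps "inordinately small" reports, while reports that would raise the estimate are never honoured. The class and field names, the 24-byte encapsulation overhead and the 1280-byte floor are assumptions made for the example.

```python
from dataclasses import dataclass

# Assumed per-tunnel configuration, modelled on the two options the draft
# describes: a switch to disable PMTUD and a configured minimum PMTU.
@dataclass
class TunnelConfig:
    pmtud_enabled: bool = True
    min_pmtu: int = 1280      # assumed floor (IPv6 minimum link MTU)
    static_pmtu: int = 1500   # assumed value used when PMTUD is disabled
    encap_overhead: int = 24  # assumed: 20-byte IPv4 delivery header + 4-byte GRE header

class GreIngress:
    """Tracks the PMTU estimate toward the GRE egress and the derived GMTU."""
    def __init__(self, cfg: TunnelConfig, initial_pmtu: int = 1500):
        self.cfg = cfg
        self.pmtu = initial_pmtu if cfg.pmtud_enabled else cfg.static_pmtu

    @property
    def gmtu(self) -> int:
        # GMTU: largest payload the tunnel carries without fragmenting the delivery packet.
        return self.pmtu - self.cfg.encap_overhead

    def on_ptb(self, reported_mtu: int) -> str:
        """Apply one ICMPv4 Frag Needed / ICMPv6 Packet Too Big report; say what was done."""
        if not self.cfg.pmtud_enabled:
            return "ignored: PMTUD disabled on this tunnel"
        if reported_mtu >= self.pmtu:
            # A PTB may only lower the estimate; an 'inordinately large' report
            # (the second attack in the quoted text) never raises it.
            return "ignored: reported MTU not smaller than current estimate"
        if reported_mtu < self.cfg.min_pmtu:
            # 'Inordinately small' report (the first attack): clamp to the floor.
            self.pmtu = self.cfg.min_pmtu
            return f"clamped: reported {reported_mtu} below floor, PMTU={self.pmtu}"
        self.pmtu = reported_mtu
        return f"accepted: PMTU={self.pmtu}"

def simulate(ptbs, cfg=None):
    """Feed a sequence of PTB-reported MTUs; return (PMTU, GMTU, per-report log)."""
    node = GreIngress(cfg or TunnelConfig())
    log = [node.on_ptb(m) for m in ptbs]
    return node.pmtu, node.gmtu, log

if __name__ == "__main__":
    # Constructed report sequence: a legitimate 1400, a forged tiny 68, a forged huge 9000.
    pmtu, gmtu, log = simulate([1400, 68, 9000])
    print(f"PMTU={pmtu} GMTU={gmtu}")
    print(*log, sep="\n")
```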