Re: [Int-area] Kathleen Moriarty's Discuss on draft-ietf-intarea-gre-mtu-04: (with DISCUSS)

["Carlos Pignataro (cpignata)" <cpignata@cisco.com>]

Fred,

> On May 15, 2015, at 10:39 AM, Templin, Fred L <Fred.L.Templin@boeing.com> wrote:
> 
> Hi Brian,
> 
>> -----Original Message-----
>> From: Brian Haberman [mailto:brian@innovationslab.net]
>> Sent: Friday, May 15, 2015 4:58 AM
>> To: Ronald Bonica; Kathleen Moriarty; Templin, Fred L
>> Cc: Suresh Krishnan; draft-ietf-intarea-gre-mtu@ietf.org; int-area@ietf.org; draft-ietf-intarea-gre-mtu.ad@ietf.org; draft-ietf-intarea-
>> gre-mtu.shepherd@ietf.org; The IESG; intarea-chairs@ietf.org
>> Subject: Re: Kathleen Moriarty's Discuss on draft-ietf-intarea-gre-mtu-04: (with DISCUSS)
>> 
>> Hi Kathleen,
>> 
>> On 5/14/15 9:49 PM, Ronald Bonica wrote:
>>> Hi Kathleen,
>>> 
>>> Thanks, I will post an updated version of the draft.
>>> 
>>> Regarding Fred’s question, an attacker can send ICMP PTB to the GRE
>>> ingress node. When this happens, the GRE ingress node’s estimation of
>>> the PMTU and GMTU become inaccurate. That is why the draft says:
>>> 
>>> “PMTU Discovery is vulnerable to two denial of service attacks (see
>>> Section 8 of [RFC1191] for details). Both attacks are based upon on a
>>> malicious party sending forged ICMPv4 Destination Unreachable or
>>> ICMPv6 Packet Too Big messages to a host. In the first attack, the
>>> forged message indicates an inordinately small PMTU. In the second
>>> attack, the forged message indicates an inordinately large MTU. In
>>> both cases, throughput is adversely affected. On order to mitigate
>>> such attacks, GRE implementations include a configuration option to
>>> disable PMTU discovery on GRE tunnels. Also, they can include a
>>> configuration option that conditions the behavior of PMTUD to
>>> establish a minimum PMTU.”
>> 
>> The problem with Fred's question is that it is a well-known
>> vulnerability of ICMP in general and has a much broader impact than just
>> fragmentation and GRE (i.e., this draft). Additionally, I have no idea
>> why Fred thinks an "insider attack" is any more of an issue than an
>> arbitrary attack.
> 
> If the original source, ingress and egress are all within the same well
> managed  administrative domain, then it would be very advantageous
> to use PMTUD instead of probing and/or fragmentation since issues
> such as ICMP message loss, multipath and in-the-network fragmentation
> are mitigated. But, if source address spoofing is possible within the
> administrative domain, then there is opportunity for an insider attack
> to disrupt systems that rely on PMTUD.
> 
> A fix would be to have the draft mention the ability to spoof source
> addresses as a necessary precondition to sustained PTB message
> attacks, since attackers that use legitimate source addresses can
> be traced. And, the mitigation is for the administrative domain to
> employ ingress filtering.
> 

Again, like Brian wrote, there is nothing in this draft that enables or directly relates to that attack — or a different way, that attack is broader and not specific to GRE.

— Carlos.

> Thanks - Fred
> fred.l.templin@boeing,com
> 
>> Regards,
>> Brian
>> 
>