RE: ICMP PTB spoofing attacks (was: RE: 6MAN: Adoption call on draft-hinden-6man-rfc1981bis-01)

"Templin, Fred L" <Fred.L.Templin@boeing.com> Fri, 05 February 2016 18:26 UTC

From: "Templin, Fred L" <Fred.L.Templin@boeing.com>
To: Fernando Gont <fgont@si6networks.com>, "Fred Baker (fred)" <fred@cisco.com>
Subject: RE: ICMP PTB spoofing attacks (was: RE: 6MAN: Adoption call on draft-hinden-6man-rfc1981bis-01)
Date: Fri, 05 Feb 2016 18:25:53 +0000
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipv6/HDYmIT5wlKv9YdOyHvcW4jcnFkQ>
Cc: Bob Hinden <bob.hinden@gmail.com>, 6man WG <ipv6@ietf.org>

Hi Fernando,

> -----Original Message-----
> From: Fernando Gont [mailto:fgont@si6networks.com]
> Sent: Friday, February 05, 2016 10:02 AM
> To: Templin, Fred L; Fred Baker (fred)
> Cc: 6man WG; Bob Hinden
> Subject: Re: ICMP PTB spoofing attacks (was: RE: 6MAN: Adoption call on draft-hinden-6man-rfc1981bis-01)
> 
> On 02/05/2016 02:46 PM, Templin, Fred L wrote:
> > Hi Fred,
> >
> >> As soon as I say "there is no such attack", one will materialize, so I won't assert that.  However, I am not aware of attacks in which
> >> someone creates ICMP PTBs and sends them to someone else in order to reduce their windows unnecessarily.
> >
> > RFC4821 Section 11 (Security Considerations) recognizes the potential for spoofed
> > (i.e., inaccurate) ICMP PTB messages and suggests a mitigation (ignore all ICMP PTBs).
> > For paths over which any node in the network can inject an inaccurate ICMP PTB
> > message, an attack vector exists.
> 
> In theory, you can do some basic validation for ICMP messages. However,
> in v6, as a result of possible EHs, you may not find any meaningful data
> in the ICMP payload to apply validity checks on.
> 
> Anyway, you can implement the countermeasure we implemented in
> <https://tools.ietf.org/html/rfc5927#section-7.2> -- I implemented it
> for OpenBSD, and it still runs it... and IIRC it was ported to at least
> NetBSD later.

Thanks for the reference. It seems to account for the case of paths that may
deliver inaccurate ICMP PTBs, but does not account for the case of paths that
fail to deliver accurate ICMP PTBs. Do we know of paths that always deliver
accurate ICMP PTBs but can also deliver inaccurate ICMP PTBs?

Thanks - Fred
fred.l.templin@boeing.com

> Thanks,
> --
> Fernando Gont
> SI6 Networks
> e-mail: fgont@si6networks.com
> PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
> 
> 
> 
>
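
The "basic validation" mentioned in the quoted reply, and the extension-header caveat that goes with it, as an added example that is not part of the original message and is not the RFC 5927 Section 7.2 countermeasure: it checks the TCP sequence number quoted in an ICMPv6 PTB against the sender's unacknowledged data, and reports when the extension header chain leaves no TCP header to check. The names `check_ptb`, `sample_ptb`, `CONN` and the connection-state fields are hypothetical, and the sample packets are constructed.

```python
import struct
from ipaddress import IPv6Address

EXT_HDRS = {0, 43, 60}   # Hop-by-Hop, Routing, Destination Options
FRAGMENT, TCP, IPV6_MIN_MTU = 44, 6, 1280

def check_ptb(icmp, conn):
    """Classify an ICMPv6 PTB (checksum assumed verified by the stack)."""
    if len(icmp) < 48 or icmp[0] != 2 or icmp[1] != 0:
        return "reject"                        # not a well-formed PTB
    mtu = struct.unpack_from("!I", icmp, 4)[0]
    if mtu < IPV6_MIN_MTU or mtu >= conn["pmtu"]:
        return "reject"                        # below 1280, or no reduction
    pkt = icmp[8:]                             # quoted invoking packet
    if pkt[0] >> 4 != 6 or pkt[8:24] != conn["src"] or pkt[24:40] != conn["dst"]:
        return "reject"                        # not a packet we sent to that peer
    nxt, off = pkt[6], 40
    while nxt in EXT_HDRS or nxt == FRAGMENT:  # walk the extension header chain
        if off + 8 > len(pkt):
            return "unverifiable"
        if nxt == FRAGMENT:
            if struct.unpack_from("!H", pkt, off + 2)[0] >> 3:
                return "unverifiable"          # non-first fragment: no TCP header
            size = 8
        else:
            size = (pkt[off + 1] + 1) * 8
        nxt, off = pkt[off], off + size
    if nxt != TCP or off + 8 > len(pkt):
        return "unverifiable"                  # no usable TCP header in the quote
    sport, dport, seq = struct.unpack_from("!HHI", pkt, off)
    if (sport, dport) != (conn["sport"], conn["dport"]):
        return "reject"
    in_flight = (conn["snd_nxt"] - conn["snd_una"]) & 0xFFFFFFFF
    if (seq - conn["snd_una"]) & 0xFFFFFFFF >= in_flight:
        return "reject"                        # quoted SEQ is not unacknowledged data
    return "accept"

def sample_ptb(conn, mtu, seq, dest_opts_len=0, quoted=None):
    """Constructed input: a PTB quoting one TCP segment of conn."""
    tcp = struct.pack("!HHI", conn["sport"], conn["dport"], seq) + bytes(12)
    ext = bytes([TCP, dest_opts_len // 8 - 1]) + bytes(dest_opts_len - 2) if dest_opts_len else b""
    ip6 = struct.pack("!IHBB", 6 << 28, len(ext) + len(tcp), 60 if ext else TCP, 64)
    return (struct.pack("!BBHI", 2, 0, 0, mtu) + ip6 + conn["src"] + conn["dst"] + ext + tcp)[:quoted]

CONN = {"src": IPv6Address("2001:db8::1").packed, "dst": IPv6Address("2001:db8::2").packed,
        "sport": 49152, "dport": 443, "snd_una": 1000, "snd_nxt": 5000, "pmtu": 1500}  # constructed
```

How a receiver treats an "unverifiable" result is a local policy decision that this sketch leaves open.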