RE: ICMP PTB spoofing attacks (was: RE: 6MAN: Adoption call on draft-hinden-6man-rfc1981bis-01)
"Templin, Fred L" <Fred.L.Templin@boeing.com> Fri, 05 February 2016 20:26 UTC
Return-Path: <Fred.L.Templin@boeing.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D7B421ACE91 for <ipv6@ietfa.amsl.com>; Fri, 5 Feb 2016 12:26:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2LYJHuLJG1xO for <ipv6@ietfa.amsl.com>; Fri, 5 Feb 2016 12:25:59 -0800 (PST)
Received: from phx-mbsout-02.mbs.boeing.net (phx-mbsout-02.mbs.boeing.net [130.76.184.179]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DE9221ACE4C for <ipv6@ietf.org>; Fri, 5 Feb 2016 12:25:58 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by phx-mbsout-02.mbs.boeing.net (8.14.4/8.14.4/DOWNSTREAM_MBSOUT) with SMTP id u15KPwag058674; Fri, 5 Feb 2016 13:25:58 -0700
Received: from XCH-PHX-313.sw.nos.boeing.com (xch-phx-313.sw.nos.boeing.com [130.247.25.175]) by phx-mbsout-02.mbs.boeing.net (8.14.4/8.14.4/UPSTREAM_MBSOUT) with ESMTP id u15KPrNr058594 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=OK); Fri, 5 Feb 2016 13:25:53 -0700
Received: from XCH-BLV-105.nw.nos.boeing.com ([169.254.5.221]) by XCH-PHX-313.sw.nos.boeing.com ([169.254.13.135]) with mapi id 14.03.0235.001; Fri, 5 Feb 2016 12:25:52 -0800
From: "Templin, Fred L" <Fred.L.Templin@boeing.com>
To: Fernando Gont <fgont@si6networks.com>, "Fred Baker (fred)" <fred@cisco.com>
Subject: RE: ICMP PTB spoofing attacks (was: RE: 6MAN: Adoption call on draft-hinden-6man-rfc1981bis-01)
Thread-Topic: ICMP PTB spoofing attacks (was: RE: 6MAN: Adoption call on draft-hinden-6man-rfc1981bis-01)
Thread-Index: AdFgO8UgUUOFg9xdTwqIJb3fPhAIDQARpl8AABAVV8D//4dJAIAAg16g//+ZiYCAAIRKUA==
Date: Fri, 05 Feb 2016 20:25:52 +0000
Message-ID: <2134F8430051B64F815C691A62D983183395F2DD@XCH-BLV-105.nw.nos.boeing.com>
References: <2134F8430051B64F815C691A62D983183395EF42@XCH-BLV-105.nw.nos.boeing.com> <56B4E39A.5040608@si6networks.com> <2134F8430051B64F815C691A62D983183395F017@XCH-BLV-105.nw.nos.boeing.com> <56B4EA46.3080102@si6networks.com> <2134F8430051B64F815C691A62D983183395F0CE@XCH-BLV-105.nw.nos.boeing.com> <56B50285.9010204@si6networks.com>
In-Reply-To: <56B50285.9010204@si6networks.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [130.247.104.6]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-TM-AS-MML: disable
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipv6/l4Cy7MzAn04bxYdDOW2mHmfeeEI>
Cc: Bob Hinden <bob.hinden@gmail.com>, 6man WG <ipv6@ietf.org>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Feb 2016 20:26:01 -0000
Hi Fernando, > -----Original Message----- > From: Fernando Gont [mailto:fgont@si6networks.com] > Sent: Friday, February 05, 2016 12:14 PM > To: Templin, Fred L; Fred Baker (fred) > Cc: 6man WG; Bob Hinden > Subject: Re: ICMP PTB spoofing attacks (was: RE: 6MAN: Adoption call on draft-hinden-6man-rfc1981bis-01) > > On 02/05/2016 03:42 PM, Templin, Fred L wrote: > > Hi Fernando, > > > >> -----Original Message----- > >> From: Fernando Gont [mailto:fgont@si6networks.com] > >> Sent: Friday, February 05, 2016 10:31 AM > >> To: Templin, Fred L; Fred Baker (fred) > >> Cc: Bob Hinden; 6man WG > >> Subject: Re: ICMP PTB spoofing attacks (was: RE: 6MAN: Adoption call on draft-hinden-6man-rfc1981bis-01) > >> > >> On 02/05/2016 03:25 PM, Templin, Fred L wrote: > >>> Hi Fernando, > >>> > >>>> -----Original Message----- > >>>> From: Fernando Gont [mailto:fgont@si6networks.com] > >>>> Sent: Friday, February 05, 2016 10:02 AM > >>>> To: Templin, Fred L; Fred Baker (fred) > >>>> Cc: 6man WG; Bob Hinden > >>>> Subject: Re: ICMP PTB spoofing attacks (was: RE: 6MAN: Adoption call on draft-hinden-6man-rfc1981bis-01) > >>>> > >>>> On 02/05/2016 02:46 PM, Templin, Fred L wrote: > >>>>> Hi Fred, > >>>>> > >>>>>> As soon as I say "there is no such attack", one will materialize, so I won't assert that. However, I am not aware of attacks in > >> which > >>>>>> someone creates ICMP PTBs and sends them to someone else in order to reduce their windows unnecessarily. > >>>>> > >>>>> RFC4821 Section 11 (Security Considerations) recognizes the potential for spoofed > >>>>> (i.e., inaccurate) ICMP PTB messages and suggests a mitigation (ignore all ICMP PTBs). > >>>>> For paths over which any node in the network can inject an inaccurate ICMP PTB > >>>>> message, an attack vector exists. > >>>> > >>>> In theory, you can do some basic validation for ICMP messages. However, > >>>> in v6, as a result of possible EHs, you may not find any meaningful data > >>>> in the ICMP payload to apply validity checks on. > >>>> > >>>> Anyway, you can implement the countermeasure we implemented in > >>>> <https://tools.ietf.org/html/rfc5927#section-7.2> -- I implemented it > >>>> for OpenBSD, and it still runs it... and IIRC it was ported to at least > >>>> NetBSD later. > >>> > >>> Thanks for the reference. It seems to account for the case of paths that may > >>> deliver inaccurate ICMP PTBs, but does not account for the case of paths that > >>> fail to deliver accurate ICMP PTBs. Do we know of paths always deliver > >>> accurate ICMP PTBs but can also deliver inaccurate ICMP PTBs? > >> > >> What do you mean by "accurate"? > > > > By "accurate" I mean: > > > > - the router that sends the ICMP PTB is telling the truth that there is a restricting link > > - the MTU value that the router writes in the PTB is in fact the true MTU of the > > restricting link > > Well, most of these protocols run on "good faith", right? -- If I cannot > trust the router to tell the truth, why should I trust it to e.g. > forward my packets? A router's trustworthiness for forwarding packets and for telling the truth in any ICMP PTB message it sends are mutually exclusive - the first question is one of availability and the second is one of integrity. Plus, it is not necessarily just the on-path routers - any off-path "router" could also inject spurious PTBs. Thanks - Fred fred.l.templin@boeing.com
- Re: ICMP PTB spoofing attacks (was: RE: 6MAN: Ado… Fernando Gont
- Re: ICMP PTB spoofing attacks Mark Andrews
- Re: ICMP PTB spoofing attacks Fernando Gont
- RE: ICMP PTB spoofing attacks (was: RE: 6MAN: Ado… Templin, Fred L
- ICMP PTB spoofing attacks (was: RE: 6MAN: Adoptio… Templin, Fred L
- Re: ICMP PTB spoofing attacks (was: RE: 6MAN: Ado… Fernando Gont
- RE: ICMP PTB spoofing attacks (was: RE: 6MAN: Ado… Templin, Fred L
- Re: ICMP PTB spoofing attacks (was: RE: 6MAN: Ado… Fernando Gont
- RE: ICMP PTB spoofing attacks (was: RE: 6MAN: Ado… Templin, Fred L
- Re: ICMP PTB spoofing attacks (was: RE: 6MAN: Ado… Fernando Gont