Re: [OPSEC] review draft-gont-opsec-icmp-ingress-filtering-02

Mikael Abrahamsson <swmike@swm.pp.se> Wed, 17 August 2016 06:56 UTC

On Fri, 15 Jul 2016, joel jaeggli wrote:

> I'm sympathetic generally to this draft, section 5 implementation details
> could be rewritten more cleanly to suggest how it is implemented. e.g.

I also read this document. I am also sympathetic to this draft, but I 
tried to find what kind of attacks can be performed using the technique 
mentioned in the document, but apart from the US-CERT reference from 2005, 
I came up empty.

I would like to see more references to documents describing what can
happen if the proposed mechanism isn't implemented, i.e. a list of attack
vectors.

Apart from that I like the document. I have doubts about how widely this 
mechanism will actually get implemented since it's like uRPF; it doesn't 
protect the implementor from the Internet, it protects the Internet from 
the implementors' customers.

But it makes a lot of sense to document this problem and recommend that 
this kind of filtering is done.

-- 
Mikael Abrahamsson    email: swmike@swm.pp.se