Re: [saag] can an on-path attacker drop traffic?

Nico Williams <> Wed, 02 September 2020 19:33 UTC

Date: Wed, 2 Sep 2020 14:33:01 -0500
From: Nico Williams <>
To: Michael Richardson <>
Message-ID: <20200902193300.GW3100@localhost>
References: <4645.1599064072@localhost>
In-Reply-To: <4645.1599064072@localhost>
List-Id: Security Area Advisory Group <>

On Wed, Sep 02, 2020 at 12:27:52PM -0400, Michael Richardson wrote:
> A firewall or router is a potential on-path attacker, but it can also drop packets.
> What do we call this?
> This was historically called a MITM, and it implied all the attributes of
> on-path.  But it is unclear to me if MITM > on-path, or MITM == on-path.

To me on-path means physically or logically (e.g., after DNS spoofing or
route takeover) in the path.

MITM is about being in the middle at some higher layer than IP.  For
example, in TLS, which you can do if you can subvert a CA trusted by the

You can have an on-path (physically) attacker who nonetheless cannot
successfully mount an MITM attack on TLS traffic it gets to see and even
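The distinction drawn in the reply above (an on-path attacker can observe or drop TLS traffic, but cannot impersonate the server unless it also subverts a CA the client trusts) as an added illustration, not code from the saag thread or from either poster. Everything here is a constructed toy: the CA "signature" is an HMAC under a secret CA key, standing in for a real public-key certificate signature so the script needs only the standard library, and the server name and keys are made up. The four attacker functions model the four positions discussed: forwarding, dropping, forging a certificate without the CA key, and forging one after the CA is subverted.

```python
import hashlib
import hmac
import secrets

# Constructed keys. CA_KEY stands in for the trusted CA's signing key
# (assumption: HMAC instead of a real signature; the trust relationship
# modelled is the same). SERVER_NAME is a hypothetical name.
CA_KEY = secrets.token_bytes(32)
SERVER_KEY = secrets.token_bytes(32)      # legitimate server's "public key"
ATTACKER_KEY = secrets.token_bytes(32)    # the attacker's own key
SERVER_NAME = "example.net"


def issue_cert(ca_key: bytes, name: str, pubkey: bytes) -> dict:
    """The CA binds a name to a key; the tag plays the role of the CA signature."""
    body = name.encode() + b"|" + pubkey
    return {"name": name, "key": pubkey,
            "sig": hmac.new(ca_key, body, hashlib.sha256).digest()}


def cert_valid(cert: dict, trusted_ca_key: bytes, expected_name: str) -> bool:
    """Client-side check: name matches and the CA tag verifies under the trusted CA."""
    body = cert["name"].encode() + b"|" + cert["key"]
    expected = hmac.new(trusted_ca_key, body, hashlib.sha256).digest()
    return cert["name"] == expected_name and hmac.compare_digest(cert["sig"], expected)


def server_hello() -> dict:
    """What the legitimate server sends: its CA-issued certificate."""
    return {"cert": issue_cert(CA_KEY, SERVER_NAME, SERVER_KEY)}


# Attacker positions. Each receives the server's message as it crosses the
# path and returns what the client actually sees (None = nothing arrives).
def forward(msg):
    """On-path, passive: can read the handshake but leaves it alone."""
    return msg


def drop(msg):
    """On-path, dropping: a firewall or router that simply discards the packet."""
    return None


def impersonate_without_ca(msg):
    """On-path, attempting MITM with a cert it issued under a CA key of its own."""
    rogue_ca_key = secrets.token_bytes(32)
    return {"cert": issue_cert(rogue_ca_key, SERVER_NAME, ATTACKER_KEY)}


def impersonate_with_ca(msg):
    """On-path AND holding the key of a CA the client trusts: a real MITM."""
    return {"cert": issue_cert(CA_KEY, SERVER_NAME, ATTACKER_KEY)}


def client_outcome(attacker) -> str:
    """Run one handshake through the given attacker and report what the client ends up with."""
    msg = attacker(server_hello())
    if msg is None:
        return "no connection (dropped)"
    cert = msg["cert"]
    if not cert_valid(cert, CA_KEY, SERVER_NAME):
        return "rejected (bad certificate)"
    if cert["key"] == SERVER_KEY:
        return "talking to server"
    return "talking to attacker (MITM)"


if __name__ == "__main__":
    for position in (forward, drop, impersonate_without_ca, impersonate_with_ca):
        print(f"{position.__name__:24s} -> {client_outcome(position)}")
```

The first three positions are all "on-path" in the sense used above; only the last one is a successful MITM at the TLS layer, and what makes the difference is not the attacker's place on the wire but possession of a key the client trusts.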