IETF Logo Mail Archive

Re: [secdir] [tcpm] SECDIR REVIEW of draft-ietf-tcpm-icmp-attacks-10.txt

Joe Touch <touch@ISI.EDU> Mon, 15 February 2010 20:51 UTC

Return-Path: <touch@ISI.EDU>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7EE823A79EF; Mon, 15 Feb 2010 12:51:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.483
X-Spam-Level:
X-Spam-Status: No, score=-2.483 tagged_above=-999 required=5 tests=[AWL=0.116, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vWioBgP1m3ws; Mon, 15 Feb 2010 12:51:19 -0800 (PST)
Received: from vapor.isi.edu (vapor.isi.edu [128.9.64.64]) by core3.amsl.com (Postfix) with ESMTP id 7D2CD3A722A; Mon, 15 Feb 2010 12:51:19 -0800 (PST)
Received: from [192.168.1.95] (pool-71-106-88-10.lsanca.dsl-w.verizon.net [71.106.88.10]) (authenticated bits=0) by vapor.isi.edu (8.13.8/8.13.8) with ESMTP id o1FKja0m013907 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Mon, 15 Feb 2010 12:45:38 -0800 (PST)
Message-ID: <4B79B270.5060804@isi.edu>
Date: Mon, 15 Feb 2010 12:45:36 -0800
From: Joe Touch <touch@ISI.EDU>
User-Agent: Thunderbird 2.0.0.23 (Windows/20090812)
MIME-Version: 1.0
To: Fernando Gont <fernando@gont.com.ar>
References: <a123a5d61002121827y2f2b0256u5859790c06819a92@mail.gmail.com> <4B79A54C.7040107@gont.com.ar> <4B79A9BA.5050205@isi.edu> <4B79AEC8.3030506@gont.com.ar>
In-Reply-To: <4B79AEC8.3030506@gont.com.ar>
X-Enigmail-Version: 0.96.0
Content-Type: multipart/signed; micalg="pgp-sha1"; protocol="application/pgp-signature"; boundary="------------enigE223615851FE9C8280A451B4"
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
Cc: tcpm@ietf.org, Phillip Hallam-Baker <hallam@gmail.com>, secdir@ietf.org
Subject: Re: [secdir] [tcpm] SECDIR REVIEW of draft-ietf-tcpm-icmp-attacks-10.txt
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Feb 2010 20:51:20 -0000


Fernando Gont wrote:
> Joe Touch wrote:
> 
>>>> The principal security risks considered are service risks. ICMP may be
>>>> used to perform certain denial of service and performance downgrade
>>>> attacks. As such it probably needs rather more justification than 'we
>>>> have always done this' when building critical infrastructures.
>>> I fully agree. This I-D has been debated in tcpm form... 6 years now. It
>>> was originally meant for Std track, but somehow ended up heading for
>>> Informational.
>> That implies the decision was either accidental or unintentional, and
>> neither is the case, FWIW.
> 
> Well, if you track the decision, you'll probably go back to an IETF
> meeting in 2005 (Vancouver), in which, while we were heading for Std.
> Track, somebody asked "Why not Informational?", and that's what we ended
> up doing. So...

That decision was discussed at length at multiple IETFs. It didn't
happen as an accident or by the direct consequence of a single
off-handed suggestion.

...
>>>> Given that TCP streams will eventually time-out, I have something of a
>>>> hard time seeing why we would be using a non-authenticated control
>>>> protocol at all. Yes, I know the legacy reasons etc. etc. But this is
>>>> not the way we would approach this problem today. 
>>> I fully agree.
>>
>> Not all TCP state times out. Connections that don't use keepalives will
>> retain stale state until the state is explicitly flushed by a RST. If
>> the other end never comes back up, the state *never* gets flushed if not
>> for ICMPs.
> 
> The TCP spec says that "ICMP hard errors should be processes as RSTs",
> but never describe a case in which a TCP would send an ICMP hard error
> instead of a RST.

If frag is needed, you can't get a RST since the packet never gets
there. If the port is blocked upstream of the end device, the same thing
happens. Your next sentence appears to assert that the latter is the
common case.

> If you ever get an ICMP hard error, it's probably because of a firewall.

If it's after a connection is established, it's likely because of a
change in path that has different firewall policy or MTU.

> And many of these devices do not even check the TCP checksum.

Nor should they. The ICMP packet isn't required to include the entire
TCP segment, and when it doesn't it *can't* verify the checksum anyway.
...
> And, if you really depend on anything to flush stale connections, you're
> vulnerable to a bunch of other attacks (Sockstress, and the rest of the
> stuff that is already discussed in the CPNI TCP security paper).

My point was simply that TCP doesn't always clean itself up via
timeouts. That could be changed, but requires a change to the TCP spec
to, e.g., require all TCP connections to default to "keepalive", and
that hasn't been discussed.

>>>> This argument is
>>>> almost made on page 15. Some statement giving the case for taking
>>>> notice of ICMP messages at all is in order. 
>>> I guess the "statement" that you could get here (tcpm) is
>>> "responsiveness". -- with which I'd disagree, for many of the reasons
>>> stated in the draft, and because in many other cases it has been argued
>>> in this very wg that "tcp is supposed to be robust, it's not optimized
>>> for any scenario, etc.".
>>>
>>> Should I craft some text along the lines of "responsiveness"?
>> This doc, by WG agreement, focuses on "what is". It is not intended to
>> make broader recommendations or conclusions.
> 
> This doc has probably been one of the best examples for the recent flood
> of messages on the WG.
> 
>> KARP is addressing some of these issues. TCP-AO also addresses these
>> issues in the context of BGP.
>>
>> It's difficult to argue for broader controls of ICMPs in the absence of
>> authentication at the IP or TCP level, since RSTs have just as injurious
>> an impact.
> 
> C'mon, Joe. ICMP must have an in-window TCP SEQ. ICMPs need not. We've
> been here before. So the ICMP attack vector is the low hanging fruit.

There are numerous ways to upset a TCP connection by injecting bad data,
causing it to emit extra ACKs, etc. And the difference between in and
not-in window has become much less relevant.

(e.g., if "in window" was sufficient, then you should be arguing to stop
work on TCP-SECURE).

Joe

v2.23.0 | Report a Bug | By Email