Re: [secdir] SECDIR REVIEW of draft-ietf-tcpm-icmp-attacks-10.txt
Fernando Gont <fernando@gont.com.ar> Mon, 15 February 2010 19:48 UTC
Return-Path: <fernando@gont.com.ar>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 48E4D3A7374; Mon, 15 Feb 2010 11:48:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.054
X-Spam-Level:
X-Spam-Status: No, score=-3.054 tagged_above=-999 required=5 tests=[AWL=0.545, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fMtpGoegie-E; Mon, 15 Feb 2010 11:48:11 -0800 (PST)
Received: from smtp1.xmundo.net (smtp1.xmundo.net [201.216.232.80]) by core3.amsl.com (Postfix) with ESMTP id 8FFC73A7372; Mon, 15 Feb 2010 11:48:08 -0800 (PST)
Received: from venus.xmundo.net (venus.xmundo.net [201.216.232.56]) by smtp1.xmundo.net (Postfix) with ESMTP id 5C6F26B6752; Mon, 15 Feb 2010 16:49:48 -0300 (ART)
Received: from [192.168.0.100] (144-174-17-190.fibertel.com.ar [190.17.174.144]) (authenticated bits=0) by venus.xmundo.net (8.13.8/8.13.8) with ESMTP id o1FJnX1Q014109; Mon, 15 Feb 2010 16:49:35 -0300
Message-ID: <4B79A54C.7040107@gont.com.ar>
Date: Mon, 15 Feb 2010 16:49:32 -0300
From: Fernando Gont <fernando@gont.com.ar>
User-Agent: Thunderbird 2.0.0.23 (Windows/20090812)
MIME-Version: 1.0
To: Phillip Hallam-Baker <hallam@gmail.com>
References: <a123a5d61002121827y2f2b0256u5859790c06819a92@mail.gmail.com>
In-Reply-To: <a123a5d61002121827y2f2b0256u5859790c06819a92@mail.gmail.com>
X-Enigmail-Version: 0.96.0
OpenPGP: id=D076FFF1
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-Greylist: Sender succeeded SMTP AUTH authentication, not delayed by milter-greylist-3.0 (venus.xmundo.net [201.216.232.56]); Mon, 15 Feb 2010 16:49:47 -0300 (ART)
X-Mailman-Approved-At: Tue, 16 Feb 2010 00:19:43 -0800
Cc: tcpm@ietf.org, secdir@ietf.org
Subject: Re: [secdir] SECDIR REVIEW of draft-ietf-tcpm-icmp-attacks-10.txt
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Feb 2010 19:48:12 -0000
Hello, Phillip, Thanks so much for your feedback! See my comments inline.... > The principal security risks considered are service risks. ICMP may be > used to perform certain denial of service and performance downgrade > attacks. As such it probably needs rather more justification than 'we > have always done this' when building critical infrastructures. I fully agree. This I-D has been debated in tcpm form... 6 years now. It was originally meant for Std track, but somehow ended up heading for Informational. What's in the I-D is what most implementation (all the mainstream ones, at least) do. So if *I* had to answer why we don't stress that ICMP should be disregarded in many scenarios, etc., I can just say that this is what the WG has converged to. > Given that TCP streams will eventually time-out, I have something of a > hard time seeing why we would be using a non-authenticated control > protocol at all. Yes, I know the legacy reasons etc. etc. But this is > not the way we would approach this problem today. I fully agree. > This argument is > almost made on page 15. Some statement giving the case for taking > notice of ICMP messages at all is in order. I guess the "statement" that you could get here (tcpm) is "responsiveness". -- with which I'd disagree, for many of the reasons stated in the draft, and because in many other cases it has been argued in this very wg that "tcp is supposed to be robust, it's not optimized for any scenario, etc.". Should I craft some text along the lines of "responsiveness"? > It might well be that an > appropriate control in certain cases would be to turn off ICMP hard > errors and rely on timeouts, I am thinking here of critical > infrastructure applications and communications between hosts running > BGP functions. Most (if not all) real-world implementations already do this. We have lived with this behaviour that you describe for the last..mm.. 20 years (or so) with BSDs... and there's no way that BSDs, or Linux, or Cisco, or whoever are going to change back their implementations to e.g. "resetting connections in response to ICMP hard errors". For instance, they have issued vulnerability advisories in this respect... > In particular I note that the draft says "It is interesting to note > that, as ICMP error messages are transmitted unreliably, transport > protocols should not depend on them for correct functioning." > > Given the extreme approach to security of starting from nothing and > only adding systems that are essential, this would seem to suggest > ICMP is not necessary and could be eliminated. Yes...except for ICMP "frag needed but DF bit set", which is needed for PMTUD. > There may be a case to > the contrary but it needs to be made before page 15. My take is "responsiveness". But I'll let the wg chime in. :-) > Page 15/16 > > The following phrase repeats in a way that suggests an editing oversight: > aborting the > connection would be to ignore the valuable feature of the Internet > that for many internal failures it reconstructs its function without > any disruption of the end points Sorry... I wasn't able to catch the "oversight" you refer to... :-( > Page 24-26 > > A more general way of describing the mitigation strategy would be to > point out the general principle that error messages may be ignored > whenever a packet indicating success is received within the timeout > window. In other words no final processing decisions should be made on > an unauthenticated ICMP packet until after the timeout window expires. Section 7.2 already states: " The described mechanism basically disregards ICMP messages when a connection makes progress, without violating any of the requirements stated in [RFC1191] and [RFC1981]." Please let me know if this text addresses your comment, or whether you think I should craft another paragraph mentioning that of "ignore messages whenever a packet indicating progress is received". Thanks! Kind regards, -- Fernando Gont e-mail: fernando@gont.com.ar || fgont@acm.org PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
- [secdir] SECDIR REVIEW of draft-ietf-tcpm-icmp-at… Phillip Hallam-Baker
- Re: [secdir] [tcpm] SECDIR REVIEW of draft-ietf-t… Lars Eggert
- Re: [secdir] [tcpm] SECDIR REVIEW of draft-ietf-t… Joe Touch
- Re: [secdir] [tcpm] SECDIR REVIEW of draft-ietf-t… Joe Touch
- Re: [secdir] [tcpm] SECDIR REVIEW of draft-ietf-t… Anantha Ramaiah (ananth)
- Re: [secdir] SECDIR REVIEW of draft-ietf-tcpm-icm… Fernando Gont
- Re: [secdir] [tcpm] SECDIR REVIEW of draft-ietf-t… Fernando Gont
- Re: [secdir] [tcpm] SECDIR REVIEW of draft-ietf-t… Fernando Gont
- Re: [secdir] [tcpm] SECDIR REVIEW of draft-ietf-t… Joe Touch
- Re: [secdir] [tcpm] SECDIR REVIEW of draft-ietf-t… Anantha Ramaiah (ananth)
- Re: [secdir] [tcpm] SECDIR REVIEW of draft-ietf-t… Joe Touch
- Re: [secdir] [tcpm] SECDIR REVIEW of draft-ietf-t… Phillip Hallam-Baker
- Re: [secdir] [tcpm] SECDIR REVIEW of draft-ietf-t… Joe Touch