Re: [tcpm] feedcback on tcp-secure-05
Joe Touch <touch@ISI.EDU> Tue, 18 July 2006 13:34 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1G2pi5-0005iW-0l; Tue, 18 Jul 2006 09:34:01 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1G2pi3-0005iR-AA for tcpm@ietf.org; Tue, 18 Jul 2006 09:33:59 -0400
Received: from vapor.isi.edu ([128.9.64.64]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1G2pi1-000183-Ri for tcpm@ietf.org; Tue, 18 Jul 2006 09:33:59 -0400
Received: from [192.168.1.42] (pool-71-106-102-77.lsanca.dsl-w.verizon.net [71.106.102.77]) by vapor.isi.edu (8.11.6p2+0917/8.11.2) with ESMTP id k6IDXOH08095; Tue, 18 Jul 2006 06:33:24 -0700 (PDT)
Message-ID: <44BCE318.9060104@isi.edu>
Date: Tue, 18 Jul 2006 06:33:12 -0700
From: Joe Touch <touch@ISI.EDU>
User-Agent: Thunderbird 1.5.0.4 (Windows/20060516)
MIME-Version: 1.0
To: "Anantha Ramaiah (ananth)" <ananth@cisco.com>
Subject: Re: [tcpm] feedcback on tcp-secure-05
References: <0C53DCFB700D144284A584F54711EC5801DF8827@xmb-sjc-21c.amer.cisco.com>
In-Reply-To: <0C53DCFB700D144284A584F54711EC5801DF8827@xmb-sjc-21c.amer.cisco.com>
X-Enigmail-Version: 0.94.0.0
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 827a2a57ca7ab0837847220f447e8d56
Cc: tcpm@ietf.org, Fernando Gont <fernando@gont.com.ar>
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============0884714396=="
Errors-To: tcpm-bounces@ietf.org
Anantha Ramaiah (ananth) wrote: > > >> -----Original Message----- >> From: Joe Touch [mailto:touch@ISI.EDU] >> Sent: Monday, July 17, 2006 7:31 AM >> To: Anantha Ramaiah (ananth) >> Cc: Fernando Gont; tcpm@ietf.org >> Subject: Re: [tcpm] feedcback on tcp-secure-05 >> >> >> >> Anantha Ramaiah (ananth) wrote: >> .. >>> Another point to note is that TCP SHOULD act (not a MUST) on ICMP >>> reported hard errors. Also in some cases like "port >> unreachable" can >>> be ignored since TCP uses the RST for the purpose of port >> unreachability. >>> This is as per RFC 1122. >> 1122 actually states exactly the opposite: >> >> A transport protocol >> that has its own mechanism for notifying the sender that a >> port is unreachable (e.g., TCP, which sends RST segments) >> MUST nevertheless accept an ICMP Port Unreachable for the >> same purpose. > > Yep, I stand corrected but one of main points above was to point out the > SHOULD language (which makes sense) instead of MUST. So you're changing 1122? That needs to be highlighted. >>> - Some applications would chose to ignore the so called hard errors >>> for a TCP connection. In other words the behaviour can be >> controlled >>> by a CLI and the default would be to ignore this hard >> errors. So the >>> connection reset wouldn't happen. >> The default SHOULD be to act on hard errors unless overridden >> by the application; to do otherwise would be to redefine 1122 >> in this regard. > > Going neutral here, since the systems which I have worked do ignore them > by default and it isn't an RFC voilation. > > As per RFC 2119 : > > "3. SHOULD This word, or the adjective "RECOMMENDED", mean that there > may exist valid reasons in particular circumstances to ignore a > particular item, but the full implications must be understood and > carefully weighed before choosing a different course." > > Most of the applications would like to have a say in the treatment of > ICMP errors by requesting the errors to be passed to it and then > determine the course of action to take. For the ICMP hard errors > described, the action generally doesn't result in connection closure and > also some applications don't even register for some of the hard errors > and also expect TCP not to close the connection instead silently ignore > them 1122 fairly directly indicates that ICMP port unreachable MUST be handled exactly as a RST ("accept for the same purpose"). A SHOULD would be a change to that, and needs to be highlighted as a change to 1122. Further, as you note above, negating a should implies that the document indicate the "particular circumstances" that apply. The doc doesn't currently discuss interpreting violating messages as an attack and after a threshold is reached THEN negating the SHOULD. That's key. > Actually application or TCP level keepalives or retransmission timeouts > act as a catalyst for the connection closure generally and not ICMP > errors. But YMMV and I do not intend to argue on this point. Just > stating my experience. > >> ... >>> I guess my point is ICMP attacks may be a weakest link, but >> wouldn't >>> cause connection resets with proper installed workarounds in place. >>> Yes, I mean without voilating the current RFC's. >> Those workarounds MUST be in place, or they ARE the weakest >> link. That's the point that this document must discuss at least. > > I don't think that tcpsecure document should discuss these workarounds > or advise anything of that sort. It is always good to keep the scope of > the document right and tight. "right and tight" isn't a justification for not discussing the "particular circumstances" above. >>> Also with or without ICMP mitigations in place, one could >> still cause >>> a TCP connection to RESET, if the mitigations described in >> tcp-secure >>> isn't present. >> Without ICMP protection, why bother with a RST when the ICMP >> is _easier_ to generate? > > Easier to generate but workarounds can be planted if necessary like I > have described in earlier emails. On the other hand there aren't any > known "generic workarounds" available for the issues described in > tcp-secure. I say generic workarounds since MD5 is used only by a > handful of applications like BGP, LDP and is a costly workaround and > > Anyways just to summarize : > > The tcp-secure document, can, at the most state something informative > like "ICMP attacks aren't covered in this document blah blah..." and > provide a pointer to the icmp draft if needed. > > To suggest about blocking ICMP etc., calls for stretching too far the > scope of the doc and also it introduces obvious incompleteness. I'm not going to debate this further. I'll be glad to note the omission to the Security AD; if they think this doc is useful without it, fine. > What if > somebody wants to provide some pointer and suggest some > blocking/mitigation mechanisms for something else..? I see no end to > this that way.. > > Agree/dis-agree ? > > :) > -Anantha >> Joe >> >>
_______________________________________________ tcpm mailing list tcpm@ietf.org https://www1.ietf.org/mailman/listinfo/tcpm
- [tcpm] feedcback on tcp-secure-05 Joe Touch
- Re: [tcpm] feedcback on tcp-secure-05 Pekka Savola
- Re: [tcpm] feedcback on tcp-secure-05 Joe Touch
- Re: [tcpm] feedcback on tcp-secure-05 Pekka Savola
- Re: [tcpm] feedcback on tcp-secure-05 Randall Stewart
- Re: [tcpm] feedcback on tcp-secure-05 Joe Touch
- Re: [tcpm] feedcback on tcp-secure-05 Joe Touch
- Re: [tcpm] feedcback on tcp-secure-05 Joe Touch
- Re: [tcpm] feedcback on tcp-secure-05 Randall Stewart
- Re: [tcpm] feedcback on tcp-secure-05 Joe Touch
- Re: [tcpm] feedcback on tcp-secure-05 Fernando Gont
- RE: [tcpm] feedcback on tcp-secure-05 Fernando Gont
- RE: [tcpm] feedcback on tcp-secure-05 Anantha Ramaiah (ananth)
- Re: [tcpm] feedcback on tcp-secure-05 Joe Touch
- Re: [tcpm] feedcback on tcp-secure-05 Joe Touch
- RE: [tcpm] feedcback on tcp-secure-05 Anantha Ramaiah (ananth)
- Re: [tcpm] feedcback on tcp-secure-05 Joe Touch
- Re: [tcpm] feedcback on tcp-secure-05 Ted Faber
- RE: [tcpm] feedcback on tcp-secure-05 Anantha Ramaiah (ananth)
- Re: [tcpm] feedcback on tcp-secure-05 Fernando Gont
- RE: [tcpm] feedcback on tcp-secure-05 Mitesh Dalal (mdalal)
- Re: [tcpm] feedcback on tcp-secure-05 Joe Touch
- Re: [tcpm] feedcback on tcp-secure-05 Joe Touch
- RE: [tcpm] feedcback on tcp-secure-05 Anantha Ramaiah (ananth)
- Re: [tcpm] feedcback on tcp-secure-05: suggested … Ted Faber
- Re: [tcpm] feedcback on tcp-secure-05: suggested … Pekka Savola
- Re: [tcpm] feedcback on tcp-secure-05: suggested … Joe Touch
- Re: [tcpm] feedcback on tcp-secure-05: suggested … Fernando Gont
- Re: [tcpm] feedcback on tcp-secure-05: suggested … Randall Stewart
- Re: [tcpm] feedcback on tcp-secure-05: suggested … Joe Touch
- Re: [tcpm] feedcback on tcp-secure-05 Fernando Gont
- Re: [tcpm] feedcback on tcp-secure-05: suggested … Fernando Gont
- Re: [tcpm] feedcback on tcp-secure-05: suggested … Ted Faber
- Re: [tcpm] feedcback on tcp-secure-05 Joe Touch
- Re: [tcpm] feedcback on tcp-secure-05: suggested … Joe Touch
- Re: [tcpm] feedcback on tcp-secure-05: suggested … Ted Faber
- [tcpm] ICMP attacks draft Fernando Gont
- Re: [tcpm] feedcback on tcp-secure-05: suggested … Fernando Gont
- Re: [tcpm] ICMP attacks draft Joe Touch
- Re: [tcpm] feedcback on tcp-secure-05: suggested … Ted Faber
- Re: [tcpm] feedcback on tcp-secure-05: suggested … Fernando Gont
- Re: [tcpm] feedcback on tcp-secure-05: suggested … Ted Faber
- Re: [tcpm] ICMP attacks draft Fernando Gont
- Re: [tcpm] ICMP attacks draft Joe Touch
- Re: [tcpm] ICMP attacks draft Fernando Gont
- Re: [tcpm] ICMP attacks draft Joe Touch