IETF Logo Mail Archive

Re: [tcpm] ICMP attacks draft

Fernando Gont <fernando@gont.com.ar> Wed, 19 July 2006 06:37 UTC

Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1G35gO-0001lk-OO; Wed, 19 Jul 2006 02:37:20 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1G35gM-0001lf-W9 for tcpm@ietf.org; Wed, 19 Jul 2006 02:37:18 -0400
Received: from venus.xmundo.net ([201.216.232.56]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1G35gK-0000ZT-C4 for tcpm@ietf.org; Wed, 19 Jul 2006 02:37:18 -0400
Received: from fgont.gont.com.ar (171-180-231-201.fibertel.com.ar [201.231.180.171]) (authenticated bits=0) by venus.xmundo.net (8.12.11/8.12.11) with ESMTP id k6J6alYR026419; Wed, 19 Jul 2006 03:37:14 -0300
Message-Id: <7.0.1.0.0.20060719031923.04a637f0@gont.com.ar>
X-Mailer: QUALCOMM Windows Eudora Version 7.0.1.0
Date: Wed, 19 Jul 2006 03:26:37 -0300
To: Joe Touch <touch@ISI.EDU>
From: Fernando Gont <fernando@gont.com.ar>
Subject: Re: [tcpm] ICMP attacks draft
In-Reply-To: <44BD7441.9050206@isi.edu>
References: <0C53DCFB700D144284A584F54711EC5801D9592B@xmb-sjc-21c.amer.cisco.com> <7.0.1.0.0.20060715153423.08601b58@gont.com.ar> <44BB1882.6030904@isi.edu> <7.0.1.0.0.20060717052818.064b28b8@gont.com.ar> <44BCE4FA.1050602@isi.edu> <7.0.1.0.0.20060718160252.066880d8@gont.com.ar> <44BD514C.2090704@isi.edu> <7.0.1.0.0.20060718192327.0427b290@gont.com.ar> <44BD7441.9050206@isi.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
X-Spam-Score: 0.1 (/)
X-Scan-Signature: a7d6aff76b15f3f56fcb94490e1052e4
Cc: tcpm@ietf.org, "Anantha Ramaiah (ananth)" <ananth@cisco.com>
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
Errors-To: tcpm-bounces@ietf.org

At 20:52 18/07/2006, Joe Touch wrote:

> > * The condition for all the so-called hard errors to be treated as soft
> > errors is that the conenction must be in any of the synchronized states.
> > * The reason for not honoring the SHOULD is that in hostile
> > environments, its an attack vector that is easier to perform than
> > others. (I will note the ambiguity in the case of port unreachables)
> > * The good thing of the change is that it mitigates the above threat,
> > and also improves TCP's robustness in the case of multipath scenarios.
>
>I agree with these. It would also be useful to add - to the last one -
>that this *changes* how TCP would behave in multipath scenarios and/or
>path changes, which *may* make TCP less likely to _correctly_ rapidly
>disconnect from a session when a routing change occurs that disconnects
>endpoints.
>
>(i.e., there are cases that this might not be the best choice; trading
>robustness for reactiveness to failure is typical, but not always the
>only choice).

I understand what you mean. However, the message codes to which we 
are changing from hard to soft errors (protocol unreachable and port 
unreachable) are not the ones that would reflect a routing change.

In the case of ICMP frag needed (if TCP does not implement PMTUD), it 
might be an indication of a routing change. Although implementing TCP 
without PMTUD, and at the same time setting the DF bit in the packets 
seems to me, at the very least, very weird.

Or am I missing something?

Kindest regards,

--
Fernando Gont
e-mail: fernando@gont.com.ar || fgont@acm.org
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1






_______________________________________________
tcpm mailing list
tcpm@ietf.org
https://www1.ietf.org/mailman/listinfo/tcpm

v2.23.0 | Report a Bug | By Email