Re: [tcpm] Congestion control in face of ICMP unreachable messages
Daniel Schaffrath <daniel.schaffrath@mac.com> Wed, 12 September 2007 18:23 UTC
Return-path: <tcpm-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1IVWsO-0006j9-V7; Wed, 12 Sep 2007 14:23:48 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IVWsN-0006iX-Fj for tcpm@ietf.org; Wed, 12 Sep 2007 14:23:47 -0400
Received: from smtpoutm.mac.com ([17.148.16.78]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1IVWsM-0006Lp-2o for tcpm@ietf.org; Wed, 12 Sep 2007 14:23:47 -0400
Received: from mac.com (smtpin08-en2 [10.13.10.153]) by smtpoutm.mac.com (Xserve/smtpout015/MantshX 4.0) with ESMTP id l8CINjhE011781; Wed, 12 Sep 2007 11:23:45 -0700 (PDT)
Received: from [137.226.12.157] (dhcp157.informatik.rwth-aachen.de [137.226.12.157]) (authenticated bits=0) by mac.com (Xserve/smtpin08/MantshX 4.0) with ESMTP id l8CINf0E016332 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Wed, 12 Sep 2007 11:23:43 -0700 (PDT)
In-Reply-To: <46E15C78.4080706@isi.edu>
References: <8B61F72F-2F75-4388-976F-9748F8784AB3@mac.com> <46C5CFA1.3090603@isi.edu> <443EB15A-FBED-4325-AD04-CCC39E989DDE@mac.com> <46E15C78.4080706@isi.edu>
Mime-Version: 1.0 (Apple Message framework v752.3)
Content-Type: text/plain; charset="US-ASCII"; delsp="yes"; format="flowed"
Message-Id: <15CFCCD8-0CDD-4033-9B83-7C42AEEDD88A@mac.com>
Content-Transfer-Encoding: 7bit
From: Daniel Schaffrath <daniel.schaffrath@mac.com>
Subject: Re: [tcpm] Congestion control in face of ICMP unreachable messages
Date: Wed, 12 Sep 2007 20:23:27 +0200
To: Joe Touch <touch@ISI.EDU>
X-Mailer: Apple Mail (2.752.3)
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 8b431ad66d60be2d47c7bfeb879db82c
Cc: tcpm@ietf.org
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
Errors-To: tcpm-bounces@ietf.org
On 2007/09/07 , at 16:13, Joe Touch wrote: > Daniel Schaffrath wrote: >> On 2007/08/17 , at 18:41, Joe Touch wrote: >>> AFAIK, congestion control response to in-band messages (ACKs) and >>> timeouts (implied loss, as TCP interprets it), as well as to some >>> new >>> fields (ECN, etc.) which are carried in the same packets. >>> >>> Reactions to external congestion signals - ICMP source quench >>> (which has >>> been informally deprecated a while ago, but has not been >>> documented as >>> such yet) or otherwise - would constitute another opportunity for >>> a DOS >>> attack, and seem like a bad idea to encourage. >> >> I am note sure your security concerns really apply :) If the bad user >> controls the forwarding node, there is no need to rely on ICMP >> message >> to cause harm. Instead, just dropping random segments would do the >> job. >> If the bad user is off the forwarding node, she would need (as usual) >> guess port and sequence numbers. > > Only port numbers. Sequence numbers strictly don't matter for ICMPs. But that is under way, if I am not mistaken (draft-ietf-tcpm-icmp- attacks-02). And Linux for instance already implements it... >> If she is able to guess right, she >> might as well opt to send forged ACK dupacks to cause harm, or for an >> ECN capable transport just one ECE marked ACK. > > ICMPs don't need to come from the endpoint IP address, i.e., address > verification will prevent spoofed ACKs, but cannot prevent ICMPs, > since > the latter need not have spoofed source addresses. Ok, but if a router is (potentially) able to check for spoofed IP source addresses it could as well check for spoofed/illegal ICMP payloads (which contain both IP addresses) . Isn't that true? Apart from that: how common is it to drop spoofed datagrams? It's probably a idealistic assumption, isn't it? [...] Thank you, Daniel Schaffrath _______________________________________________ tcpm mailing list tcpm@ietf.org https://www1.ietf.org/mailman/listinfo/tcpm
- [tcpm] Congestion control in face of ICMP unreach… Daniel Schaffrath
- Re: [tcpm] Congestion control in face of ICMP unr… Ted Faber
- Re: [tcpm] Congestion control in face of ICMP unr… Joe Touch
- Re: [tcpm] Congestion control in face of ICMP unr… Daniel Schaffrath
- Re: [tcpm] Congestion control in face of ICMP unr… Daniel Schaffrath
- Re: [tcpm] Congestion control in face of ICMP unr… Ted Faber
- Re: [tcpm] Congestion control in face of ICMP unr… Joe Touch
- Re: [tcpm] Congestion control in face of ICMP unr… Daniel Schaffrath
- Re: [tcpm] Congestion control in face of ICMP unr… Daniel Schaffrath
- Re: [tcpm] Congestion control in face of ICMP unr… Joe Touch
- Re: [tcpm] Congestion control in face of ICMP unr… Joe Touch
- Re: [tcpm] Congestion control in face of ICMP unr… Daniel Schaffrath
- Re: [tcpm] Congestion control in face of ICMP unr… Daniel Schaffrath
- Re: [tcpm] Congestion control in face of ICMP unr… Ted Faber
- Re: [tcpm] Congestion control in face of ICMP unr… Joe Touch
- Re: [tcpm] Congestion control in face of ICMP unr… Joe Touch
- Re: [tcpm] Congestion control in face of ICMP unr… Daniel Schaffrath
- Re: [tcpm] Congestion control in face of ICMP unr… Joe Touch
- Re: [tcpm] Congestion control in face of ICMP unr… Ted Faber