Re: [tcpm] ICMP attacks draft (issue 1): hard errors -> soft errors (in synchronized states)
Fernando Gont <fernando@gont.com.ar> Fri, 30 September 2005 19:01 UTC
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1ELQ8q-00089T-Pm; Fri, 30 Sep 2005 15:01:56 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1ELQ8p-00087j-5C for tcpm@megatron.ietf.org; Fri, 30 Sep 2005 15:01:55 -0400
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id PAA29520 for <tcpm@ietf.org>; Fri, 30 Sep 2005 15:01:53 -0400 (EDT)
Received: from server.frh.utn.edu.ar ([170.210.17.146] ident=qmailr) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1ELQGi-0006Wc-4D for tcpm@ietf.org; Fri, 30 Sep 2005 15:10:06 -0400
Received: (qmail 6799 invoked from network); 30 Sep 2005 19:01:03 -0000
Received: from unknown (HELO fgont.gont.com.ar) (gont-fernando@10.0.10.7) by server.frh.utn.edu.ar with SMTP; 30 Sep 2005 19:01:03 -0000
Message-Id: <6.2.0.14.0.20050930155718.05963118@pop.frh.utn.edu.ar>
X-Mailer: QUALCOMM Windows Eudora Version 6.2.0.14
Date: Fri, 30 Sep 2005 16:01:31 -0300
To: Joe Touch <touch@ISI.EDU>
From: Fernando Gont <fernando@gont.com.ar>
Subject: Re: [tcpm] ICMP attacks draft (issue 1): hard errors -> soft errors (in synchronized states)
In-Reply-To: <433D85BD.4020204@isi.edu>
References: <6.2.0.14.0.20050923075214.0428faa8@pop.frh.utn.edu.ar> <433411E2.3020005@isi.edu> <6.2.0.14.0.20050923125332.04320008@pop.frh.utn.edu.ar> <20050923165017.GD10959@pun.isi.edu> <6.2.0.14.0.20050927015438.07c2a418@pop.frh.utn.edu.ar> <20050930174011.GK999@pun.isi.edu> <6.2.0.14.0.20050930150854.0592eee0@pop.frh.utn.edu.ar> <433D85BD.4020204@isi.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 538aad3a3c4f01d8b6a6477ca4248793
Cc: tcpm@ietf.org, Ted Faber <faber@ISI.EDU>
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
Sender: tcpm-bounces@ietf.org
Errors-To: tcpm-bounces@ietf.org
At 03:36 p.m. 30/09/2005, Joe Touch wrote: > >> Joe's described a > >> situation (that consists of many different possible causes) where > >> listening to that ICMP is perfectly reasonable. > >> An application's always welcome to shoot itself from TCP's perspective. > > > > I mean that even when you treat the hard error as soft error, you still > > notify it to the application. The application can, upon this > > notification, cause the connection to be aborted. > >FWIW, the application can't do much with ICMPs it didn't expect to be >notified about. So this change requires not only a change to TCP, but a >change to every application that might be affected. That's worth noting >(if not reconsidering the implications of). Strictly speaking, here should be a way to notify applications of the received ICMP messages (as per RFC1122). Yes, in practice this would mean that applications should be modified. What I mean is that, in the event you still want to abort a connection upon receipt of an ICMP message, you can do so at the application layer, when you are notified (if you have decided to) of the received ICMP messages. > >> If you've got questions about the motivations for and support of > >> tcpsecure, there's no need to be coy - no need to make such comments > >> conditionally. :-) > >> > >> Right now, it sounds like the answer to your question is "yes, the WG > >> supports the tcp secure changes, independently of the changes proposed > >> here." > > > > My argument is: Why would an attacker bother to guess a TCP sequence > > number, when it can reset a conenction much more trivially by means of > > ICMP? > > > > "The strength of a chain is that of the weakest link", I mean. > >But TCP-antispoof explains that the chain is already sufficiently weak >in many cases even if you try to fix ICMP. It's weak. But we are making it weaker unnecessarily. -- Fernando Gont e-mail: fernando@gont.com.ar || fgont@acm.org _______________________________________________ tcpm mailing list tcpm@ietf.org https://www1.ietf.org/mailman/listinfo/tcpm
- [tcpm] ICMP attacks draft (issue 1): hard errors … Fernando Gont
- Re: [tcpm] ICMP attacks draft (issue 1): hard err… Joe Touch
- Re: [tcpm] ICMP attacks draft (issue 1): hard err… Fernando Gont
- Re: [tcpm] ICMP attacks draft (issue 1): hard err… Ted Faber
- Re: [tcpm] ICMP attacks draft (issue 1): hard err… Joe Touch
- Re: [tcpm] ICMP attacks draft (issue 1): hard err… Fernando Gont
- Re: [tcpm] ICMP attacks draft (issue 1): hard err… Fernando Gont
- Re: [tcpm] ICMP attacks draft (issue 1): hard err… Fernando Gont
- Re: [tcpm] ICMP attacks draft (issue 1): hard err… Joe Touch
- Re: [tcpm] ICMP attacks draft (issue 1): hard err… Joe Touch
- Re: [tcpm] ICMP attacks draft (issue 1): hard err… Fernando Gont
- Re: [tcpm] ICMP attacks draft (issue 1): hard err… Joe Touch
- Re: [tcpm] ICMP attacks draft (issue 1): hard err… Fernando Gont
- Re: [tcpm] ICMP attacks draft (issue 1): hard err… Joe Touch
- Re: [tcpm] ICMP attacks draft (issue 1): hard err… Fernando Gont
- Re: [tcpm] ICMP attacks draft (issue 1): hard err… Joe Touch
- Re: [tcpm] ICMP attacks draft (issue 1): hard err… Lloyd Wood
- Re: [tcpm] ICMP attacks draft (issue 1): hard err… Jakob Heitz
- Re: [tcpm] ICMP attacks draft (issue 1): hard err… Fernando Gont
- Re: [tcpm] ICMP attacks draft (issue 1): hard err… Ted Faber
- Re: [tcpm] ICMP attacks draft (issue 1): hard err… Fernando Gont
- Re: [tcpm] ICMP attacks draft (issue 1): hard err… Joe Touch
- Re: [tcpm] ICMP attacks draft (issue 1): hard err… Fernando Gont
- Re: [tcpm] ICMP attacks draft (issue 1): hard err… Joe Touch
- Re: [tcpm] ICMP attacks draft (issue 1): hard err… Lloyd Wood
- Re: [tcpm] ICMP attacks draft (issue 1): hard err… Ted Faber
- Re: [tcpm] ICMP attacks draft (issue 1): hard err… Ted Faber
- Re: [tcpm] ICMP attacks draft (issue 1): hard err… Ted Faber
- Re: [tcpm] ICMP attacks draft (issue 1): hard err… Joe Touch
- tcpm-antispoof and TCP's weakness [Re: [tcpm] ICM… Pekka Savola
- Re: tcpm-antispoof and TCP's weakness [Re: [tcpm]… Joe Touch
- Re: tcpm-antispoof and TCP's weakness [Re: [tcpm]… Pekka Savola