Re: [tcpm] WG Last Call for ICMP Attacks
Joe Touch <touch@ISI.EDU> Wed, 02 September 2009 23:05 UTC
Return-Path: <touch@ISI.EDU>
X-Original-To: tcpm@core3.amsl.com
Delivered-To: tcpm@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C286228C328 for <tcpm@core3.amsl.com>; Wed, 2 Sep 2009 16:05:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.299
X-Spam-Level:
X-Spam-Status: No, score=-2.299 tagged_above=-999 required=5 tests=[AWL=0.300, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id txCa0qPpYIws for <tcpm@core3.amsl.com>; Wed, 2 Sep 2009 16:05:49 -0700 (PDT)
Received: from vapor.isi.edu (vapor.isi.edu [128.9.64.64]) by core3.amsl.com (Postfix) with ESMTP id CA8143A6EDF for <tcpm@ietf.org>; Wed, 2 Sep 2009 16:05:49 -0700 (PDT)
Received: from [75.213.81.255] ([75.213.81.255]) (authenticated bits=0) by vapor.isi.edu (8.13.8/8.13.8) with ESMTP id n82N5AwG013366 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Wed, 2 Sep 2009 16:05:12 -0700 (PDT)
Message-ID: <4A9EFA25.8080203@isi.edu>
Date: Wed, 02 Sep 2009 16:05:09 -0700
From: Joe Touch <touch@ISI.EDU>
User-Agent: Thunderbird 2.0.0.23 (Windows/20090812)
MIME-Version: 1.0
To: "Smith, Donald" <Donald.Smith@qwest.com>
References: <F1534040-EA0D-44E4-98F7-67C24CD12CCF@windriver.com> <B01905DA0C7CDC478F42870679DF0F1005B64E383D@qtdenexmbm24.AD.QINTRA.COM> <4A9EDEDD.2030308@isi.edu> <B01905DA0C7CDC478F42870679DF0F1005B64E385A@qtdenexmbm24.AD.QINTRA.COM>
In-Reply-To: <B01905DA0C7CDC478F42870679DF0F1005B64E385A@qtdenexmbm24.AD.QINTRA.COM>
X-Enigmail-Version: 0.96.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
Cc: 'tcpm Extensions WG' <tcpm@ietf.org>, 'David Borman' <david.borman@windriver.com>
Subject: Re: [tcpm] WG Last Call for ICMP Attacks
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tcpm>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Sep 2009 23:05:50 -0000
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Smith, Donald wrote: ... > "ICMP packet with falsified content" would be a good description. Sounds better to me. Joe >> -----Original Message----- >> From: Joe Touch [mailto:touch@ISI.EDU] >> Sent: Wednesday, September 02, 2009 3:09 PM >> To: Smith, Donald >> Cc: 'David Borman'; 'tcpm Extensions WG' >> Subject: Re: [tcpm] WG Last Call for ICMP Attacks >> > > > Smith, Donald wrote: >>>> 1. >>>> ICMP [RFC0792] is a fundamental part of the TCP/IP protocol suite, >>>> and is used mainly for reporting network error conditions. >>>> >>>> ICMP is part of the IP protocol suite. >>>> >>>> 2.2 >>>> Therefore, in the case of TCP, an attacker could send a forged ICMP >>>> message to the attacked system, and, as long as he is > able to guess >>>> the four-tuple (i.e., Source IP Address, Source TCP > port, Destination >>>> IP Address, and Destination TCP port) that identifies the >>>> communication instance to be attacked, he will be able > to use ICMP to >>>> perform a variety of attacks. >>>> >>>> Forged usually implies that source ip address has been > spoofed usually to come from some type of trusted host. >>>> Crafted is the term generally used to mean the packets > contents (not header) were modified. >>>> In this case there is no need to spoof the source ip > address as the end host has no knowledge about the routers in > between them and the end host system. So I recommend you > change forged to crafted. > > I've not heard that there was such clarity on the term forged or > crafted, but neither is the case here. > > The attacker emits an ICMP message. It doesn't need a > falsified header. > It doesn't need to be a "modified" packet. E.g., it can be > created based > on information seen on the media. > > It might just be called a "false ICMP message", i.e., it's > reporting an > event that didn't happen. > > Joe >> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkqe+iUACgkQE5f5cImnZrs8RQCfVKb2M78n3eZfy32Fy3gpq6Jv V5sAoOu3p+aLhut9Nsx0I6t4BWbDUJbD =xri6 -----END PGP SIGNATURE-----
- [tcpm] WG Last Call for ICMP Attacks David Borman
- Re: [tcpm] WG Last Call for ICMP Attacks Smith, Donald
- Re: [tcpm] WG Last Call for ICMP Attacks Joe Touch
- Re: [tcpm] WG Last Call for ICMP Attacks Smith, Donald
- Re: [tcpm] WG Last Call for ICMP Attacks Joe Touch
- Re: [tcpm] WG Last Call for ICMP Attacks Fernando Gont
- Re: [tcpm] WG Last Call for ICMP Attacks toby.moncaster
- Re: [tcpm] WG Last Call for ICMP Attacks Fernando Gont
- Re: [tcpm] WG Last Call for ICMP Attacks Smith, Donald
- Re: [tcpm] WG Last Call for ICMP Attacks Fernando Gont
- Re: [tcpm] WG Last Call for ICMP Attacks Smith, Donald
- Re: [tcpm] WG Last Call for ICMP Attacks Joe Touch
- Re: [tcpm] WG Last Call for ICMP Attacks Fernando Gont
- Re: [tcpm] WG Last Call for ICMP Attacks Lars Eggert
- Re: [tcpm] WG Last Call for ICMP Attacks Joe Touch
- Re: [tcpm] WG Last Call for ICMP Attacks Carlos Pignataro
- Re: [tcpm] WG Last Call for ICMP Attacks Joe Touch
- Re: [tcpm] WG Last Call for ICMP Attacks Carlos Pignataro
- Re: [tcpm] WG Last Call for ICMP Attacks Joe Touch
- Re: [tcpm] WG Last Call for ICMP Attacks Carlos Pignataro
- Re: [tcpm] WG Last Call for ICMP Attacks Joe Touch
- Re: [tcpm] WG Last Call for ICMP Attacks Anantha Ramaiah (ananth)
- Re: [tcpm] WG Last Call for ICMP Attacks Joe Touch
- Re: [tcpm] WG Last Call for ICMP Attacks Fernando Gont