IETF Logo Mail Archive

Re: [tcpm] Congestion control in face of ICMP unreachable messages

Joe Touch <touch@ISI.EDU> Thu, 13 September 2007 03:01 UTC

Return-path: <tcpm-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1IVexl-0004w2-UY; Wed, 12 Sep 2007 23:01:53 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IVexk-0004sj-Ov for tcpm@ietf.org; Wed, 12 Sep 2007 23:01:52 -0400
Received: from vapor.isi.edu ([128.9.64.64]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1IVexj-0008Cf-Fq for tcpm@ietf.org; Wed, 12 Sep 2007 23:01:52 -0400
Received: from [127.0.0.1] (pool-71-106-89-188.lsanca.dsl-w.verizon.net [71.106.89.188]) by vapor.isi.edu (8.13.8/8.13.8) with ESMTP id l8D31bjl021468; Wed, 12 Sep 2007 20:01:38 -0700 (PDT)
Message-ID: <46E8A7FE.6000404@isi.edu>
Date: Wed, 12 Sep 2007 20:01:18 -0700
From: Joe Touch <touch@ISI.EDU>
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: Daniel Schaffrath <daniel.schaffrath@mac.com>
Subject: Re: [tcpm] Congestion control in face of ICMP unreachable messages
References: <8B61F72F-2F75-4388-976F-9748F8784AB3@mac.com> <46C5CFA1.3090603@isi.edu> <443EB15A-FBED-4325-AD04-CCC39E989DDE@mac.com> <46E15C78.4080706@isi.edu> <15CFCCD8-0CDD-4033-9B83-7C42AEEDD88A@mac.com>
In-Reply-To: <15CFCCD8-0CDD-4033-9B83-7C42AEEDD88A@mac.com>
X-Enigmail-Version: 0.95.3
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 6e922792024732fb1bb6f346e63517e4
Cc: tcpm@ietf.org
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============0163090937=="
Errors-To: tcpm-bounces@ietf.org

Hi, Daniel,

Daniel Schaffrath wrote:
> 
> On 2007/09/07  , at 16:13, Joe Touch wrote:
>> Daniel Schaffrath wrote:
>>> On 2007/08/17  , at 18:41, Joe Touch wrote:
>>>> AFAIK, congestion control response to in-band messages (ACKs) and
>>>> timeouts (implied loss, as TCP interprets it), as well as to some new
>>>> fields (ECN, etc.) which are carried in the same packets.
>>>>
>>>> Reactions to external congestion signals - ICMP source quench (which
>>>> has
>>>> been informally deprecated a while ago, but has not been documented as
>>>> such yet) or otherwise - would constitute another opportunity for a DOS
>>>> attack, and seem like a bad idea to encourage.
>>>
>>> I am note sure your security concerns really apply :) If the bad user
>>> controls the forwarding node, there is no need to rely on ICMP message
>>> to cause harm. Instead, just dropping random segments would do the job.
>>> If the bad user is off the forwarding node, she would need (as usual)
>>> guess port and sequence numbers.
>>
>> Only port numbers. Sequence numbers strictly don't matter for ICMPs.
> But that is under way, if I am not mistaken
> (draft-ietf-tcpm-icmp-attacks-02). And Linux for instance already
> implements it...

I've already spoken about this at previous IETFs and on this list. The
basic summary:
- the network is under no obligation to respond with ICMPs within one RTT
- as a result, checking to ensure that ICMPs are in-window is incorrect
as it will drop legitimate responses - or worse, interpret them as attacks

The fact that an I-D remains on this point and that Linux implements it
does not change the above.

>>> If she is able to guess right, she
>>> might as well opt to send forged ACK dupacks to cause harm, or for an
>>> ECN capable transport just one ECE marked ACK.
>>
>> ICMPs don't need to come from the endpoint IP address, i.e., address
>> verification will prevent spoofed ACKs, but cannot prevent ICMPs, since
>> the latter need not have spoofed source addresses.
>
> Ok, but if a router is (potentially) able to check for spoofed IP source
> addresses it could as well check for spoofed/illegal ICMP payloads
> (which contain both IP addresses) . Isn't that true?

Routers can check for spoofed addresses as they enter protected regions
of the Internet; if there's a hole in that 'fence' however, packets can
leak in. Once in, they can't necessarily be checked for spoofed
addresses unless they're authenticated, and most are not.

> Apart from that: how common is it to drop spoofed datagrams? It's
> probably a idealistic assumption, isn't it?

In general, yes. You can't assume that spoofed packets are dropped.

Joe

-- 
----------------------------------------------------------------------
Joe Touch                Sr. Network Engineer, USAF TSAT Space Segment
               Postel Center Director & Research Assoc. Prof., USC/ISI


_______________________________________________
tcpm mailing list
tcpm@ietf.org
https://www1.ietf.org/mailman/listinfo/tcpm

v2.23.0 | Report a Bug | By Email