[tcpm] Alfred Hoenes: draft-ietf-tcpm-icmp-attacks-01 (etc.)
Fernando Gont <fernando@gont.com.ar> Sat, 10 February 2007 22:39 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1HG0sp-0006Te-40; Sat, 10 Feb 2007 17:39:51 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1HG0sn-0006TL-OE for tcpm@ietf.org; Sat, 10 Feb 2007 17:39:49 -0500
Received: from smtp1.xmundo.net ([201.216.232.80]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1HG0sk-0006hv-WF for tcpm@ietf.org; Sat, 10 Feb 2007 17:39:49 -0500
Received: from venus.xmundo.net (venus.xmundo.net [201.216.232.56]) by smtp1.xmundo.net (Postfix) with ESMTP id BA03D115BAB4 for <tcpm@ietf.org>; Sat, 10 Feb 2007 19:39:33 -0300 (ART)
Received: from fgont.gont.com.ar (157-184-231-201.fibertel.com.ar [201.231.184.157]) (authenticated bits=0) by venus.xmundo.net (8.12.11.20060308/8.12.11) with ESMTP id l1AMdRSb012723 for <tcpm@ietf.org>; Sat, 10 Feb 2007 19:39:31 -0300
Message-Id: <7.0.1.0.0.20070210172217.0a209320@gont.com.ar>
X-Mailer: QUALCOMM Windows Eudora Version 7.0.1.0
Date: Sat, 10 Feb 2007 17:23:43 -0300
To: tcpm@ietf.org
From: Fernando Gont <fernando@gont.com.ar>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"; format="flowed"
Content-Transfer-Encoding: quoted-printable
X-Greylist: Sender succeeded SMTP AUTH authentication, not delayed by milter-greylist-2.0.2 (venus.xmundo.net [201.216.232.56]); Sat, 10 Feb 2007 19:39:33 -0300 (ART)
X-Spam-Score: 0.1 (/)
X-Scan-Signature: ebd5ffc455fd7bcccba963126e1cf1f5
Subject: [tcpm] Alfred Hoenes: draft-ietf-tcpm-icmp-attacks-01 (etc.)
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
Errors-To: tcpm-bounces@ietf.org
Folks, I received this feedback from Alfred Hoenes. I will most my answers soon. >From: Alfred =?hp-roman8?B?SM5uZXM=?= <ah@tr-sys.de> >Subject: draft-ietf-tcpm-icmp-attacks-01 (etc.) >To: fernando@gont.com.ar >Date: Wed, 10 Jan 2007 01:10:02 +0100 (MEZ) > >Hello, >after studying your I-D, draft-ietf-tcpm-icmp-attacks-01, >I would like to send you e few comments pointing out (mostly) >textual issues I found in that draft (and in a related note >you have posted). > >After reading your exposition, I really wonder why these issues, >and the countermeasures against, have not been discovered already >many years ago -- such clear is the threat, und such logical seem >the remedies! > >Here are the textual issues I found in the draft, documented as: > > <original text> >--- > <proposed/changed text> > >I use change bars ('|' in column 1) and occasionally >up/down pointing marker lines ('^^^'/'vvv') to emphasize >the location of textual issues and/or proposed corrections. >All snippits are taken preserving the original identation >and formatting; modified text has been re-adjusted to match >I-D / RFC formatting rules, where appropriate. > > >(1) Section 1: > >In the first paragraph: > > ICMP [RFC0792] is a fundamental part of the TCP/IP protocol suite, > and is used mainly for reporting network error conditions. However, > the current specifications do not recommend any kind of validation >| checks on the received ICMP error messages, thus allowing variety of > attacks against TCP [RFC0793] by means of ICMP, which include blind > connection-reset, blind throughput-reduction, and blind performance- > degrading attacks. All of these attacks can be performed even being > off-path, without the need to sniff the packets that correspond to > the attacked TCP connection. >--- > ICMP [RFC0792] is a fundamental part of the TCP/IP protocol suite, > and is used mainly for reporting network error conditions. However, > the current specifications do not recommend any kind of validation >| checks on the received ICMP error messages, thus allowing a variety > of attacks against TCP [RFC0793] by means of ICMP, which include > blind connection-reset, blind throughput-reduction, and blind > performance-degrading attacks. All of these attacks can be performed > even being off-path, without the need to sniff the packets that > correspond to the attacked TCP connection. > >(2) Section 2.2 > >(2a) >In the 4th paragraph, there's the first occurrence of an 'unsatisfied' >reference tag (see marked line below): [Touch-antispoof] >This same tag recurs in the last sentence of Section 4.1, but it does >*not* appear in the References sections. > >I guess (after browsing the I-D index) that it should be: > draft-ietf-tcpm-tcp-antispoof-05 > >Please add the appropriate bibliographic entry to Section 10.2 > >(2b) >In the same paragraph, there's a typo (singular/plural mismatch): > > Generally, the four-tuple required to perform these attacks is not >| known. However, as discussed in [Watson] and [Touch-antispoof], > there are a number of scenarios (notably that of TCP connections > established between two BGP routers), in which an attacker may be > able to know or guess the four-tuple that identifies a TCP > connection. In such a case, if we assume the attacker knows the two > systems involved in the TCP connection to be attacked, both the > client-side and the server-side IP addresses could be known or be > within a reasonable number of possibilities. Furthermore, as most > Internet services use the so-called "well-known" ports, only the >| client port number might need to be guessed. In such a scenario, an > attacker would need to send, in principle, at most 65536 packets to > perform any of the attacks described in this document. However, as > most systems choose the port numbers they use for outgoing > connections from a subset of the whole port number space, the amount > of packets needed to successfully perform any of the attacks > discussed in this document could be further reduced. >--- > Generally, the four-tuple required to perform these attacks is not > known. However, as discussed in [Watson] and [Touch-antispoof], > there are a number of scenarios (notably that of TCP connections > established between two BGP routers), in which an attacker may be > able to know or guess the four-tuple that identifies a TCP > connection. In such a case, if we assume the attacker knows the two > systems involved in the TCP connection to be attacked, both the > client-side and the server-side IP addresses could be known or be > within a reasonable number of possibilities. Furthermore, as most > Internet services use the so-called "well-known" ports, only the >| client port number might needs to be guessed. In such a scenario, an > attacker would need to send, in principle, at most 65536 packets to > perform any of the attacks described in this document. However, as > most systems choose the port numbers they use for outgoing > connections from a subset of the whole port number space, the amount > of packets needed to successfully perform any of the attacks > discussed in this document could be further reduced. > >(3) Section 2.3 > >In the first paragraph, there's a typo (missing "of"), and a sentence >with two verbs. I guess the "receives" should be deleted in favour of >the "is": > >| Section 5.2 of [RFC4301] describes the processing inbound IP Traffic > in the case of "unprotected-to-protected". In the case of ICMP, when > an unprotected ICMP error message is received, it is matched to the > corresponding security association by means of the SPI (Security > Parameters Index) included in the payload of the ICMP error message. > Then, local policy is applied to determine whether to accept or > reject the message and, if accepted, what action to take as a result. > For example, if an ICMP unreachable message is received, the > implementation must decide whether to act on it, reject it, or act on > it with constraints. Section 8 ("Path MTU/DF processing") discusses > the processing of unauthenticated ICMP "fragmentation needed and DF > bit set" (type 3, code 3) and ICMPv6 "Packet Too Big" (type 2, code >| 0) messages when an IPsec implementation receives is configured to > process (vs. ignore) such messages. >--- >| Section 5.2 of [RFC4301] describes the processing of inbound IP > Traffic in the case of "unprotected-to-protected". In the case of > ICMP, when an unprotected ICMP error message is received, it is > matched to the corresponding security association by means of the SPI > (Security Parameters Index) included in the payload of the ICMP error > message. Then, local policy is applied to determine whether to > accept or reject the message and, if accepted, what action to take as > a result. For example, if an ICMP unreachable message is received, > the implementation must decide whether to act on it, reject it, or > act on it with constraints. Section 8 ("Path MTU/DF processing") > discusses the processing of unauthenticated ICMP "fragmentation > needed and DF bit set" (type 3, code 3) and ICMPv6 "Packet Too Big" >| (type 2, code 0) messages when an IPsec implementation is configured > to process (vs. ignore) such messages. > >(4) Section 5.2 > >I did not understand the last sentence in that (single) paragraph >there, until I finally arrived at guesssing that the word "advice" >perhaps should be deleted. > > [...]. Given the > hostile environments in which TCP currently operates in, and that >| advice ICMP provides an attack vector that is easier to exploit than > others (such as those discussed in [I-D.ietf-tcpm-tcpsecure]), we > believe that the improvements in TCP's resistance to these attacks > justify not taking the advice provided by the "SHOULDs" in [RFC1122]. >--- > [...]. Given the > hostile environments in which TCP currently operates in, and that >| ICMP provides an attack vector that is easier to exploit than others > (such as those discussed in [I-D.ietf-tcpm-tcpsecure]), we believe > that the improvements in TCP's resistance to these attacks justify > not taking the advice provided by the "SHOULDs" in [RFC1122]. > >(5) Section 5.2.1 > >(5a) >In the first paragraph, the wording should be improved: > > An analysis of the circumstances in which ICMP messages that indicate >| hard errors may be received can shed some light to eliminate the > impact of ICMP-based blind connection-reset attacks. >--- > An analysis of the circumstances in which ICMP messages that indicate >| hard errors may be received can shed some light on how to eliminate > the impact of ICMP-based blind connection-reset attacks. > >(5b) >In the discussion of the > > ICMPv6 type 1 (Destination Unreachable), code 1 (communication with > destination administratively prohibited) > >there is a sentence that did not make sense to me; maybe it does not >even say what you wanted to say : > > [...] However, there is no reason to think that in > the same way this error condition appeared, it will not get solved > in the near term. [...] > >I guess it was intended to state something like: > > In real life, this error condition will appear > very rarely; if it persists, it will be handled correctly after the > ensuing ACK timeout. > >(5b) >In the paragraph after the five ICMP message type explanations (this is >the 5th-to-last paragraph of the section), there are two sentences with >two verbs each: "is" + "is" , and "are" + "indicate" , respectively: > > Therefore, when following the reasoning explained above, TCPs in > synchronized states would treat all of the above messages as > indicating "soft errors", rather than "hard errors", and thus would >| not abort the corresponding connection upon receipt of them. This is > policy is based on the premise that TCP should be as robust as > possible. Reaction to these messages when they are meant for > connections in non-synchronized states could still remain as adviced > by [RFC1122], as we consider the attack window for connections in the > non-synchronized states is very small, and error messages received in >| these states are more likely indicate that the connection was opened > improperly [RFC0816]. Additionally, for the sake of robustness and > security, those implementations following the reasoning explained in > this section would not extrapolate ICMP errors across TCP > connections. >--- > Therefore, when following the reasoning explained above, TCPs in > synchronized states would treat all of the above messages as > indicating "soft errors", rather than "hard errors", and thus would >| not abort the corresponding connection upon receipt of them. This > policy is based on the premise that TCP should be as robust as > possible. Reaction to these messages when they are meant for > connections in non-synchronized states could still remain as adviced > by [RFC1122], as we consider the attack window for connections in the > non-synchronized states is very small, and error messages received in >| these states more likely indicate that the connection was opened > improperly [RFC0816]. Additionally, for the sake of robustness and > security, those implementations following the reasoning explained in > this section would not extrapolate ICMP errors across TCP > connections. > >(5c) >In the subsequent paragraph, the above 'magic' sentence recurs in >slightly modified form: > > In case the received message were legitimate, it would mean that the > error condition appeared during the life of the corresponding >| connection. However, in many scenarios there is no reason to think >| that in the same way this error condition appeared, it will not get >| solved in the near term. [...] > >"there is no reason to think that ... it will not get solved ..." >just contains too many negations. This sentence might be replaced >in a similar way as proposed above. > >(5d) >Stepping ahead, in the next paragraph (3rd-to-last in the Section), >the wording should preferrably be improved: > >| One scenario in which a host would benefit from treating the so- > called ICMP "hard errors" as "soft errors" would be that in which the > packets that correspond to a given TCP connection are routed along > multiple different paths. [...] >--- >| Another scenario in which a host would benefit from treating the so- > called ICMP "hard errors" as "soft errors" would be that in which the > packets that correspond to a given TCP connection are routed along > multiple different paths. [...] > >(5e) >The next paragraph deals with ignored error messages and out-of-band >signalling of error conditions. Therefore, "received error messages" >should better be replaced by just "error conditions" : > > It is interesting to note that, as ICMP error messages are > unreliable, transport protocols should not depend on them for correct > functioning. In the event one of these messages were legitimate, the > corresponding connection would eventually time out. Also, >| applications may still be notified asynchronously about the received >| error messages, and thus may still abort their connections on their > own if they consider it appropriate. >--- > It is interesting to note that, as ICMP error messages are > unreliable, transport protocols should not depend on them for correct > functioning. In the event one of these messages were legitimate, the > corresponding connection would eventually time out. Also, >| applications may still be notified asynchronously about the error >| conditions, and thus may still abort their connections on their own > if they consider it appropriate. > >[ In place of "error conditions", you might prefer "error condition", > "errors", or "error" . ] > >(6) Section 5.2.3 > >(6a) >As in (5e) above (including the note), in the first paragraph: > > [...]. It should also be noted that applications may >| still be notified asynchronously about the received error messages, > and thus may still abort their connections on their own if they > consider it appropriate. >--- > [...]. It should also be noted that applications may >| still be notified asynchronously about the error conditions, and thus > may still abort their connections on their own if they consider it > appropriate. > >(6b) >And again, in the second paragraph: > > [...]. Additionally, applications may still be notified >| asynchronously about the received error messages, and thus may still > abort their connections on their own if they consider it appropriate. >--- > [...]. Additionally, applications may still be notified >| asynchronously about the error conditions, and thus may still > abort their connections on their own if they consider it appropriate. > >(7) Section 6.1 > >At the end of the (single) paragraph, add the missing article, "an": > >| [...]. The throughput achieved during attack might be a > little higher if a larger initial congestion window is in use > [RFC3390]. >--- >| [...]. The throughput achieved during an attack might be > a little higher if a larger initial congestion window is in use > [RFC3390]. > >(8) Section 7.1 > >I propose a textual enhancement in the 5th paragraph. >IMHO, the referred to "IRQ ... rate" problem is only one face of the >whole story. Below, I substitute "protocol processing time" for that >(you might also add it, as "IRQ ... rate and protocol processing time"). > > [...]. On >| virtually all systems this will lead to an increase in the IRQ >| (Interrrupt ReQuest) rate, thus increasing processor utilization, and > degrading the overall system performance. >--- > [...]. On >| virtually all systems this will lead to an increase in the protocol >| processing time, thus increasing processor utilization, and degrading > the overall system performance. > >(9) Section 7.2 > >(9a) >In the classification performed: > > To achieve both goals, we can divide the traditional PMTUD mechanism > into two stages: Initial Path-MTU Discovery, and Path-MTU Update. > >the latter apparently is intended to deal with PMTU reduction only, >as can be seen from the subsequent discussion. > >IMHO, that has one serious drawback: it does not cover the "probing >for PMTU increase" described in the third paragraph of Section 3 of >RFC 1191, intended to discover effective PMTU introduced by routing >changes. I'm not sure whether this procedure is handled gracefully >by your algorithm -- but I might err here; I just do not have enough >spare time to delve into performing 'mental simulation' for that >scenario now. Please check. > >In any case, I would appreciate an extended discussion clearly >covering this third case, throughout Section 7.2, and perhaps also >an addition to Appendix A showing the behaviour during PMTU probing. > >(9b) >In the 17th paragraph of Section 7.2, perhaps "everytime" should be >replaced by "every time", according to the context. > >(10) References > >(10a) missing entry -- see (2a) above > >(10b) >There's a typo in your own URI [Ouch!] : > > [ICMP-Filtering] > Gont, F., "Filtering of ICMP error messages", http:// > www.gont.com.ar/papers/filtering-icmp-error-messages.pdf. >--- > [ICMP-Filtering] > Gont, F., "Filtering of ICMP error messages", http:// > www.gont.com.ar/papers/filtering-of-icmp-error-messages.pdf. > ^^^ >BTW: >... And in that memo, I found two small typos as well: > >(F1) First bullet on page 1: > "on of" --> "one of" > >(F2) First subordinate bullet of first bullet on page 2: > "intermmediate" --> "intermediate" > >(11) Appendix B > >(11a) >Repeated "far" <--> "for" ; missing punctuation > > maxsizeacked > Variable holding the largest packet size (data, plus headers) that >| has so for been acked far this connection, as explained in >| Section 7.2 >--- > maxsizeacked > Variable holding the largest packet size (data, plus headers) that >| has so far been acked for this connection, as explained in >| Section 7.2. > > maxsizesent > Variable holding the largest packet size (data, plus headers) that >| has so for been sent far this connection, as explained in >| Section 7.2 >--- > maxsizesent > Variable holding the largest packet size (data, plus headers) that >| has so far been sent for this connection, as explained in >| Section 7.2. > > nsegrto > Variable holding the number of times this segment has timed out, >| as explained in Section 7.2 >--- > nsegrto > Variable holding the number of times this segment has timed out, >| as explained in Section 7.2. > > packet_size >| Variable holding the size of the IP datagram being sent >--- > packet_size >| Variable holding the size of the IP datagram being sent. > >(11b) >In the pseudocode for > > EVENT: Segment is received > >correct > if (pending_mesage) >--- > if (pending_message) > >(11c) >The presentation of the pseudocode for > > EVENT: ICMP "Packet Too Big" message is received > >suffers from the deep nesting and varying use of braces. >[Note: That's perfectly o.k. from a syntax point of view (in 'C').] >I propose to streamline the presentation to enhance the readability, >by making it more compact and better show the structure of a single >case switch (exactly one of the code blocks is to be executed in >any case): > > if (claimedtcpseq < SND.UNA || claimed_TCP_SEQ >= SND.NXT){ > drop_message(); >| } >| >| else { >| if (claimedmtu >= maxsizesent || claimedmtu >= current_mtu) > drop_message(); >| >| else { >| if (claimedmtu > maxsizeacked){ > adjust_mtu(); > current_mtu = claimedmtu; > maxsizesent = MINIMUM_MTU; >| } >| >| else { > pending_message = 1; > save_message(); >| } >| } > } >--- >| if (claimedtcpseq < SND.UNA || claimed_TCP_SEQ >= SND.NXT) { >| drop_message(); >| } else if (claimedmtu >= maxsizesent || >| claimedmtu >= current_mtu) { >| drop_message(); >| } else if (claimedmtu > maxsizeacked) { >| adjust_mtu(); >| current_mtu = claimedmtu; >| maxsizesent = MINIMUM_MTU; >| } else { >| pending_message = 1; >| save_message(); >| } > >[ This time, I also have tagged the lines that only had their > indentation changed, because that's the visual clue intended; I have > removed the redundant braces of type else { if <statement> } , > but added (arguably redundant) braces around the second instance of > drop_message(); just for symmetry; the line break after '||' is > introduced only to accomodate for the line length restriction. ] > >(12) Appendix E > >(12a) >Apparently there is something wrong with E.1 and E.2 : > >E.1. Changes from draft-gont-tcpm-icmp-attacks-05 <---+ >E.2. Changes from draft-ietf-tcpm-icmp-attacks-00 <---+ >E.3. Changes from draft-gont-tcpm-icmp-attacks-04 >E.4. Changes from draft-gont-tcpm-icmp-attacks-03 >E.5. Changes from draft-gont-tcpm-icmp-attacks-02 >E.6. Changes from draft-gont-tcpm-icmp-attacks-01 >E.7. Changes from draft-gont-tcpm-icmp-attacks-00 > >Shouldn't the sequence of the subsections correspond to the history, >with the draft-ietf-*-00 being the latest, listed first? > >I do not know whether just the headlines are exchanged, or the full >sub-sections are misoredered. Please check. > >(12b) typo in current E.2 : > >| o Added an specific section on IPsec (Section 2.3) >--- >| o Added a specific section on IPsec (Section 2.3) > >(12b) garbage in E.6 : > >| o Added Section on Acknowledgement number checking"/> >--- >| o Added Section on Acknowledgement number checking > > >Best regards, > Alfred HÎnes. > >-- > >+------------------------+--------------------------------------------+ >| TR-Sys Alfred Hoenes | Alfred Hoenes Dipl.-Math., Dipl.-Phys. | >| Gerlinger Strasse 12 | Phone: (+49)7156/9635-0, Fax: -18 | >| D-71254 Ditzingen | E-Mail: ah@TR-Sys.de | >+------------------------+--------------------------------------------+ -- Fernando Gont e-mail: fernando@gont.com.ar || fgont@acm.org PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1 _______________________________________________ tcpm mailing list tcpm@ietf.org https://www1.ietf.org/mailman/listinfo/tcpm
- [tcpm] Alfred Hoenes: draft-ietf-tcpm-icmp-attack… Fernando Gont
- [tcpm] Alfred Hoenes: draft-ietf-tcpm-icmp-attack… Fernando Gont