Re: [tcpm] WG Last Call for ICMP Attacks

Joe Touch <touch@ISI.EDU> Wed, 02 September 2009 21:11 UTC

Message-ID: <4A9EDEDD.2030308@isi.edu>
Date: Wed, 02 Sep 2009 14:08:45 -0700
From: Joe Touch <touch@ISI.EDU>
To: "Smith, Donald" <Donald.Smith@qwest.com>
References: <F1534040-EA0D-44E4-98F7-67C24CD12CCF@windriver.com> <B01905DA0C7CDC478F42870679DF0F1005B64E383D@qtdenexmbm24.AD.QINTRA.COM>
In-Reply-To: <B01905DA0C7CDC478F42870679DF0F1005B64E383D@qtdenexmbm24.AD.QINTRA.COM>
Cc: 'tcpm Extensions WG' <tcpm@ietf.org>, 'David Borman' <david.borman@windriver.com>
Subject: Re: [tcpm] WG Last Call for ICMP Attacks


Smith, Donald wrote:
> 1.
> ICMP [RFC0792] is a fundamental part of the TCP/IP protocol suite,
>    and is used mainly for reporting network error conditions.
> 
> ICMP is part of the IP protocol suite.
> 
> 2.2
> Therefore, in the case of TCP, an attacker could send a forged ICMP
>    message to the attacked system, and, as long as he is able to guess
>    the four-tuple (i.e., Source IP Address, Source TCP port, Destination
>    IP Address, and Destination TCP port) that identifies the
>    communication instance to be attacked, he will be able to use ICMP to
>    perform a variety of attacks.
> 
> Forged usually implies that the source IP address has been spoofed, usually to come from some type of trusted host.
> Crafted is the term generally used to mean the packet's contents (not header) were modified.
> In this case there is no need to spoof the source IP address, as the end host has no knowledge about the routers in between them and the end host system. So I recommend you change forged to crafted.

I've not heard that there was such clarity on the term forged or
crafted, but neither is the case here.

The attacker emits an ICMP message. It doesn't need a falsified header.
It doesn't need to be a "modified" packet. E.g., it can be created based
on information seen on the media.

It might just be called a "false ICMP message", i.e., it's reporting an
event that didn't happen.

Joe
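An added example, not part of this thread: a receiver-side plausibility check for an incoming ICMP error that accepts it only when the embedded four-tuple matches a tracked connection and, as an additional check I assume here following RFC 5927, the embedded TCP sequence number lies in that connection's send window. The names `Conn`, `build_icmp_error` and `icmp_error_is_plausible` and all addresses are my own constructed sample values.

```python
import struct
from collections import namedtuple

# Constructed connection-table entry: local/remote endpoints plus send window.
Conn = namedtuple("Conn", "src_ip src_port dst_ip dst_port snd_una snd_nxt")

def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def parse_icmp_error(pkt: bytes):
    """Parse an ICMPv4 error: 8-byte ICMP header, then the embedded IP header
    and the first 8 bytes of the offending transport header (RFC 792)."""
    icmp_type, icmp_code = pkt[0], pkt[1]
    inner = pkt[8:]
    ihl = (inner[0] & 0x0F) * 4            # embedded IP header length
    proto = inner[9]
    src_ip, dst_ip = _ip(inner[12:16]), _ip(inner[16:20])
    sport, dport, seq = struct.unpack("!HHI", inner[ihl:ihl + 8])
    return icmp_type, icmp_code, proto, src_ip, sport, dst_ip, dport, seq

def seq_in_window(seq: int, una: int, nxt: int) -> bool:
    """Modular comparison so the check survives 32-bit sequence wraparound."""
    return (seq - una) % 2**32 < (nxt - una) % 2**32

def icmp_error_is_plausible(pkt: bytes, table: dict) -> bool:
    """True only if the embedded datagram names a tracked TCP connection and
    its sequence number is one we could actually have sent (assumed check)."""
    _, _, proto, src_ip, sport, dst_ip, dport, seq = parse_icmp_error(pkt)
    if proto != 6:                          # only TCP connections are tracked
        return False
    # The embedded datagram was sent by us, so src is our local endpoint.
    conn = table.get((src_ip, sport, dst_ip, dport))
    if conn is None:
        return False
    return seq_in_window(seq, conn.snd_una, conn.snd_nxt)

def build_icmp_error(icmp_type, icmp_code, src_ip, sport, dst_ip, dport, seq):
    """Construct a sample ICMP error (checksums left zero) for offline tests."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    tcp8 = struct.pack("!HHI", sport, dport, seq)
    return struct.pack("!BBHI", icmp_type, icmp_code, 0, 0) + ip + tcp8

if __name__ == "__main__":
    table = {("10.0.0.1", 40000, "192.0.2.10", 443):
             Conn("10.0.0.1", 40000, "192.0.2.10", 443, 1000, 2000)}
    pkt = build_icmp_error(3, 4, "10.0.0.1", 40000, "192.0.2.10", 443, 1500)
    print(icmp_error_is_plausible(pkt, table))   # True
```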