Re: [tcpm] TCPM and draft-ietf-tcpm-icmp-attacks

Joe Touch <touch@ISI.EDU> Fri, 19 February 2010 18:16 UTC

Cc: Fernando Gont

Joe Touch wrote:
> The full text is:
>    There are other mechanisms proposed to reduce the impact of ICMP
>    attacks by further validating ICMP contents and changing the effect
>    of some messages based on TCP state, but these do not provide the
>    level of authentication for ICMP that TCP-AO provides for TCP [Go09].
> It goes on to include SOME of the recommendations in this doc (but
> notably not others, even though widely deployed). Note that these latter
> changes were included because of *your* input *after* last call.

Also note that the changes are considered appropriate in the context of
connections protected by TCP-AO, which is intended to be more
conservative in what it accepts than TCP by design. They may or may not
be appropriate for TCP in general, or may be appropriate, e.g., only
during evidence of a repeated attack.
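The message above refers to mechanisms that "validate ICMP contents" and "change the effect of some messages based on TCP state". The following is an added illustration of that class of check, written for this page; it is not code from the thread, from the draft, or from any TCP implementation. It assumes IPv4, that the ICMP error quotes the offending IP header plus at least the first 8 bytes of the TCP header (ports and sequence number), and uses a simplified state model: a quoted sequence number must fall inside the send window (SND.UNA <= SEG.SEQ < SND.NXT, modulo 2^32) before the error is acted on, and codes 2 and 3 abort only a connection that is still being established. The `build_icmp_error` helper and the sample addresses are constructed for the demonstration; the ICMP checksum is not verified here, which a real stack would do first.

```python
import socket
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

MASK32 = 0xFFFFFFFF
IPPROTO_TCP = 6
ICMP_DEST_UNREACH = 3


@dataclass
class TcpConn:
    """Minimal TCP connection state: the 4-tuple, send window edges and state."""
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    snd_una: int   # oldest unacknowledged sequence number
    snd_nxt: int   # next sequence number to be sent
    state: str     # e.g. "SYN-SENT", "SYN-RECEIVED", "ESTABLISHED"


def seq_in_send_window(seq: int, snd_una: int, snd_nxt: int) -> bool:
    """True if snd_una <= seq < snd_nxt in modulo-2^32 arithmetic."""
    return ((seq - snd_una) & MASK32) < ((snd_nxt - snd_una) & MASK32)


def parse_icmp_error(icmp: bytes) -> Optional[Tuple[int, int, str, str, int, int, int]]:
    """Parse an ICMPv4 error and the IPv4+TCP header it quotes.

    Returns (type, code, src, dst, sport, dport, seq), or None if the quoted
    datagram is not IPv4/TCP or too short to carry ports and sequence number.
    """
    if len(icmp) < 8 + 20 + 8:
        return None
    itype, code = icmp[0], icmp[1]
    inner = icmp[8:]                 # the offending datagram, as sent by us
    if inner[0] >> 4 != 4:
        return None
    ihl = (inner[0] & 0x0F) * 4
    if ihl < 20 or len(inner) < ihl + 8 or inner[9] != IPPROTO_TCP:
        return None
    src = socket.inet_ntoa(inner[12:16])
    dst = socket.inet_ntoa(inner[16:20])
    # First 8 bytes of the TCP header: source port, destination port, sequence number
    sport, dport, seq = struct.unpack("!HHI", inner[ihl:ihl + 8])
    return itype, code, src, dst, sport, dport, seq


def classify_icmp_error(code: int, state: str) -> str:
    """Map a destination-unreachable code to an action, given the TCP state.

    Simplified model for this example: code 4 goes to path MTU discovery;
    codes 2 and 3 (protocol/port unreachable) abort only a connection that is
    not yet synchronized and are otherwise reported as soft errors; the rest
    are soft errors.
    """
    if code == 4:
        return "pmtud"
    if code in (2, 3):
        return "abort" if state in ("SYN-SENT", "SYN-RECEIVED") else "report-soft"
    return "soft"


def validate_icmp_error(icmp: bytes, conns: List[TcpConn]) -> str:
    """Decide what to do with an incoming ICMP error against the connection table."""
    parsed = parse_icmp_error(icmp)
    if parsed is None:
        return "drop-malformed"
    itype, code, src, dst, sport, dport, seq = parsed
    if itype != ICMP_DEST_UNREACH:
        return "drop-unhandled-type"
    for c in conns:
        # The quoted datagram was sent by us, so its src/sport is our local side.
        if (c.local_ip, c.local_port, c.remote_ip, c.remote_port) == (src, sport, dst, dport):
            if not seq_in_send_window(seq, c.snd_una, c.snd_nxt):
                return "drop-seq"          # forged or stale: seq not in flight
            return classify_icmp_error(code, c.state)
    return "drop-nomatch"                  # no connection matches the 4-tuple


def build_icmp_error(itype: int, code: int, src: str, dst: str,
                     sport: int, dport: int, seq: int, proto: int = IPPROTO_TCP) -> bytes:
    """Constructed ICMPv4 error quoting a 20-byte IP header and 8 bytes of TCP.
    Checksum fields are left as zero; this is test input, not wire-valid ICMP."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto, 0,
                           socket.inet_aton(src), socket.inet_aton(dst))
    inner_tcp = struct.pack("!HHI", sport, dport, seq)
    return struct.pack("!BBHI", itype, code, 0, 0) + inner_ip + inner_tcp


if __name__ == "__main__":
    conn = TcpConn("192.0.2.10", 40000, "198.51.100.7", 80, 1000, 1500, "ESTABLISHED")
    pkt = build_icmp_error(3, 3, "192.0.2.10", "198.51.100.7", 40000, 80, 1200)
    print(validate_icmp_error(pkt, [conn]))   # report-soft
```

The two drop branches are the point: an off-path attacker who knows the 4-tuple still has to guess a sequence number inside the send window, and even a matching error no longer tears down an established connection outright.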