Re: [tcpm] TCPM and draft-ietf-tcpm-icmp-attacks

Joe Touch <touch@ISI.EDU> Fri, 19 February 2010 18:16 UTC

Message-ID: <4B7ED5B2.7090200@isi.edu>
Date: Fri, 19 Feb 2010 10:17:22 -0800
From: Joe Touch <touch@ISI.EDU>
To: Joe Touch <touch@ISI.EDU>
References: <20100218175622.61BB028C2E3@core3.amsl.com> <2002D196-D83C-4B44-870C-8E9A94D2D640@nokia.com> <4B7D8B9F.1010608@piuha.net> <4B7D8F55.90406@piuha.net> <4B7D92EB.7010407@isi.edu> <4B7DE6B7.4080209@gont.com.ar> <4B7ECCA3.5000505@isi.edu>
In-Reply-To: <4B7ECCA3.5000505@isi.edu>
Cc: tcpm@ietf.org, Fernando Gont <fernando@gont.com.ar>, iesg@ietf.org
Subject: Re: [tcpm] TCPM and draft-ietf-tcpm-icmp-attacks


Joe Touch wrote:
...
> The full text is:
> 
>    There are other mechanisms proposed to reduce the impact of ICMP
>    attacks by further validating ICMP contents and changing the effect
>    of some messages based on TCP state, but these do not provide the
>    level of authentication for ICMP that TCP-AO provides for TCP [Go09].
> 
> It goes on to include SOME of the recommendations in this doc (but
> notably not others, even though widely deployed). Note that these latter
> changes were included because of *your* input *after* last call.

Also note that the changes are considered appropriate in the context of
connections protected by TCP-AO, which is intended to be more
conservative in what it accepts than TCP by design. They may or may not
be appropriate for TCP in general, or may be appropriate, e.g., only
during evidence of a repeated attack.

Joe
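Added example, not from this thread nor from the TCP-AO or icmp-attacks drafts: a Python sketch of the kind of ICMP validation the quoted passage refers to, checking the TCP segment embedded in an ICMPv4 error against a connection table and the send window, and downgrading hard errors to soft ones once a connection is synchronized. The TcpConn record, the build_icmp_error helper, the connection key layout and the policy strings are this example's own assumptions.

```python
import socket
import struct
from dataclasses import dataclass

# Hypothetical connection record (a real stack keeps this in its TCB).
@dataclass
class TcpConn:
    state: str      # e.g. "SYN-SENT" or "ESTABLISHED"
    snd_una: int    # SND.UNA: oldest unacknowledged sequence number
    snd_nxt: int    # SND.NXT: next sequence number to be sent

# Destination Unreachable codes RFC 1122 treats as hard errors
# (protocol/port unreachable); code 4 is left to path-MTU discovery.
HARD_CODES = {2, 3}
SYNCHRONIZED = {"ESTABLISHED", "FIN-WAIT-1", "FIN-WAIT-2", "CLOSE-WAIT",
                "CLOSING", "LAST-ACK", "TIME-WAIT"}

def seq_in_send_window(seq, snd_una, snd_nxt):
    """SND.UNA <= seq < SND.NXT, compared modulo 2**32."""
    return ((seq - snd_una) & 0xFFFFFFFF) < ((snd_nxt - snd_una) & 0xFFFFFFFF)

def build_icmp_error(itype, code, src, dst, sport, dport, seq):
    """Constructed input: ICMPv4 error + inner IPv4 header (no options) + 8 TCP bytes."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0x4000, 64, 6, 0,
                           socket.inet_aton(src), socket.inet_aton(dst))
    inner_tcp = struct.pack("!HHI", sport, dport, seq)   # ports + SEQ of our own segment
    return struct.pack("!BBHI", itype, code, 0, 0) + inner_ip + inner_tcp

def handle_icmp_error(icmp, conns):
    """Decide what a TCP-state-aware receiver does with one ICMPv4 error message."""
    if len(icmp) < 8 + 20 + 8:
        return "drop: truncated"
    itype, code = icmp[0], icmp[1]
    inner = icmp[8:]
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or inner[9] != 6 or len(inner) < ihl + 8:
        return "drop: not an embedded TCP segment"
    src, dst = socket.inet_ntoa(inner[12:16]), socket.inet_ntoa(inner[16:20])
    sport, dport, seq = struct.unpack("!HHI", inner[ihl:ihl + 8])
    conn = conns.get((src, sport, dst, dport))   # (local, lport, remote, rport)
    if conn is None:
        return "drop: no matching connection"
    if not seq_in_send_window(seq, conn.snd_una, conn.snd_nxt):
        return "drop: sequence number not in send window"
    if itype == 4:                                # Source Quench: ignored for TCP
        return "ignore: source quench"
    if itype == 3 and code in HARD_CODES and conn.state not in SYNCHRONIZED:
        return "hard error: abort connection"
    return "soft error: record, do not abort"
```

The sequence-number check is the part that matters against an off-path sender: an ICMP error whose embedded segment could not have come from this host's own send window is simply dropped before it can influence connection state.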