Re: [tcpm] Some comments on tcpsecure
Fernando Gont <fernando@gont.com.ar> Sat, 05 April 2008 20:24 UTC
Return-Path: <tcpm-bounces@ietf.org>
X-Original-To: tcpm-archive@megatron.ietf.org
Delivered-To: ietfarch-tcpm-archive@core3.amsl.com
Received: from core3.amsl.com (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8545D3A6C85; Sat, 5 Apr 2008 13:24:53 -0700 (PDT)
X-Original-To: tcpm@core3.amsl.com
Delivered-To: tcpm@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D13003A6C85 for <tcpm@core3.amsl.com>; Sat, 5 Apr 2008 13:24:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.908
X-Spam-Level:
X-Spam-Status: No, score=-0.908 tagged_above=-999 required=5 tests=[AWL=0.883, BAYES_00=-2.599, SARE_RECV_SPEEDY_AR=0.808]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NHCTT-jwnFaG for <tcpm@core3.amsl.com>; Sat, 5 Apr 2008 13:24:52 -0700 (PDT)
Received: from smtp1.xmundo.net (smtp1.xmundo.net [201.216.232.80]) by core3.amsl.com (Postfix) with ESMTP id A74033A6C0C for <tcpm@ietf.org>; Sat, 5 Apr 2008 13:24:50 -0700 (PDT)
Received: from venus.xmundo.net (venus.xmundo.net [201.216.232.56]) by smtp1.xmundo.net (Postfix) with ESMTP id 70C9C5A8A3A; Sat, 5 Apr 2008 17:25:01 -0300 (ART)
Received: from notebook.gont.com.ar (201-254-42-144.speedy.com.ar [201.254.42.144] (may be forged)) (authenticated bits=0) by venus.xmundo.net (8.13.8/8.13.8) with ESMTP id m35KOlmj018418; Sat, 5 Apr 2008 17:24:48 -0300
Message-Id: <200804052024.m35KOlmj018418@venus.xmundo.net>
X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9
Date: Sat, 05 Apr 2008 17:15:41 -0300
To: Joe Touch <touch@ISI.EDU>
From: Fernando Gont <fernando@gont.com.ar>
In-Reply-To: <47F7B43E.6010004@isi.edu>
References: <200804041832.m34IWTC5025090@venus.xmundo.net> <47F68794.6050100@isi.edu> <200804042012.m34KCk8U022643@venus.xmundo.net> <47F68DC7.2050303@isi.edu> <200804050557.m355vAjU013266@venus.xmundo.net> <47F7B43E.6010004@isi.edu>
Mime-Version: 1.0
X-Greylist: Sender succeeded SMTP AUTH authentication, not delayed by milter-greylist-3.0 (venus.xmundo.net [201.216.232.56]); Sat, 05 Apr 2008 17:25:00 -0300 (ART)
Cc: tcpm@ietf.org
Subject: Re: [tcpm] Some comments on tcpsecure
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: tcpm-bounces@ietf.org
Errors-To: tcpm-bounces@ietf.org
At 02:17 p.m. 05/04/2008, Joe Touch wrote: >>>>And, for what is worth, strictly speaking there's no such a thing >>>>as a TCP MSL, either. TCP's MSL is based on the assumption that >>>>the IP TTL is decremented at least once every second. And this is >>>>not warranted, either. There's not such enforcement as there is >>>>in, e.g., Delta-t. >>> >>>If there's no MSL, then that's even more reason not to use window >>>information to determine the validity of an ICMP. >>And no reason to use sequence numbers at all, and no reason for >>TCP's quiet time, and no reason for TCP's TIME-WAIT state, etc., >>etc., etc. From that purist (??) point of view, TCP would not even work at all. > >Absolutely - that's the absurdity of *your* point about there being >no such thing as MSL. However, MSL is irrelevant to ICMP even if >(contrary to your point above) MSL is meaningful to TCP. The ICMP attacks drafts used to propose (unfortunately, right now it only "documents") a number of mitigation techniques for ICMP-based attacks. Among these were: 1) Require ICMP messages to be in window. 2) Don't reset connections in the synchronized (>ESTABLISHED) states upno receipt of the so-called ICMP hard errors. You argument against (1) is that there's not such a timing requirement for ICMP messages. If that's your argument, then please also propose to remove any sequence number checks and any other assumptions on the MSL (e.g., quiet time concept, TIME-WAIT state) that are based on timing assumptions of TCP segments (and hence IP datagrams) that are *not* required in the protocols, *either*. Or well, that at least cannot be enforced. (Again, if you want this, you want something like Delta-t). Your argument against (2) is that...mmm... that would be incorrect, because it would assume that every packet is an attack. But you do want to advocate ICMP filtering at firewalls. I'd love to get everybody who's everyday job is to work on the TCP code of real TCP stacks. But while I have been in contact with many of these people (both for the I-Ds I published at the IETF, and for other work), the general idea is that it is a waste of time to argue for years what everybody has already been doing for years now (not to say 20+ years). The only real discussion here is how irrelevant we want the IETF specs to be. Kind regards, -- Fernando Gont e-mail: fernando@gont.com.ar || fgont@acm.org PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1 _______________________________________________ tcpm mailing list tcpm@ietf.org https://www.ietf.org/mailman/listinfo/tcpm
- [tcpm] Some comments on tcpsecure Fernando Gont
- Re: [tcpm] Some comments on tcpsecure Joe Touch
- Re: [tcpm] Some comments on tcpsecure Fernando Gont
- Re: [tcpm] Some comments on tcpsecure Joe Touch
- Re: [tcpm] Some comments on tcpsecure Anantha Ramaiah (ananth)
- Re: [tcpm] Some comments on tcpsecure Fernando Gont
- Re: [tcpm] Some comments on tcpsecure Fernando Gont
- Re: [tcpm] Some comments on tcpsecure Joe Touch
- Re: [tcpm] Some comments on tcpsecure Anantha Ramaiah (ananth)
- Re: [tcpm] Some comments on tcpsecure Fernando Gont
- Re: [tcpm] Some comments on tcpsecure Joe Touch
- Re: [tcpm] Some comments on tcpsecure Fernando Gont
- Re: [tcpm] Some comments on tcpsecure Joe Touch
- Re: [tcpm] Some comments on tcpsecure Anantha Ramaiah (ananth)
- Re: [tcpm] Some comments on tcpsecure Fernando Gont
- Re: [tcpm] Some comments on tcpsecure Joe Touch
- Re: [tcpm] Some comments on tcpsecure Fernando Gont
- Re: [tcpm] Some comments on tcpsecure Joe Touch
- [tcpm] ICMP error origination timeliness Pekka Savola
- Re: [tcpm] ICMP error origination timeliness Joe Touch
- Re: [tcpm] ICMP error origination timeliness Anantha Ramaiah (ananth)
- Re: [tcpm] ICMP error origination timeliness Joe Touch
- Re: [tcpm] Some comments on tcpsecure Fernando Gont
- Re: [tcpm] Some comments on tcpsecure Joe Touch
- Re: [tcpm] Some comments on tcpsecure Ted Faber
- Re: [tcpm] Some comments on tcpsecure Joe Touch
- Re: [tcpm] Some comments on tcpsecure Ted Faber
- Re: [tcpm] Some comments on tcpsecure Joe Touch
- Re: [tcpm] Some comments on tcpsecure Ted Faber
- Re: [tcpm] Some comments on tcpsecure Anantha Ramaiah (ananth)
- Re: [tcpm] Some comments on tcpsecure Ted Faber
- Re: [tcpm] Some comments on tcpsecure Fernando Gont
- Re: [tcpm] Some comments on tcpsecure Joe Touch
- Re: [tcpm] Some comments on tcpsecure Fernando Gont
- Re: [tcpm] Some comments on tcpsecure Anantha Ramaiah (ananth)