Re: [tcpm] Some comments on tcpsecure

Fernando Gont <fernando@gont.com.ar> Sat, 05 April 2008 20:24 UTC

Return-Path: <tcpm-bounces@ietf.org>
X-Original-To: tcpm-archive@megatron.ietf.org
Delivered-To: ietfarch-tcpm-archive@core3.amsl.com
Received: from core3.amsl.com (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8545D3A6C85; Sat, 5 Apr 2008 13:24:53 -0700 (PDT)
X-Original-To: tcpm@core3.amsl.com
Delivered-To: tcpm@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D13003A6C85 for <tcpm@core3.amsl.com>; Sat, 5 Apr 2008 13:24:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.908
X-Spam-Level:
X-Spam-Status: No, score=-0.908 tagged_above=-999 required=5 tests=[AWL=0.883, BAYES_00=-2.599, SARE_RECV_SPEEDY_AR=0.808]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NHCTT-jwnFaG for <tcpm@core3.amsl.com>; Sat, 5 Apr 2008 13:24:52 -0700 (PDT)
Received: from smtp1.xmundo.net (smtp1.xmundo.net [201.216.232.80]) by core3.amsl.com (Postfix) with ESMTP id A74033A6C0C for <tcpm@ietf.org>; Sat, 5 Apr 2008 13:24:50 -0700 (PDT)
Received: from venus.xmundo.net (venus.xmundo.net [201.216.232.56]) by smtp1.xmundo.net (Postfix) with ESMTP id 70C9C5A8A3A; Sat, 5 Apr 2008 17:25:01 -0300 (ART)
Received: from notebook.gont.com.ar (201-254-42-144.speedy.com.ar [201.254.42.144] (may be forged)) (authenticated bits=0) by venus.xmundo.net (8.13.8/8.13.8) with ESMTP id m35KOlmj018418; Sat, 5 Apr 2008 17:24:48 -0300
Message-Id: <200804052024.m35KOlmj018418@venus.xmundo.net>
X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9
Date: Sat, 05 Apr 2008 17:15:41 -0300
To: Joe Touch <touch@ISI.EDU>
From: Fernando Gont <fernando@gont.com.ar>
In-Reply-To: <47F7B43E.6010004@isi.edu>
References: <200804041832.m34IWTC5025090@venus.xmundo.net> <47F68794.6050100@isi.edu> <200804042012.m34KCk8U022643@venus.xmundo.net> <47F68DC7.2050303@isi.edu> <200804050557.m355vAjU013266@venus.xmundo.net> <47F7B43E.6010004@isi.edu>
Mime-Version: 1.0
X-Greylist: Sender succeeded SMTP AUTH authentication, not delayed by milter-greylist-3.0 (venus.xmundo.net [201.216.232.56]); Sat, 05 Apr 2008 17:25:00 -0300 (ART)
Cc: tcpm@ietf.org
Subject: Re: [tcpm] Some comments on tcpsecure
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: tcpm-bounces@ietf.org
Errors-To: tcpm-bounces@ietf.org

At 02:17 p.m. 05/04/2008, Joe Touch wrote:

>>>>And, for what is worth, strictly speaking there's no such a thing 
>>>>as a TCP MSL, either. TCP's MSL is based on the assumption that 
>>>>the IP TTL is decremented at least once every second. And this is 
>>>>not warranted, either. There's not such enforcement as there is 
>>>>in, e.g., Delta-t.
>>>
>>>If there's no MSL, then that's even more reason not to use window 
>>>information to determine the validity of an ICMP.
>>And no reason to use sequence numbers at all, and no reason for 
>>TCP's quiet time, and no reason for TCP's TIME-WAIT state, etc., 
>>etc., etc. From that purist (??) point of view, TCP would not even work at all.
>
>Absolutely - that's the absurdity of *your* point about there being 
>no such thing as MSL. However, MSL is irrelevant to ICMP even if 
>(contrary to your point above) MSL is meaningful to TCP.

The ICMP attacks drafts used to propose (unfortunately, right now it 
only "documents") a number of mitigation techniques for ICMP-based 
attacks. Among these were:

1) Require ICMP messages to be in window.
2) Don't reset connections in the synchronized (>ESTABLISHED) states 
upno receipt of the so-called ICMP hard errors.

You argument against (1) is that there's not such a timing 
requirement for ICMP messages. If that's your argument, then please 
also propose to remove any sequence number checks and any other 
assumptions on the MSL (e.g., quiet time concept, TIME-WAIT state) 
that are based on timing assumptions of TCP segments (and hence IP 
datagrams) that are *not* required in the protocols, *either*. Or 
well, that at least cannot be enforced. (Again, if you want this, you 
want something like Delta-t).

Your argument against (2) is that...mmm... that would be incorrect, 
because it would assume that every packet is an attack. But you do 
want to advocate ICMP filtering at firewalls.

I'd love to get everybody who's everyday job is to work on the TCP 
code of real TCP stacks. But while I have been in contact with many 
of these people (both for the I-Ds I published at the IETF, and for 
other work), the general idea is that it is a waste of time to argue 
for years what everybody has already been doing for years now (not to 
say 20+ years).

The only real discussion here is how irrelevant we want the IETF specs to be.

Kind regards,

--
Fernando Gont
e-mail: fernando@gont.com.ar || fgont@acm.org
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1




_______________________________________________
tcpm mailing list
tcpm@ietf.org
https://www.ietf.org/mailman/listinfo/tcpm