Re: [tcpm] WG Last Call for ICMP Attacks

> -----Original Message-----
> From: tcpm-bounces@ietf.org [mailto:tcpm-bounces@ietf.org] On Behalf
Of
> Fernando Gont
> Sent: 03 September 2009 05:49
> To: Smith, Donald
> Cc: 'tcpm Extensions WG'; 'David Borman'
> Subject: Re: [tcpm] WG Last Call for ICMP Attacks
> 
> Hello, Donald,
> 
> Thanks so much for your feedback! Comments inline.... (I have removed
> those comments that I will apply and didn't need further
> clarification...)
> 
> 
> Smith, Donald wrote:
> > 1. ICMP [RFC0792] is a fundamental part of the TCP/IP protocol
suite,
> >  and is used mainly for reporting network error conditions.
> >
> > ICMP is part of the IP protocol suite.
> 
> The protocol suite is referred to as "TCP/IP"...
> 
> 
> 
> > 2.2 Therefore, in the case of TCP, an attacker could send a forged
> > ICMP message to the attacked system, and, as long as he is able to
> > guess the four-tuple (i.e., Source IP Address, Source TCP port,
> > Destination IP Address, and Destination TCP port) that identifies
the
> >  communication instance to be attacked, he will be able to use ICMP
> > to perform a variety of attacks.
> >
> > Forged usually implies that source ip address has been spoofed
> > usually to come from some type of trusted host. Crafted is the term
> [...]
> 
> I'll adopt the term/phrase you and Joe have converged to.
> 
> 
> 
> > 4.1 Many TCP implementations have incorporated a validation check so
> > makes TCP react only to those ICMP error messages elicited by
> > segments that were "in-flight" to the destination system.
> >
> > Grammer and minor correction for elicited: Many TCP implementations
> > have incorporated a validation check to make TCP react only to those
> > ICMP error messages that appear to have been caused by segments that
> > were "in-flight" to the destination system.
> 
> Does "elicited" sound bad? (english as a second language here, sorry)
> 

"elicited" implies that the packet specifically sought the ICMP packet
to be sent (which I guess would indeed be the case in tcptraceroute)
whereas the alternate wording is trying to make it clear that the ICMP
packet wasn't the desired response in the first place. Not sure how
clear my explanation actually is! 

Possible alternative wording: "Many TCP implementations have
incorporated a validation check such that they only react to those ICMP
messages that appear to relate to segments currently "in-flight" to the
destination system."

> 
> 
> 
> > 5.2 Assuming that once a connection is established it is not usual
> > for the transport protocol to change (or be reloaded), it should be
> > unusual to get these error messages. Should be: Assuming that once a
> > connection is established it is usual for the transport protocol to
> > change (or be reloaded), it should be unusual to get these error
> > messages.
> >
> >
> > ...(still 5.2)
> >
> > ICMPv6 type 1 (Destination Unreachable), code 1 (communication with
> > destination administratively prohibited)
> >
> > This error message indicates that the destination is unreachable
> > because of an administrative policy.  For connection-oriented
> > protocols such as TCP, one could expect to receive such an error as
> > the result of a connection-establishment attempt.  Receiving such an
> > error for a connection in any of the synchronized states would mean
> > that the administrative policy changed during the life of the
> > connection.  However, in the same way this error condition (which
was
> > not present when the conenction was established) appeared, it could
> > get solved solved in the near term.
> >
> > This actually does occur in some cases where bruteforce password
> > attempts causes a tool such as fail2ban to block access. and
> > connection not conenction.
> 
> Ok. Will add a note on this. If you have any proposed text, please let
> me know.
> 
> 
> 
> > 7.1 The PMTUD mechanism for IPv4 uses the Don't Fragment (DF) bit in
> > the IP header to dynamically discover the Path MTU.  The basic idea
> > behind the PMTUD mechanism is that a source system assumes that the
> > MTU of the path is that of the first hop, and sends all its
datagrams
> >  with the DF bit set.  If any of the datagrams is too large to be
> > forwarded without fragmentation by some intermediate router, the
> > router will discard the corresponding datagram, and will return an
> > ICMP "Destination Unreachable" (type 3) "fragmentation neeed and DF
> > set" (code 4) error message to the sending system.  This message
will
> >  report the MTU of the constricting hop, so that the sending system
> > can reduce the assumed Path-MTU accordingly.
> >
> > Spelling and grammer: If any of the datagrams is too large -> If any
> > of the datagrams are too large.
> 
> mmmm... aren't we meaning that "as long as *one* of them is too
large"?
> 
> 
> 
> > As discussed in both [RFC1191] and [RFC1981], the Path-MTU Discovery
> > mechanism can be used to attack TCP.  An attacker could send a
forged
> >  ICMP "Destination Unreachable, fragmentation needed and DF set"
> > packet (or their ICMPv6 counterpart) to the sending system,
> > advertising a small Next-Hop MTU.  As a result, the attacked system
> > would reduce the size of the packets it sends for the corresponding
> > connection accordingly.
> >
> > Again I would suggest crafted instead of forged.
> 
> Well, even with the discussion you provided about "forged" vs.
> "crafted", the attacker does forge the IP/TCP packet contained in the
> ICMP payload...
> 
> Thanks so much!
> 
> Kind regards,
> --
> Fernando Gont
> e-mail: fernando@gont.com.ar || fgont@acm.org
> PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
> 
> 
> 
> 
> _______________________________________________
> tcpm mailing list
> tcpm@ietf.org
> https://www.ietf.org/mailman/listinfo/tcpm