Re: [tcpm] WG Last Call for ICMP Attacks

Joe Touch <touch@ISI.EDU> Tue, 08 September 2009 23:04 UTC

Message-ID: <4AA6E2CC.2000905@isi.edu>
Date: Tue, 08 Sep 2009 16:03:40 -0700
From: Joe Touch <touch@ISI.EDU>
To: Fernando Gont <fernando@gont.com.ar>
References: <F1534040-EA0D-44E4-98F7-67C24CD12CCF@windriver.com> <B01905DA0C7CDC478F42870679DF0F1005B64E383D@qtdenexmbm24.AD.QINTRA.COM> <4A9F4AB1.6070605@gont.com.ar>
In-Reply-To: <4A9F4AB1.6070605@gont.com.ar>
Cc: "Smith, Donald" <Donald.Smith@qwest.com>, 'tcpm Extensions WG' <tcpm@ietf.org>, 'David Borman' <david.borman@windriver.com>
Subject: Re: [tcpm] WG Last Call for ICMP Attacks

Some additional feedback:

--
2.1 indicates reasons why ICMPs are not reliable; it should include
reasons why ICMPs could be late - so late that, e.g., sequence numbers
aren't relevant.
--
In Sec 4.1:
   It should be note that as there are no timeliness for ICMP error
   messages, the TCP Sequence Number check described in this section
   might cause legitimate ICMP error messages to be discarded

This should also note that it is also possible to end up acting on ICMPs
that are old even when such checks are in place, depending on the
lateness of the ICMP and the width of the valid sequence number window.
--
Top of page 13, a space is missing:
   synchronized states (ESTABLISHED, FIN-WAIT-1, FIN-WAIT-2, CLOSE-WAIT,
   CLOSING, LAST-ACK or TIME-WAIT)as "soft errors".  That is, they do
                                  ^
--
Section 8 would benefit from a summary of the different techniques used
(e.g., parameter checking to drop ICMPs, state checking to drop ICMPs,
etc.) and a description of how each basic technique affects the system -
i.e., they (in general) make the system more robust to deliberate
attacks, but could make the system react less rapidly to legitimate
network errors. This is a deliberate trade-off, and perhaps a reasonable
one, but worth noting, IMO.

Joe
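As an added illustration (not part of this message or of the draft under review) of the Section 4.1 sequence-number check discussed above, the following Python models validating the TCP sequence number quoted inside an ICMP error against the window [SND.UNA, SND.NXT), and shows that a late but once-legitimate ICMP still passes as long as the window has not moved past it, while an out-of-window or wrong-connection quote is dropped. The packet layout, addresses and connection state are constructed for the example.

```python
import struct

MOD = 1 << 32


def seq_in_window(seq, snd_una, snd_nxt):
    """Check in the style of Section 4.1: accept only if
    SND.UNA <= seq < SND.NXT, in modulo-2^32 arithmetic so wrap-around works."""
    return ((seq - snd_una) % MOD) < ((snd_nxt - snd_una) % MOD)


def embedded_tcp_fields(icmp_payload):
    """Parse the quoted IPv4 header plus the first 8 bytes of TCP that an ICMP
    error carries. Returns (src, dst, sport, dport, seq)."""
    ihl = (icmp_payload[0] & 0x0F) * 4
    src, dst = icmp_payload[12:16], icmp_payload[16:20]
    sport, dport, seq = struct.unpack("!HHI", icmp_payload[ihl:ihl + 8])
    return src, dst, sport, dport, seq


def should_accept(icmp_payload, conn):
    """Accept the ICMP error only if the quoted packet belongs to this connection
    (we sent it, so src/sport are the local side) and its sequence number lies
    in the current valid window. `conn` is a constructed connection record."""
    src, dst, sport, dport, seq = embedded_tcp_fields(icmp_payload)
    if (src, sport, dst, dport) != (conn["laddr"], conn["lport"],
                                    conn["raddr"], conn["rport"]):
        return False
    return seq_in_window(seq, conn["snd_una"], conn["snd_nxt"])


def build_quoted_packet(src, dst, sport, dport, seq):
    """Constructed minimal IPv4 header (20 bytes, no options, checksum left 0)
    followed by the first 8 bytes of a TCP header, as an ICMP error quotes them."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 6, 0, src, dst)
    return ip + struct.pack("!HHI", sport, dport, seq)


def demo():
    """Returns (stale_accepted, out_of_window_accepted, other_conn_accepted)."""
    laddr, raddr = bytes([10, 0, 0, 1]), bytes([192, 0, 2, 7])  # constructed
    # The window has advanced since the segment with seq 1500 was sent
    # (SND.UNA was 1000 then), but 1500 is still inside [1200, 66000).
    conn = dict(laddr=laddr, raddr=raddr, lport=40000, rport=80,
                snd_una=1200, snd_nxt=66000)
    stale = build_quoted_packet(laddr, raddr, 40000, 80, 1500)   # late, still valid
    off = build_quoted_packet(laddr, raddr, 40000, 80, 70000)    # outside window
    other = build_quoted_packet(laddr, raddr, 40001, 80, 1500)   # different 4-tuple
    return should_accept(stale, conn), should_accept(off, conn), should_accept(other, conn)
```

The wider the valid window, the longer a stale ICMP remains acceptable, which is the trade-off the message points out.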