Re: [tcpm] WG Last Call for ICMP Attacks

Joe Touch <touch@ISI.EDU> Tue, 08 September 2009 23:04 UTC

Some additional feedback:

--
2.1 indicates reasons why ICMPs are not reliable; it should include
reasons why ICMPs could be late - so late that, e.g., sequence numbers
aren't relevant.
--
In Sec 4.1:
   It should be note that as there are no timeliness for ICMP error
   messages, the TCP Sequence Number check described in this section
   might cause legitimate ICMP error messages to be discarded

This should also note that it is also possible to end up acting on ICMPs
that are old even when such checks are in place, depending on the
lateness of the ICMP and the width of the valid sequence number window.
--
top Page 13, space is missing:
   synchronized states (ESTABLISHED, FIN-WAIT-1, FIN-WAIT-2, CLOSE-WAIT,
   CLOSING, LAST-ACK or TIME-WAIT)as "soft errors".  That is, they do
--
Section 8 would benefit from a summary of the different techniques used
(e.g., parameter checking to drop ICMPs, state checking to drop ICMPs,
etc.) and a description of how each basic technique affects the system -
i.e., they (in general) make the system more robust to deliberate
attacks, but could make the system react less rapidly to legitimate
network errors. This is a deliberate trade-off, and perhaps a reasonable
one, but worth noting, IMO.

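
The two outcomes raised in the Sec 4.1 comment above, as an added example that is not part of the original message or of the draft. It assumes the check is the in-flight test SND.UNA <= SEG.SEQ < SND.NXT on the sequence number quoted in the ICMP payload; the function name and all sequence numbers are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper, constructed for illustration.
 * Assumed check: act on an ICMP error only if the TCP sequence number
 * quoted in its payload is in flight, SND.UNA <= SEG.SEQ < SND.NXT,
 * evaluated modulo 2^32. Note that it takes no time input at all. */
int icmp_seq_check(uint32_t snd_una, uint32_t snd_nxt, uint32_t quoted_seq)
{
    uint32_t in_flight = snd_nxt - snd_una;  /* width of the valid window */
    uint32_t offset = quoted_seq - snd_una;  /* wraps to a huge value if seq < una */
    return offset < in_flight;               /* 1 = act on the ICMP, 0 = drop it */
}

struct scenario {
    const char *what;
    uint32_t una, nxt, quoted;
};

/* Constructed sender states at the moment the ICMP error arrives. */
static const struct scenario cases[] = {
    /* ICMP arrives while the quoted segment is still unacknowledged. */
    {"timely ICMP", 1000, 9000, 1000},
    /* Same ICMP arrives after SND.UNA moved past it: a legitimate
     * error message is discarded. */
    {"late ICMP, window moved on", 5000, 13000, 1000},
    /* Same ICMP arrives late, but a wide window still covers the quoted
     * sequence number: an old error message is acted upon. */
    {"late ICMP, wide window", 200, 1048776, 1000},
    /* Window straddling the 2^32 wrap still compares correctly. */
    {"window across wrap", 0xFFFFFF00u, 0x00000100u, 0x00000010u},
};

int main(void)
{
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        const struct scenario *c = &cases[i];
        printf("%-28s una=%lu nxt=%lu quoted=%lu -> %s\n", c->what,
               (unsigned long)c->una, (unsigned long)c->nxt,
               (unsigned long)c->quoted,
               icmp_seq_check(c->una, c->nxt, c->quoted) ? "accept" : "drop");
    }
    return 0;
}
```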