RE: [tcpm] feedcback on tcp-secure-05
"Anantha Ramaiah \(ananth\)" <ananth@cisco.com> Mon, 17 July 2006 07:08 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1G2NDa-00076T-UI; Mon, 17 Jul 2006 03:08:38 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1G2NDY-00076O-Sf for tcpm@ietf.org; Mon, 17 Jul 2006 03:08:36 -0400
Received: from sj-iport-1-in.cisco.com ([171.71.176.70] helo=sj-iport-1.cisco.com) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1G2NDX-0003TZ-H8 for tcpm@ietf.org; Mon, 17 Jul 2006 03:08:36 -0400
Received: from sj-dkim-1.cisco.com ([171.71.179.21]) by sj-iport-1.cisco.com with ESMTP; 17 Jul 2006 00:08:35 -0700
Received: from sj-core-2.cisco.com (sj-core-2.cisco.com [171.71.177.254]) by sj-dkim-1.cisco.com (8.12.11.20060308/8.12.11) with ESMTP id k6H78Ycm014186; Mon, 17 Jul 2006 00:08:34 -0700
Received: from xbh-sjc-231.amer.cisco.com (xbh-sjc-231.cisco.com [128.107.191.100]) by sj-core-2.cisco.com (8.12.10/8.12.6) with ESMTP id k6H78Y2D023991; Mon, 17 Jul 2006 00:08:34 -0700 (PDT)
Received: from xmb-sjc-21c.amer.cisco.com ([171.70.151.176]) by xbh-sjc-231.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.211); Mon, 17 Jul 2006 00:08:34 -0700
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Subject: RE: [tcpm] feedcback on tcp-secure-05
Date: Mon, 17 Jul 2006 00:08:32 -0700
Message-ID: <0C53DCFB700D144284A584F54711EC5801D95FC7@xmb-sjc-21c.amer.cisco.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [tcpm] feedcback on tcp-secure-05
Thread-Index: AcapXYpPcCTJCmWoQ5iftiNRLCMTCAAB8VMw
From: "Anantha Ramaiah (ananth)" <ananth@cisco.com>
To: Joe Touch <touch@ISI.EDU>, Fernando Gont <fernando@gont.com.ar>
X-OriginalArrivalTime: 17 Jul 2006 07:08:34.0299 (UTC) FILETIME=[D134A4B0:01C6A96F]
DKIM-Signature: a=rsa-sha1; q=dns; l=3424; t=1153120114; x=1153984114; c=relaxed/simple; s=sjdkim1002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=ananth@cisco.com; z=From:=22Anantha=20Ramaiah=20\(ananth\)=22=20<ananth@cisco.com> |Subject:RE=3A=20[tcpm]=20feedcback=20on=20tcp-secure-05; X=v=3Dcisco.com=3B=20h=3DCeksYhPTKiajql2H6p2yZiTQwso=3D; b=LGi5OILqjKYsUGJeirEt9LpMHzw4Z+y2WywQuf/J2GwfqZyn7rZQkZzUCEf5QsW+Rt2ncfYN umYUi8oRqRWiSo6xVZiPrZfmiG741clbkRvmWcUQitr5sWRc6isuzddU;
Authentication-Results: sj-dkim-1.cisco.com; header.From=ananth@cisco.com; dkim=pass ( sig from cisco.com verified; );
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 3002fc2e661cd7f114cb6bae92fe88f1
Cc: tcpm@ietf.org
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
Errors-To: tcpm-bounces@ietf.org
<snip> > >> > would be. Without such blocking, it's not clear what the > utility of > >> > this solution would be. > >> > >> Ok. > > > > I don't think tcpsecure should make any advice on what to > do with ICMP. > > > > Just make it clear that the introduced mechanisms do not prevent > > ICMP-based attacks against TCP, and provide a pointer to > > draft-ietf-tcpm-icmp-attacks-00.txt . > > > > If you are going to make any other statement on this issue, > state that > > the ICMP-based attacks are easier to perform, and thus should be > > mitigated (if not, it's ICMP that is the "weakest link in > the chain"). > > > > You could also add that, fortunately, virtually every > implementation > > has mitigated the ICMP attacks described in > > draft-ietf-tcpm-icmp-attacks-00.txt, by implementing most > (if not all) > > the counter-measures described in that draft. > > That last point doesn't obviate the issue that ICMP packets - > even validated by the mitigations in the draft above - are > still easier to spoof and can be spoofed by third parties > than any of the attacks in tcp-secure. > > I.e., they remain the weakest link, and worrying about > tcp-secure protections is nonsensical by comparison, UNLESS > ICMPs are entirely blocked. Actually I have to dis-agree to this. The tcp-secure is by no means an exhaustive list of attacks that can be performed on TCP layer. It's main focus is on providing robustness to some of the blind in-window attacks. Now we have a separate document which talks about the ICMP based attacks (draft-ietf-tcpm-icmp-attacks-xx.txt) and it's mitigation, so it would be better to just provide a reference to the same in tcp-secure and leave it at that. To make recommendations on to blocking ICMP is outside the scope of tcp-secure. Another point to note is that TCP SHOULD act (not a MUST) on ICMP reported hard errors. Also in some cases like "port unreachable" can be ignored since TCP uses the RST for the purpose of port unreachability. This is as per RFC 1122. - Some applications would chose to ignore the so called hard errors for a TCP connection. In other words the behaviour can be controlled by a CLI and the default would be to ignore this hard errors. So the connection reset wouldn't happen. - Some firewalls deliberately block ICMP messages rendering the attack useless. I guess my point is ICMP attacks may be a weakest link, but wouldn't cause connection resets with proper installed workarounds in place. Yes, I mean without voilating the current RFC's. Also with or without ICMP mitigations in place, one could still cause a TCP connection to RESET, if the mitigations described in tcp-secure isn't present. So the tcp-secure suggestions are useful with or without ICMP blocking/unblocking. But is it foolproof ? It isn't. Using MD5 makes the connection reset even harder, other tougher MAC's even harder. So all I am trying to derive is that, I agree with Fernando about tcp-secure shouldn't be making any recommendations on whether to block or unblock ICMP messages. I think these drafts are orthogonal to each other. But it would be ok to mention about the ICMP attacks in the security considerations of tcp-secure and provide a pointer to the same. -Anantha > > Joe > > > _______________________________________________ tcpm mailing list tcpm@ietf.org https://www1.ietf.org/mailman/listinfo/tcpm
- [tcpm] feedcback on tcp-secure-05 Joe Touch
- Re: [tcpm] feedcback on tcp-secure-05 Pekka Savola
- Re: [tcpm] feedcback on tcp-secure-05 Joe Touch
- Re: [tcpm] feedcback on tcp-secure-05 Pekka Savola
- Re: [tcpm] feedcback on tcp-secure-05 Randall Stewart
- Re: [tcpm] feedcback on tcp-secure-05 Joe Touch
- Re: [tcpm] feedcback on tcp-secure-05 Joe Touch
- Re: [tcpm] feedcback on tcp-secure-05 Joe Touch
- Re: [tcpm] feedcback on tcp-secure-05 Randall Stewart
- Re: [tcpm] feedcback on tcp-secure-05 Joe Touch
- Re: [tcpm] feedcback on tcp-secure-05 Fernando Gont
- RE: [tcpm] feedcback on tcp-secure-05 Fernando Gont
- RE: [tcpm] feedcback on tcp-secure-05 Anantha Ramaiah (ananth)
- Re: [tcpm] feedcback on tcp-secure-05 Joe Touch
- Re: [tcpm] feedcback on tcp-secure-05 Joe Touch
- RE: [tcpm] feedcback on tcp-secure-05 Anantha Ramaiah (ananth)
- Re: [tcpm] feedcback on tcp-secure-05 Joe Touch
- Re: [tcpm] feedcback on tcp-secure-05 Ted Faber
- RE: [tcpm] feedcback on tcp-secure-05 Anantha Ramaiah (ananth)
- Re: [tcpm] feedcback on tcp-secure-05 Fernando Gont
- RE: [tcpm] feedcback on tcp-secure-05 Mitesh Dalal (mdalal)
- Re: [tcpm] feedcback on tcp-secure-05 Joe Touch
- Re: [tcpm] feedcback on tcp-secure-05 Joe Touch
- RE: [tcpm] feedcback on tcp-secure-05 Anantha Ramaiah (ananth)
- Re: [tcpm] feedcback on tcp-secure-05: suggested … Ted Faber
- Re: [tcpm] feedcback on tcp-secure-05: suggested … Pekka Savola
- Re: [tcpm] feedcback on tcp-secure-05: suggested … Joe Touch
- Re: [tcpm] feedcback on tcp-secure-05: suggested … Fernando Gont
- Re: [tcpm] feedcback on tcp-secure-05: suggested … Randall Stewart
- Re: [tcpm] feedcback on tcp-secure-05: suggested … Joe Touch
- Re: [tcpm] feedcback on tcp-secure-05 Fernando Gont
- Re: [tcpm] feedcback on tcp-secure-05: suggested … Fernando Gont
- Re: [tcpm] feedcback on tcp-secure-05: suggested … Ted Faber
- Re: [tcpm] feedcback on tcp-secure-05 Joe Touch
- Re: [tcpm] feedcback on tcp-secure-05: suggested … Joe Touch
- Re: [tcpm] feedcback on tcp-secure-05: suggested … Ted Faber
- [tcpm] ICMP attacks draft Fernando Gont
- Re: [tcpm] feedcback on tcp-secure-05: suggested … Fernando Gont
- Re: [tcpm] ICMP attacks draft Joe Touch
- Re: [tcpm] feedcback on tcp-secure-05: suggested … Ted Faber
- Re: [tcpm] feedcback on tcp-secure-05: suggested … Fernando Gont
- Re: [tcpm] feedcback on tcp-secure-05: suggested … Ted Faber
- Re: [tcpm] ICMP attacks draft Fernando Gont
- Re: [tcpm] ICMP attacks draft Joe Touch
- Re: [tcpm] ICMP attacks draft Fernando Gont
- Re: [tcpm] ICMP attacks draft Joe Touch