IETF Logo Mail Archive

Re: [tcpm] TCPM and draft-ietf-tcpm-icmp-attacks

Joe Touch <touch@ISI.EDU> Fri, 19 February 2010 22:35 UTC

Return-Path: <touch@ISI.EDU>
X-Original-To: tcpm@core3.amsl.com
Delivered-To: tcpm@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 334A328C105 for <tcpm@core3.amsl.com>; Fri, 19 Feb 2010 14:35:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.506
X-Spam-Level:
X-Spam-Status: No, score=-2.506 tagged_above=-999 required=5 tests=[AWL=0.093, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DJPLYKqKH4Ur for <tcpm@core3.amsl.com>; Fri, 19 Feb 2010 14:35:58 -0800 (PST)
Received: from nitro.isi.edu (nitro.isi.edu [128.9.208.207]) by core3.amsl.com (Postfix) with ESMTP id 5D17728C0DD for <tcpm@ietf.org>; Fri, 19 Feb 2010 14:35:58 -0800 (PST)
Received: from [192.168.1.97] (pool-71-106-88-10.lsanca.dsl-w.verizon.net [71.106.88.10]) (authenticated bits=0) by nitro.isi.edu (8.13.8/8.13.8) with ESMTP id o1JMa89E011021 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Fri, 19 Feb 2010 14:36:09 -0800 (PST)
Message-ID: <4B7F1258.5060301@isi.edu>
Date: Fri, 19 Feb 2010 14:36:08 -0800
From: Joe Touch <touch@ISI.EDU>
User-Agent: Thunderbird 2.0.0.23 (Windows/20090812)
MIME-Version: 1.0
To: Fernando Gont <fernando@gont.com.ar>
References: <20100218175622.61BB028C2E3@core3.amsl.com> <2002D196-D83C-4B44-870C-8E9A94D2D640@nokia.com> <4B7D8B9F.1010608@piuha.net> <4B7D8F55.90406@piuha.net> <4B7ED18B.8070304@isi.edu> <4B7F0F37.7010502@gont.com.ar>
In-Reply-To: <4B7F0F37.7010502@gont.com.ar>
X-Enigmail-Version: 0.96.0
Content-Type: multipart/signed; micalg="pgp-sha1"; protocol="application/pgp-signature"; boundary="------------enig8F4FD46CDEC58C34F572EC1D"
X-MailScanner-ID: o1JMa89E011021
X-ISI-4-69-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
Cc: tcpm@ietf.org
Subject: Re: [tcpm] TCPM and draft-ietf-tcpm-icmp-attacks
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tcpm>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Feb 2010 22:35:59 -0000


Fernando Gont wrote:
> Joe Touch wrote:
> 
>> Much of this "rush to react" has led to a perspective that any incoming
>> packet that isn't expected is an indication of *attack*. That could
>> easily lead to changes to TCP that make it inappropriately complex and
>> fragile, at the expense of protecting every home computer from attacks
>> that are typically waged only at routers or other core network components.
> 
> Joe, your statement (At least wrt icmp attacks) has no correlation with
> reality.
> 
> ICMP reset attacks have been pretty usual since the 90's as IRC nuke
> attacks. i.e., they have been performed mostly against end users, rather
> than "core network components". Google for "irc nuke", or the like, and
> I'm sure you'll find 10+ years old icmp exploits.

Useful to include in your doc. Not cited, I note.

Yours is not the only document you have accused me of impeding. It would
be useful to reconsider my post in the context of the totality of work
it addresses (including the comment about being involved in deployment).

>> I agree with Wes that the role of ICMP in the Internet needs to be
>> re-examined, and some changes made. However, I also believe that many of
>> the current TCPM "rush to react" changes (including tcpsecure, some of
>> the ICMP checks, some parts of the TCP cookie transactions proposal) are
>> a poor substitute for the use of true security (IPsec, TCP-AO), 
> 
> They are not a substitute. And the recent support by Ran Atkinson
> (co-author of previous versions of the IPsec std) should be a good hint.
> See: http://www.ietf.org/mail-archive/web/ietf/current/msg60159.html

Note that he supports this as offered - Informational.

>> which
>> may also need to include more widely-deployable variants with different
>> levels of protection (e.g., BTNS).
> 
> Side note: I wonder what would be the result if you submitted BTNS to
> the same level of "correctness evaluation" as you have submitted this I-D...
> (Maybe the "BTNS" acronym is an implicit acknowledgement of that?)

BTNS doesn't redefine the core, *non-secure* TCP service for everyone.

Joe

v2.23.0 | Report a Bug | By Email