Re: [tcpm] Some comments on tcpsecure
Fernando Gont <fernando@gont.com.ar> Sat, 05 April 2008 06:07 UTC
Date: Sat, 05 Apr 2008 03:04:58 -0300
To: "Anantha Ramaiah (ananth)" <ananth@cisco.com>, tcpm@ietf.org
From: Fernando Gont <fernando@gont.com.ar>
At 06:34 p.m. 04/04/2008, Anantha Ramaiah (ananth) wrote:

> > The first one is the ICMP attacks draft
> > (draft-ietf-tcpm-icmp-attacks). While tcpsecure mentions the
> > security implications of ICMP on TCP connections, it does not
> > reference the I-D. IIRC, this had already been pointed out by
>
> Well, if this was really needed we should have fixed this in the
> document by now. I think at this stage where most of the issues have
> been ironed out, I would exercise caution before making any changes.
> With that I mean if the group strongly feels about citing this reference
> then we could add it in some place.

There's no actual "change". Just mention the ICMP issues, and reference the ICMP attacks draft for information on the problem, and what the industry has done about it.

> > Joe (?). As far as the specifications are concerned, you
> > shouldn't bother to fix TCP-based reset attacks if you don't
> > fix the ICMP-based ones.
>
> I am not saying we shouldn't be fixing ICMP based attacks, we should fix
> both, but these are separate documents and need to be treated
> separately.

Exactly. Don't get into recommendations on the ICMP issues. Just direct people to the document where this stuff is discussed.

> I can only agree that randomization makes the attack harder to
> accomplish, but like you noted many systems don't do it today.

Nowadays, at least FreeBSD, OpenBSD and Linux do it.

> Like for
> example if you use TCP MD5 the attacks are difficult to be made... So
> wondering what is the point being made here? Are you saying that we
> should put a reference to the port randomization document?

Yes. Something along the lines of "TCP port randomization [draft-ietf-port-randomization] increases the amount of work on the side of the attacker by obfuscating the TCP ephemeral port value".

To make my point clear: I'm not saying you should make "statements" on whether hosts should or should not implement "icmp attacks" or "port randomization". But you should note that the ICMP attacks are easier, and direct people to the icmp attacks draft for more information about this. And you should note that port randomization is a general mitigation technique for off-path attacks against TCP that require more work on the side of the attacker to successfully perform such attacks.

Kind regards,

--
Fernando Gont
e-mail: fernando@gont.com.ar || fgont@acm.org
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1

_______________________________________________
tcpm mailing list
tcpm@ietf.org
https://www.ietf.org/mailman/listinfo/tcpm
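As an added illustration of the work-factor point made in the message above (this is not code from the thread or from any draft it cites): a worst-case guess count for an off-path in-window RST with and without a predictable ephemeral port, beside a port selector modelled on the hash-based algorithm of the port randomization draft (later RFC 6056, Algorithm 3). The IANA dynamic range, the HMAC-SHA256 choice for the offset function and the counter start value are assumptions.

```python
import hmac
import hashlib

MIN_EPHEMERAL, MAX_EPHEMERAL = 49152, 65535        # assumed: IANA dynamic range
NUM_EPHEMERAL = MAX_EPHEMERAL - MIN_EPHEMERAL + 1  # 16384 candidate ports
SEQ_SPACE = 2 ** 32                                # TCP sequence-number space


def offpath_rst_guesses(rcv_wnd, ports_to_search=1):
    """Worst-case number of segments an off-path attacker must send so that
    one RST lands in-window: one guess per rcv_wnd of sequence space, repeated
    for every ephemeral port the attacker has to consider. With a predictable
    port ports_to_search is 1; with randomization it is the whole range."""
    return -(-SEQ_SPACE // rcv_wnd) * ports_to_search   # ceil division


class HashedPortSelector:
    """Ephemeral port selection in the style of RFC 6056 Algorithm 3: a single
    per-host counter plus a keyed per-destination offset. Ports observed by one
    peer therefore reveal nothing about the ports used towards another peer,
    while connections to the same peer still walk the range in order (which
    keeps the port-reuse properties of a plain counter)."""

    def __init__(self, secret, start, in_use=None):
        self.secret = secret
        self.next_ephemeral = start        # a real stack seeds this randomly
        self.in_use = set(in_use or ())    # ports currently bound locally

    def _offset(self, local_ip, remote_ip, remote_port):
        msg = f"{local_ip}|{remote_ip}|{remote_port}".encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big")

    def select(self, local_ip, remote_ip, remote_port):
        offset = self._offset(local_ip, remote_ip, remote_port)
        for _ in range(NUM_EPHEMERAL):
            port = MIN_EPHEMERAL + (self.next_ephemeral + offset) % NUM_EPHEMERAL
            self.next_ephemeral += 1
            if port not in self.in_use:    # skip ports already bound
                self.in_use.add(port)
                return port
        raise RuntimeError("ephemeral port range exhausted")


if __name__ == "__main__":
    print("fixed port, 64 KiB window:", offpath_rst_guesses(65536))
    print("randomized port, same window:", offpath_rst_guesses(65536, NUM_EPHEMERAL))
    sel = HashedPortSelector(b"constructed-secret", start=0)
    print("ports towards one peer:", [sel.select("10.0.0.1", "10.0.0.2", 80) for _ in range(3)])
```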