Re: [tcpm] Congestion control in face of ICMP unreachable messages
Joe Touch <touch@ISI.EDU> Fri, 14 September 2007 06:30 UTC
Return-path: <tcpm-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1IW4hX-00059Y-GL; Fri, 14 Sep 2007 02:30:51 -0400
Received: from [10.90.34.44] (helo=chiedprmail1.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IW4hW-00059S-0V for tcpm@ietf.org; Fri, 14 Sep 2007 02:30:50 -0400
Received: from vapor.isi.edu ([128.9.64.64]) by chiedprmail1.ietf.org with esmtp (Exim 4.43) id 1IW4hV-0001tA-Al for tcpm@ietf.org; Fri, 14 Sep 2007 02:30:49 -0400
Received: from [127.0.0.1] (pool-71-106-89-188.lsanca.dsl-w.verizon.net [71.106.89.188]) by vapor.isi.edu (8.13.8/8.13.8) with ESMTP id l8E6UbLJ014141; Thu, 13 Sep 2007 23:30:38 -0700 (PDT)
Message-ID: <46EA2A76.8040308@isi.edu>
Date: Thu, 13 Sep 2007 23:30:14 -0700
From: Joe Touch <touch@ISI.EDU>
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: Daniel Schaffrath <daniel.schaffrath@mac.com>
Subject: Re: [tcpm] Congestion control in face of ICMP unreachable messages
References: <8B61F72F-2F75-4388-976F-9748F8784AB3@mac.com> <46C5CFA1.3090603@isi.edu> <443EB15A-FBED-4325-AD04-CCC39E989DDE@mac.com> <46E15C78.4080706@isi.edu> <15CFCCD8-0CDD-4033-9B83-7C42AEEDD88A@mac.com> <46E8A7FE.6000404@isi.edu> <B1B22035-0766-403A-A4A7-C3147C38C3ED@mac.com>
In-Reply-To: <B1B22035-0766-403A-A4A7-C3147C38C3ED@mac.com>
X-Enigmail-Version: 0.95.3
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 8fbbaa16f9fd29df280814cb95ae2290
Cc: tcpm@ietf.org
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============0552746677=="
Errors-To: tcpm-bounces@ietf.org
Daniel Schaffrath wrote: ... >> The basic summary: >> - the network is under no obligation to respond with ICMPs within one RTT > That's a very valuable hint! And gives motivation why RFC 1122 after the > receipt of an ICMP (host/net) unreachable message only requests to flag > a "soft error" to the application allows continuing sending (simply > because the issue about the unreachability might have changed in the > meantime...) Correct? Basically. It's an indication that a packet hit a roadblock, but not that the roadblock is essentially permanent. That happens only at the destination (i.e., if the destination is gone, then game's over). > Are there any other boundaries as RTT for ICMPs? None per se. > Anyway, how come that > there is the possibility of late ICMPs? Routers respond with ICMPs only when they have cycles - otherwise, they could go into overload giving feedback. That's in RFC1812. >> - as a result, checking to ensure that ICMPs are in-window is incorrect >> as it will drop legitimate responses - or worse, interpret them as >> attacks >> >> The fact that an I-D remains on this point and that Linux implements it >> does not change the above. > And how come that there is an I-D on dropping legitimate responses from > the network? > > Maybe one mitigation might be to relax the window check to accept a few > older windows and not just the current one, thereby allowing proper > handling of "late" ICMPs, but still filtering some malicious ICMPs . But > as this is so obvious is has probably some (hidden) shortcoming (which I > can't think of at the moment). Once the window wraps all windows look the same. At that point, there's nothing useful to check. >>>>> If she is able to guess right, she >>>>> might as well opt to send forged ACK dupacks to cause harm, or for an >>>>> ECN capable transport just one ECE marked ACK. >>>> >>>> ICMPs don't need to come from the endpoint IP address, i.e., address >>>> verification will prevent spoofed ACKs, but cannot prevent ICMPs, since >>>> the latter need not have spoofed source addresses. >>> >>> Ok, but if a router is (potentially) able to check for spoofed IP source >>> addresses it could as well check for spoofed/illegal ICMP payloads >>> (which contain both IP addresses) . Isn't that true? >> >> Routers can check for spoofed addresses as they enter protected regions >> of the Internet; if there's a hole in that 'fence' however, packets can >> leak in. Once in, they can't necessarily be checked for spoofed >> addresses unless they're authenticated, and most are not. > But, again: isn't it true that if and only if for a given datagram a > router is able to decide whether the source address of that datagram is > spoofed, then that router could also decide (if that datagram contained > an ICMP unreachable message) whether the source IP in the ICMP payload > is spoofed or not (and act accordingly, i.e., drop it or not). Not true. IP addresses are checked two ways - with explicit authentication (which we're not talking about; that involves IPsec, e.g.) or by verifying which port they arrive on (and which router they arrive from). Let's focus on that second part. Let's say that IP address X must come in on port 3 from router Q. ICMPs that report IP address X incorrect can come in on any port, from any router. There's no rule that ICMPs must be routed the same way as the IP packets they report on. The ICMP has a different source IP address, so it could easily be routed via other paths. > So, > overall there don't arise additional attack opportunities when there was > some (to be defined) congestion control in face of ICMP (host/net) > unreachable messages (which was my original claim). I think there do, because of the above... Joe -- ---------------------------------------------------------------------- Joe Touch Sr. Network Engineer, USAF TSAT Space Segment Postel Center Director & Research Assoc. Prof., USC/ISI
_______________________________________________ tcpm mailing list tcpm@ietf.org https://www1.ietf.org/mailman/listinfo/tcpm
- [tcpm] Congestion control in face of ICMP unreach… Daniel Schaffrath
- Re: [tcpm] Congestion control in face of ICMP unr… Ted Faber
- Re: [tcpm] Congestion control in face of ICMP unr… Joe Touch
- Re: [tcpm] Congestion control in face of ICMP unr… Daniel Schaffrath
- Re: [tcpm] Congestion control in face of ICMP unr… Daniel Schaffrath
- Re: [tcpm] Congestion control in face of ICMP unr… Ted Faber
- Re: [tcpm] Congestion control in face of ICMP unr… Joe Touch
- Re: [tcpm] Congestion control in face of ICMP unr… Daniel Schaffrath
- Re: [tcpm] Congestion control in face of ICMP unr… Daniel Schaffrath
- Re: [tcpm] Congestion control in face of ICMP unr… Joe Touch
- Re: [tcpm] Congestion control in face of ICMP unr… Joe Touch
- Re: [tcpm] Congestion control in face of ICMP unr… Daniel Schaffrath
- Re: [tcpm] Congestion control in face of ICMP unr… Daniel Schaffrath
- Re: [tcpm] Congestion control in face of ICMP unr… Ted Faber
- Re: [tcpm] Congestion control in face of ICMP unr… Joe Touch
- Re: [tcpm] Congestion control in face of ICMP unr… Joe Touch
- Re: [tcpm] Congestion control in face of ICMP unr… Daniel Schaffrath
- Re: [tcpm] Congestion control in face of ICMP unr… Joe Touch
- Re: [tcpm] Congestion control in face of ICMP unr… Ted Faber