Re: [tcpm] comments on draft-ietf-tcpm-icmp-attacks-05

Joe Touch <touch@ISI.EDU> Fri, 12 June 2009 20:45 UTC

Return-Path: <touch@ISI.EDU>
Received: from localhost (localhost []) by (Postfix) with ESMTP id C35313A68EB for <>; Fri, 12 Jun 2009 13:45:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.775
X-Spam-Status: No, score=-1.775 tagged_above=-999 required=5 tests=[AWL=-0.824, BAYES_00=-2.599, FRT_TODAY2=1.648]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id vSOddx2miDrT for <>; Fri, 12 Jun 2009 13:45:03 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id E267D3A68BC for <>; Fri, 12 Jun 2009 13:45:03 -0700 (PDT)
Received: from [] ( []) by (8.13.8/8.13.8) with ESMTP id n5CKiwUJ029246; Fri, 12 Jun 2009 13:45:00 -0700 (PDT)
Message-ID: <>
Date: Fri, 12 Jun 2009 13:44:58 -0700
From: Joe Touch <touch@ISI.EDU>
User-Agent: Thunderbird (Windows/20090302)
MIME-Version: 1.0
To: Fernando Gont <>
References: <> <> <>
In-Reply-To: <>
X-Enigmail-Version: 0.95.7
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-ISI-4-43-8-MailScanner: Found to be clean
Cc: "" <>, Fernando Gont <>
Subject: Re: [tcpm] comments on draft-ietf-tcpm-icmp-attacks-05
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 12 Jun 2009 20:45:04 -0000

Hash: SHA1

Fernando Gont wrote:
>> For
>> instance, I'm not certain that setting the DF bit is
>> only possible for hosts that support PMTUD ... is there
>> a reference for that?  
> What's the reason for setting the DF flag for IP packets carrying TCP
> segments if you don't implement PMTUD?

There are systems that just don't want to implement reassembly, due to
the cost and potential for the attack at the receiver of receiving large
numbers of partial packets. small devices do this to save
compute/storage space - the Sony CLIE was one of these a few years ago,
even though PMTUD was common even at the time.

> Actually, if you don't implement PMTUD, "frag needed" becomes a hard
> error. So setting the DF flag would be sort of dumb, as in the event one
> of your segments needs to be fragmented, you'd received an ICMP "frag
> needed" message, which would reset your connection.

That's what happened when running TCP from a CLIE over a tunnel. Not
desirable from the user's view, but definitely intended.

>> Further, it discusses ambiguity
>> in 1122, that we should be clarifying in the main text
>> rather than an appendix, I think ... what does the rest
>> of the WG think?

This doc should not be clarifying anything in 1122 - that, IMO, would be
for a standards-track doc, not an informational.

Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla -