IETF Logo Mail Archive

Re: [tcpm] Congestion control in face of ICMP unreachable messages

Joe Touch <touch@ISI.EDU> Fri, 07 September 2007 14:13 UTC

Return-path: <tcpm-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1ITeaj-0006zi-Eh; Fri, 07 Sep 2007 10:13:49 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1ITeah-0006zR-Ix for tcpm@ietf.org; Fri, 07 Sep 2007 10:13:47 -0400
Received: from vapor.isi.edu ([128.9.64.64]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1ITeag-0001bm-9t for tcpm@ietf.org; Fri, 07 Sep 2007 10:13:47 -0400
Received: from [127.0.0.1] ([128.9.176.75]) by vapor.isi.edu (8.13.8/8.13.8) with ESMTP id l87EDUOt013139; Fri, 7 Sep 2007 07:13:31 -0700 (PDT)
Message-ID: <46E15C78.4080706@isi.edu>
Date: Fri, 07 Sep 2007 07:13:12 -0700
From: Joe Touch <touch@ISI.EDU>
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: Daniel Schaffrath <daniel.schaffrath@mac.com>
Subject: Re: [tcpm] Congestion control in face of ICMP unreachable messages
References: <8B61F72F-2F75-4388-976F-9748F8784AB3@mac.com> <46C5CFA1.3090603@isi.edu> <443EB15A-FBED-4325-AD04-CCC39E989DDE@mac.com>
In-Reply-To: <443EB15A-FBED-4325-AD04-CCC39E989DDE@mac.com>
X-Enigmail-Version: 0.95.3
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 4b800b1eab964a31702fa68f1ff0e955
Cc: tcpm@ietf.org
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============0500528755=="
Errors-To: tcpm-bounces@ietf.org


Daniel Schaffrath wrote:
> 
> On 2007/08/17  , at 18:41, Joe Touch wrote:
> 
>> AFAIK, congestion control response to in-band messages (ACKs) and
>> timeouts (implied loss, as TCP interprets it), as well as to some new
>> fields (ECN, etc.) which are carried in the same packets.
>>
>> Reactions to external congestion signals - ICMP source quench (which has
>> been informally deprecated a while ago, but has not been documented as
>> such yet) or otherwise - would constitute another opportunity for a DOS
>> attack, and seem like a bad idea to encourage.
>
> I am note sure your security concerns really apply :) If the bad user
> controls the forwarding node, there is no need to rely on ICMP message
> to cause harm. Instead, just dropping random segments would do the job.
> If the bad user is off the forwarding node, she would need (as usual)
> guess port and sequence numbers. 

Only port numbers. Sequence numbers strictly don't matter for ICMPs.

> If she is able to guess right, she
> might as well opt to send forged ACK dupacks to cause harm, or for an
> ECN capable transport just one ECE marked ACK.

ICMPs don't need to come from the endpoint IP address, i.e., address
verification will prevent spoofed ACKs, but cannot prevent ICMPs, since
the latter need not have spoofed source addresses.

> Overall, it seems to me that there don't arise additional attack
> opportunities if there was congestion control on ICMP messages.

Basically the above; ICMPs don't need to have forged source addresses,
but in-band attacks do.

Joe

-- 
----------------------------------------------------------------------
Joe Touch                Sr. Network Engineer, USAF TSAT Space Segment
               Postel Center Director & Research Assoc. Prof., USC/ISI


_______________________________________________
tcpm mailing list
tcpm@ietf.org
https://www1.ietf.org/mailman/listinfo/tcpm

v2.23.0 | Report a Bug | By Email