Re: [tcpm] Congestion control in face of ICMP unreachable messages
Joe Touch <touch@ISI.EDU> Fri, 07 September 2007 14:13 UTC
Return-path: <tcpm-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1ITeaj-0006zi-Eh; Fri, 07 Sep 2007 10:13:49 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1ITeah-0006zR-Ix for tcpm@ietf.org; Fri, 07 Sep 2007 10:13:47 -0400
Received: from vapor.isi.edu ([128.9.64.64]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1ITeag-0001bm-9t for tcpm@ietf.org; Fri, 07 Sep 2007 10:13:47 -0400
Received: from [127.0.0.1] ([128.9.176.75]) by vapor.isi.edu (8.13.8/8.13.8) with ESMTP id l87EDUOt013139; Fri, 7 Sep 2007 07:13:31 -0700 (PDT)
Message-ID: <46E15C78.4080706@isi.edu>
Date: Fri, 07 Sep 2007 07:13:12 -0700
From: Joe Touch <touch@ISI.EDU>
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: Daniel Schaffrath <daniel.schaffrath@mac.com>
Subject: Re: [tcpm] Congestion control in face of ICMP unreachable messages
References: <8B61F72F-2F75-4388-976F-9748F8784AB3@mac.com> <46C5CFA1.3090603@isi.edu> <443EB15A-FBED-4325-AD04-CCC39E989DDE@mac.com>
In-Reply-To: <443EB15A-FBED-4325-AD04-CCC39E989DDE@mac.com>
X-Enigmail-Version: 0.95.3
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 4b800b1eab964a31702fa68f1ff0e955
Cc: tcpm@ietf.org
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============0500528755=="
Errors-To: tcpm-bounces@ietf.org
Daniel Schaffrath wrote: > > On 2007/08/17 , at 18:41, Joe Touch wrote: > >> AFAIK, congestion control response to in-band messages (ACKs) and >> timeouts (implied loss, as TCP interprets it), as well as to some new >> fields (ECN, etc.) which are carried in the same packets. >> >> Reactions to external congestion signals - ICMP source quench (which has >> been informally deprecated a while ago, but has not been documented as >> such yet) or otherwise - would constitute another opportunity for a DOS >> attack, and seem like a bad idea to encourage. > > I am note sure your security concerns really apply :) If the bad user > controls the forwarding node, there is no need to rely on ICMP message > to cause harm. Instead, just dropping random segments would do the job. > If the bad user is off the forwarding node, she would need (as usual) > guess port and sequence numbers. Only port numbers. Sequence numbers strictly don't matter for ICMPs. > If she is able to guess right, she > might as well opt to send forged ACK dupacks to cause harm, or for an > ECN capable transport just one ECE marked ACK. ICMPs don't need to come from the endpoint IP address, i.e., address verification will prevent spoofed ACKs, but cannot prevent ICMPs, since the latter need not have spoofed source addresses. > Overall, it seems to me that there don't arise additional attack > opportunities if there was congestion control on ICMP messages. Basically the above; ICMPs don't need to have forged source addresses, but in-band attacks do. Joe -- ---------------------------------------------------------------------- Joe Touch Sr. Network Engineer, USAF TSAT Space Segment Postel Center Director & Research Assoc. Prof., USC/ISI
_______________________________________________ tcpm mailing list tcpm@ietf.org https://www1.ietf.org/mailman/listinfo/tcpm
- [tcpm] Congestion control in face of ICMP unreach… Daniel Schaffrath
- Re: [tcpm] Congestion control in face of ICMP unr… Ted Faber
- Re: [tcpm] Congestion control in face of ICMP unr… Joe Touch
- Re: [tcpm] Congestion control in face of ICMP unr… Daniel Schaffrath
- Re: [tcpm] Congestion control in face of ICMP unr… Daniel Schaffrath
- Re: [tcpm] Congestion control in face of ICMP unr… Ted Faber
- Re: [tcpm] Congestion control in face of ICMP unr… Joe Touch
- Re: [tcpm] Congestion control in face of ICMP unr… Daniel Schaffrath
- Re: [tcpm] Congestion control in face of ICMP unr… Daniel Schaffrath
- Re: [tcpm] Congestion control in face of ICMP unr… Joe Touch
- Re: [tcpm] Congestion control in face of ICMP unr… Joe Touch
- Re: [tcpm] Congestion control in face of ICMP unr… Daniel Schaffrath
- Re: [tcpm] Congestion control in face of ICMP unr… Daniel Schaffrath
- Re: [tcpm] Congestion control in face of ICMP unr… Ted Faber
- Re: [tcpm] Congestion control in face of ICMP unr… Joe Touch
- Re: [tcpm] Congestion control in face of ICMP unr… Joe Touch
- Re: [tcpm] Congestion control in face of ICMP unr… Daniel Schaffrath
- Re: [tcpm] Congestion control in face of ICMP unr… Joe Touch
- Re: [tcpm] Congestion control in face of ICMP unr… Ted Faber