IETF Logo Mail Archive

Re: [tcpm] ICMP attacks draft (issue 1): hard errors -> soft errors (in synchronized states)

Ted Faber <faber@ISI.EDU> Fri, 30 September 2005 17:41 UTC

Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1ELOsj-0006a7-Fp; Fri, 30 Sep 2005 13:41:13 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1ELOsi-0006a1-AS for tcpm@megatron.ietf.org; Fri, 30 Sep 2005 13:41:12 -0400
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA22502 for <tcpm@ietf.org>; Fri, 30 Sep 2005 13:41:11 -0400 (EDT)
Received: from boreas.isi.edu ([128.9.160.161]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1ELP0c-00033R-FW for tcpm@ietf.org; Fri, 30 Sep 2005 13:49:22 -0400
Received: from pun.isi.edu (pun.isi.edu [128.9.160.150]) by boreas.isi.edu (8.11.6p2+0917/8.11.2) with ESMTP id j8UHeCL28525; Fri, 30 Sep 2005 10:40:12 -0700 (PDT)
Received: (from faber@localhost) by pun.isi.edu (8.13.4/8.13.4/Submit) id j8UHeCYd064030; Fri, 30 Sep 2005 10:40:12 -0700 (PDT) (envelope-from faber)
Date: Fri, 30 Sep 2005 10:40:12 -0700
From: Ted Faber <faber@ISI.EDU>
To: Fernando Gont <fernando@gont.com.ar>
Subject: Re: [tcpm] ICMP attacks draft (issue 1): hard errors -> soft errors (in synchronized states)
Message-ID: <20050930174011.GK999@pun.isi.edu>
References: <6.2.0.14.0.20050923075214.0428faa8@pop.frh.utn.edu.ar> <433411E2.3020005@isi.edu> <6.2.0.14.0.20050923125332.04320008@pop.frh.utn.edu.ar> <20050923165017.GD10959@pun.isi.edu> <6.2.0.14.0.20050927015438.07c2a418@pop.frh.utn.edu.ar>
Mime-Version: 1.0
In-Reply-To: <6.2.0.14.0.20050927015438.07c2a418@pop.frh.utn.edu.ar>
User-Agent: Mutt/1.4.2.1i
X-url: http://www.isi.edu/~faber
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: faber@pun.isi.edu
X-Spam-Score: 0.0 (/)
X-Scan-Signature: c3a18ef96977fc9bcc21a621cbf1174b
Cc: tcpm@ietf.org, Joe Touch <touch@ISI.EDU>
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============0093900955=="
Sender: tcpm-bounces@ietf.org
Errors-To: tcpm-bounces@ietf.org

On Tue, Sep 27, 2005 at 02:09:48AM -0300, Fernando Gont wrote:
> At 01:50 p.m. 23/09/2005, Ted Faber wrote:
> 
> >The point is that for whatever reason, all the host can do is send a
> >Protocol Not Supported ICMP, because the TCP stack will not be reached
> >(the postulate is that the host has stopped speaking either TCP or
> >IPv4).  Because the packet can't get to the TCP stack (which may not be
> >running at all), the host can't generate an RST.
> >
> >Of course, if no ICMP is generated or gets through, the ESTABLISHED TCP
> >will eventually have a UTO and abort the connection.
> >
> >Yes, this is a pretty bizarre case, but it is a valid hard error in an
> >ESTABLISHED state, and one where aborting the connection is the most
> >sensible thing to do.
> 
> So we would keep connections vulnerable to reset attacks for that 1 in 
> 1000000th chance in which this scenario might take place?

That's a decision for the community, of course.  But my opinion is that
you need to address the issue in the draft, not implicitly assume that
tradeoff is obvious.  Even if the community adopts it, it's wise to
indicate that we thought about it. 

> (And, btw, in the event that happened, why would ignoring the ICMP message 
> hurt you? For instance, the proposed policy does not prevent the 
> application layer from being notified of the received ICMP error message! 
> So this means you still let the application shoot itself, if it wants to! 
> :-) )

Hey, I generally believe that ignoring ICMP doesn't hurt you.  What's at
issue is whether responding to this ICMP can help you.  I believe that
the document asserts that once the connection is ESTABLISHED, this ICMP
is never a valid reason to terminate the connection.  Joe's described a
situation (that consists of many different possible causes) where
listening to that ICMP is perfectly reasonable.  An application's always
welcome to shoot itself from TCP's perspective.

> 
> Also, if there's consensus on the side of "not doing anything about this", 
> then my next question/comment would be "Does it make sense to modify TCP's 
> state transition diagram (as we currently are) to address TCP-based reset 
> attacks, then? An attacker will use ICMP-based ones, because they are much 
> easier to perform!"

If you've got questions about the motivations for and support of
tcpsecure, there's no need to be coy - no need to make such comments
conditionally.  :-) 

Right now, it sounds like the answer to your question is "yes, the WG
supports the tcp secure changes, independently of the changes proposed
here." 

-- 
Ted Faber
http://www.isi.edu/~faber           PGP: http://www.isi.edu/~faber/pubkeys.asc
Unexpected attachment on this mail? See http://www.isi.edu/~faber/FAQ.html#SIG

_______________________________________________
tcpm mailing list
tcpm@ietf.org
https://www1.ietf.org/mailman/listinfo/tcpm

v2.23.0 | Report a Bug | By Email