IETF Logo Mail Archive

Re: [tcpm] comments on draft-gont-tcpm-icmp-attacks-05

Joe Touch <touch@ISI.EDU> Tue, 08 November 2005 04:49 UTC

Received: from localhost.cnri.reston.va.us ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EZLQS-0005xF-T8; Mon, 07 Nov 2005 23:49:40 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EZLQQ-0005v5-Mw for tcpm@megatron.ietf.org; Mon, 07 Nov 2005 23:49:39 -0500
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id XAA10007 for <tcpm@ietf.org>; Mon, 7 Nov 2005 23:49:13 -0500 (EST)
Received: from boreas.isi.edu ([128.9.160.161]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1EZLgA-0006wc-Mv for tcpm@ietf.org; Tue, 08 Nov 2005 00:05:55 -0500
Received: from [209.52.104.180] (pp104-180.bctel.ca [209.52.104.180]) by boreas.isi.edu (8.11.6p2+0917/8.11.2) with ESMTP id jA84cAM01194; Mon, 7 Nov 2005 20:38:10 -0800 (PST)
Message-ID: <43702BB2.4000407@isi.edu>
Date: Mon, 07 Nov 2005 20:38:10 -0800
From: Joe Touch <touch@ISI.EDU>
User-Agent: Thunderbird 1.4.1 (Windows/20051006)
MIME-Version: 1.0
To: Fernando Gont <fernando@gont.com.ar>
Subject: Re: [tcpm] comments on draft-gont-tcpm-icmp-attacks-05
References: <Pine.LNX.4.64.0511060458230.18026@netcore.fi> <436E7ABE.1000004@isi.edu> <6.2.0.14.0.20051106160757.0432ea98@localhost> <436F7C08.9020104@isi.edu> <6.2.0.14.0.20051107151117.01f2b558@localhost>
In-Reply-To: <6.2.0.14.0.20051107151117.01f2b558@localhost>
X-Enigmail-Version: 0.93.0.0
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
X-Spam-Score: 0.1 (/)
X-Scan-Signature: b22590c27682ace61775ee7b453b40d3
Cc: tcpm@ietf.org
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============0621962511=="
Sender: tcpm-bounces@ietf.org
Errors-To: tcpm-bounces@ietf.org


Fernando Gont wrote:
> At 08:08 a.m. 07/11/2005, Joe Touch wrote:
> 
>> >> and tone
>> >> of the argument changed as well. These are not - and cannot be put
>> forth
>> >> as - security issues.
>> >
>> > I disagree. The draft explains how an attacker can take advantage of
>> the
>> > described vulnerabilities. And, indeed, the ICMP-based connection-reset
>> > attack is much more trivial to perform than its TCP-based counterpart.
>>
>> It does NOT address the substantial vulnerabilities that remain, or the
> 
> You mean man in the middle attacks, or what?

Yes.

>> effect of interpreting all invalid exchanges as attacks (which I feel is
>> both overkill and inappropriate).
> 
> You implement the proposed mechanisms as counter-measures for ICMP-based
> attacks. In the event some packet is not part of an attack, the
> counter-measures will not hurt you, anyway, because ICMP is unreliable.

We've been over this one before; you make the system less functional by
dismissing correct ICMPs that end up reaching you.

>> >> We can talk about them being useful in how they mitigate the effect of
>> >> stale packets, and then - as a corellary - how some attacks emulate
>> >> stale packets.
>> >
>> > This could be true for the TCP sequence number check. But none of the
>> > attack-specific counter-measures have anything to do with stale
>> packets.
>> > If anything, they have to do with checking progress on the connection.
>>
>> Which is another kind of validity, but one that assumes that a
>> connection making progress should not also incur these kinds of signals.
>> I've described cases where non-malicious systems can behave this way.
> 
> Yes. And what is the problem if an ICMP message does not pass the
> proposed checks, not because it's part of an attack, but because it was
> caused by a stale TCP segment or whatever?

Stale is OK. The cases I'm talking about are TCP connections making
progress over multipath routing where one path is flakey and sends
ICMPs. That's not stale.

>> > If you just mitigate stale packets, you are still vulnerable to
>> > in-window attacks. The draft solves in-window attacks, which, as a
>> > corellary, solves the case of stale packets.
>>
>> It doesn't identify attacks; it (over)interprets certain behaviors as
>> attacks.
> 
> From the receiver's point of view, you cannot tell the difference.
> That's why, given the current hostile environments, it's fair to think
> bad guys may be behind these packets.

So why aren't ALL packets considered an attack in such an environment?

Yes, it's fair to think that bad guys MAY be behind the packets, but
only if you also think that good guys MAY as well. I consider it
dangerous to consider correct behavior as an attack.

>> I agree that making progress might be a reason to change the current
>> behavior of TCP/ICMP because TCP is making progress and the ICMPs can be
>> considered irrelevent - NOT AN ATTACK.
> 
> The draft does not mean that . It just means that we will implement a
> set of mechanisms that in the presence of blind ICMP-based attacks, it
> will protect us from them. It does not aim to guess whether the packet
> correspond to an attack, or not.

Yes it does; it guesses that any unexpected ICMP _is_ an attack that
should thus be ignored.

...
>> If you shut all in-window attacks, you've disabled a functioning
>> feature.
> 
> A feature you cannot depend on?

A feature that works for legitimate hosts. Short of doing
authentication, you can't "depend" on any packet.

Joe


_______________________________________________
tcpm mailing list
tcpm@ietf.org
https://www1.ietf.org/mailman/listinfo/tcpm

v2.23.0 | Report a Bug | By Email