IETF Logo Mail Archive

Re: [tcpm] feedcback on tcp-secure-05: suggested text

Joe Touch <touch@ISI.EDU> Tue, 18 July 2006 21:09 UTC

Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1G2woZ-0007xV-Cv; Tue, 18 Jul 2006 17:09:11 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1G2woY-0007tq-2T for tcpm@ietf.org; Tue, 18 Jul 2006 17:09:10 -0400
Received: from stsc1260-eth-s1-s1p1-vip.va.neustar.com ([156.154.16.129] helo=chiedprmail1.ietf.org) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1G2vqg-0002QA-No for tcpm@ietf.org; Tue, 18 Jul 2006 16:07:18 -0400
Received: from vapor.isi.edu ([128.9.64.64]) by chiedprmail1.ietf.org with esmtp (Exim 4.43) id 1G2viP-0004Lb-CS for tcpm@ietf.org; Tue, 18 Jul 2006 15:58:47 -0400
Received: from [128.9.168.63] (bet.isi.edu [128.9.168.63]) by vapor.isi.edu (8.11.6p2+0917/8.11.2) with ESMTP id k6IJvdH11005; Tue, 18 Jul 2006 12:57:39 -0700 (PDT)
Message-ID: <44BD3D2E.2070000@isi.edu>
Date: Tue, 18 Jul 2006 12:57:34 -0700
From: Joe Touch <touch@ISI.EDU>
User-Agent: Thunderbird 1.5.0.4 (Windows/20060516)
MIME-Version: 1.0
To: Ted Faber <faber@ISI.EDU>
Subject: Re: [tcpm] feedcback on tcp-secure-05: suggested text
References: <44B682AB.9010702@isi.edu> <7.0.1.0.0.20060715162015.085dce90@gont.com.ar> <44BB1965.9070305@isi.edu> <20060717180238.GE38453@hut.isi.edu> <20060718181852.GC50683@hut.isi.edu>
In-Reply-To: <20060718181852.GC50683@hut.isi.edu>
X-Enigmail-Version: 0.94.0.0
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
X-Spam-Score: -2.5 (--)
X-Scan-Signature: 4b800b1eab964a31702fa68f1ff0e955
Cc: tcpm@ietf.org
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============1766226964=="
Errors-To: tcpm-bounces@ietf.org


Ted Faber wrote:
> I've attached some text that I'd like to propose for the Security
> Considerations secition of this draft in an effort to make its scope
> clear and hopefully address some of Joe's concerns about ICMP.
> 
> This is just me, a participant, making the suggestion.
> 
> Text is attached.  Let me know what you think.
> 
> 
> 
> ------------------------------------------------------------------------
> 
> 
> 
> Implementors should be aware that the attacks detailed in this
> specification are not the only attacks available to an off-path attacker
> and that the countermeasures described herein are not a comprehensive
> defense against such attacks.
> 
> In particular, administrators should be aware that forged ICMP messages
> provide off-path attackers the opportunity to disrupt connections or
> degrade service.  Such attacks may be subject to even less scrutiny than
> the TCP attacks addressed here, especially in stacks not tuned for
> hostile environments.  Section 6.1 of RFC4301 describes the issues
> associated with unauthenticated ICMP messages, e.g., messages from an
> off-path attacker, and is a good starting point for formulating a policy
> on those messages.

I'd say 6.1.1 is more relevant; 6.1 as a whole also addresses ICMPs from
inside protected boundaries, which is not applicable outside IPsec.

> In any case, this RFC details only part of a complete strategy to
> prevent off-path attackers from disrupting services that use TCP.
> Administrators and implementors should consider the other attack vectors
> and determine appropriate mitigations in securing their systems.

Modulo above, that looks fine to me.

Joe


_______________________________________________
tcpm mailing list
tcpm@ietf.org
https://www1.ietf.org/mailman/listinfo/tcpm

v2.23.0 | Report a Bug | By Email