IETF Logo Mail Archive

Re: [tcpm] WG Last Call for ICMP Attacks

Fernando Gont <fernando@gont.com.ar> Thu, 03 September 2009 05:05 UTC

Return-Path: <fernando@gont.com.ar>
X-Original-To: tcpm@core3.amsl.com
Delivered-To: tcpm@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D8B643A684A for <tcpm@core3.amsl.com>; Wed, 2 Sep 2009 22:05:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.193
X-Spam-Level:
X-Spam-Status: No, score=-3.193 tagged_above=-999 required=5 tests=[AWL=0.406, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SHkO2BUNdhPK for <tcpm@core3.amsl.com>; Wed, 2 Sep 2009 22:05:41 -0700 (PDT)
Received: from smtp1.xmundo.net (smtp1.xmundo.net [201.216.232.80]) by core3.amsl.com (Postfix) with ESMTP id 0E08E3A688C for <tcpm@ietf.org>; Wed, 2 Sep 2009 22:05:40 -0700 (PDT)
Received: from venus.xmundo.net (venus.xmundo.net [201.216.232.56]) by smtp1.xmundo.net (Postfix) with ESMTP id 1AB8F6B677D; Thu, 3 Sep 2009 01:48:59 -0300 (ART)
Received: from [192.168.0.136] (129-130-17-190.fibertel.com.ar [190.17.130.129]) (authenticated bits=0) by venus.xmundo.net (8.14.1/8.14.1) with ESMTP id n834mcnq013315; Thu, 3 Sep 2009 01:48:39 -0300
Message-ID: <4A9F4AB1.6070605@gont.com.ar>
Date: Thu, 03 Sep 2009 01:48:49 -0300
From: Fernando Gont <fernando@gont.com.ar>
User-Agent: Thunderbird 2.0.0.23 (Windows/20090812)
MIME-Version: 1.0
To: "Smith, Donald" <Donald.Smith@qwest.com>
References: <F1534040-EA0D-44E4-98F7-67C24CD12CCF@windriver.com> <B01905DA0C7CDC478F42870679DF0F1005B64E383D@qtdenexmbm24.AD.QINTRA.COM>
In-Reply-To: <B01905DA0C7CDC478F42870679DF0F1005B64E383D@qtdenexmbm24.AD.QINTRA.COM>
X-Enigmail-Version: 0.95.7
OpenPGP: id=D076FFF1
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-Greylist: Sender succeeded SMTP AUTH authentication, not delayed by milter-greylist-3.0 (venus.xmundo.net [201.216.232.56]); Thu, 03 Sep 2009 01:48:58 -0300 (ART)
Cc: 'tcpm Extensions WG' <tcpm@ietf.org>, 'David Borman' <david.borman@windriver.com>
Subject: Re: [tcpm] WG Last Call for ICMP Attacks
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tcpm>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Sep 2009 05:05:43 -0000

Hello, Donald,

Thanks so much for your feedback! Comments inline.... (I have removed
those comments that I will apply and didn't need further clarification...)


Smith, Donald wrote:
> 1. ICMP [RFC0792] is a fundamental part of the TCP/IP protocol suite,
>  and is used mainly for reporting network error conditions.
> 
> ICMP is part of the IP protocol suite.

The protocol suite is referred to as "TCP/IP"...



> 2.2 Therefore, in the case of TCP, an attacker could send a forged
> ICMP message to the attacked system, and, as long as he is able to
> guess the four-tuple (i.e., Source IP Address, Source TCP port,
> Destination IP Address, and Destination TCP port) that identifies the
>  communication instance to be attacked, he will be able to use ICMP
> to perform a variety of attacks.
> 
> Forged usually implies that source ip address has been spoofed
> usually to come from some type of trusted host. Crafted is the term
[...]

I'll adopt the term/phrase you and Joe have converged to.



> 4.1 Many TCP implementations have incorporated a validation check so 
> makes TCP react only to those ICMP error messages elicited by 
> segments that were "in-flight" to the destination system.
> 
> Grammer and minor correction for elicited: Many TCP implementations
> have incorporated a validation check to make TCP react only to those
> ICMP error messages that appear to have been caused by segments that
> were "in-flight" to the destination system.

Does "elicited" sound bad? (english as a second language here, sorry)




> 5.2 Assuming that once a connection is established it is not usual
> for the transport protocol to change (or be reloaded), it should be
> unusual to get these error messages. Should be: Assuming that once a
> connection is established it is usual for the transport protocol to
> change (or be reloaded), it should be unusual to get these error 
> messages.
> 
> 
> ...(still 5.2)
> 
> ICMPv6 type 1 (Destination Unreachable), code 1 (communication with 
> destination administratively prohibited)
> 
> This error message indicates that the destination is unreachable 
> because of an administrative policy.  For connection-oriented 
> protocols such as TCP, one could expect to receive such an error as
> the result of a connection-establishment attempt.  Receiving such an
> error for a connection in any of the synchronized states would mean
> that the administrative policy changed during the life of the
> connection.  However, in the same way this error condition (which was
> not present when the conenction was established) appeared, it could
> get solved solved in the near term.
> 
> This actually does occur in some cases where bruteforce password
> attempts causes a tool such as fail2ban to block access. and
> connection not conenction.

Ok. Will add a note on this. If you have any proposed text, please let
me know.



> 7.1 The PMTUD mechanism for IPv4 uses the Don't Fragment (DF) bit in
> the IP header to dynamically discover the Path MTU.  The basic idea 
> behind the PMTUD mechanism is that a source system assumes that the 
> MTU of the path is that of the first hop, and sends all its datagrams
>  with the DF bit set.  If any of the datagrams is too large to be 
> forwarded without fragmentation by some intermediate router, the 
> router will discard the corresponding datagram, and will return an 
> ICMP "Destination Unreachable" (type 3) "fragmentation neeed and DF 
> set" (code 4) error message to the sending system.  This message will
>  report the MTU of the constricting hop, so that the sending system 
> can reduce the assumed Path-MTU accordingly.
> 
> Spelling and grammer: If any of the datagrams is too large -> If any
> of the datagrams are too large.

mmmm... aren't we meaning that "as long as *one* of them is too large"?



> As discussed in both [RFC1191] and [RFC1981], the Path-MTU Discovery 
> mechanism can be used to attack TCP.  An attacker could send a forged
>  ICMP "Destination Unreachable, fragmentation needed and DF set" 
> packet (or their ICMPv6 counterpart) to the sending system, 
> advertising a small Next-Hop MTU.  As a result, the attacked system 
> would reduce the size of the packets it sends for the corresponding 
> connection accordingly.
> 
> Again I would suggest crafted instead of forged.

Well, even with the discussion you provided about "forged" vs.
"crafted", the attacker does forge the IP/TCP packet contained in the
ICMP payload...

Thanks so much!

Kind regards,
-- 
Fernando Gont
e-mail: fernando@gont.com.ar || fgont@acm.org
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1

v2.23.0 | Report a Bug | By Email