Re: [tcpm] WG Last Call for ICMP Attacks
Fernando Gont <fernando@gont.com.ar> Thu, 03 September 2009 05:05 UTC
Return-Path: <fernando@gont.com.ar>
X-Original-To: tcpm@core3.amsl.com
Delivered-To: tcpm@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D8B643A684A for <tcpm@core3.amsl.com>; Wed, 2 Sep 2009 22:05:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.193
X-Spam-Level:
X-Spam-Status: No, score=-3.193 tagged_above=-999 required=5 tests=[AWL=0.406, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SHkO2BUNdhPK for <tcpm@core3.amsl.com>; Wed, 2 Sep 2009 22:05:41 -0700 (PDT)
Received: from smtp1.xmundo.net (smtp1.xmundo.net [201.216.232.80]) by core3.amsl.com (Postfix) with ESMTP id 0E08E3A688C for <tcpm@ietf.org>; Wed, 2 Sep 2009 22:05:40 -0700 (PDT)
Received: from venus.xmundo.net (venus.xmundo.net [201.216.232.56]) by smtp1.xmundo.net (Postfix) with ESMTP id 1AB8F6B677D; Thu, 3 Sep 2009 01:48:59 -0300 (ART)
Received: from [192.168.0.136] (129-130-17-190.fibertel.com.ar [190.17.130.129]) (authenticated bits=0) by venus.xmundo.net (8.14.1/8.14.1) with ESMTP id n834mcnq013315; Thu, 3 Sep 2009 01:48:39 -0300
Message-ID: <4A9F4AB1.6070605@gont.com.ar>
Date: Thu, 03 Sep 2009 01:48:49 -0300
From: Fernando Gont <fernando@gont.com.ar>
User-Agent: Thunderbird 2.0.0.23 (Windows/20090812)
MIME-Version: 1.0
To: "Smith, Donald" <Donald.Smith@qwest.com>
References: <F1534040-EA0D-44E4-98F7-67C24CD12CCF@windriver.com> <B01905DA0C7CDC478F42870679DF0F1005B64E383D@qtdenexmbm24.AD.QINTRA.COM>
In-Reply-To: <B01905DA0C7CDC478F42870679DF0F1005B64E383D@qtdenexmbm24.AD.QINTRA.COM>
X-Enigmail-Version: 0.95.7
OpenPGP: id=D076FFF1
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-Greylist: Sender succeeded SMTP AUTH authentication, not delayed by milter-greylist-3.0 (venus.xmundo.net [201.216.232.56]); Thu, 03 Sep 2009 01:48:58 -0300 (ART)
Cc: 'tcpm Extensions WG' <tcpm@ietf.org>, 'David Borman' <david.borman@windriver.com>
Subject: Re: [tcpm] WG Last Call for ICMP Attacks
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tcpm>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Sep 2009 05:05:43 -0000
Hello, Donald, Thanks so much for your feedback! Comments inline.... (I have removed those comments that I will apply and didn't need further clarification...) Smith, Donald wrote: > 1. ICMP [RFC0792] is a fundamental part of the TCP/IP protocol suite, > and is used mainly for reporting network error conditions. > > ICMP is part of the IP protocol suite. The protocol suite is referred to as "TCP/IP"... > 2.2 Therefore, in the case of TCP, an attacker could send a forged > ICMP message to the attacked system, and, as long as he is able to > guess the four-tuple (i.e., Source IP Address, Source TCP port, > Destination IP Address, and Destination TCP port) that identifies the > communication instance to be attacked, he will be able to use ICMP > to perform a variety of attacks. > > Forged usually implies that source ip address has been spoofed > usually to come from some type of trusted host. Crafted is the term [...] I'll adopt the term/phrase you and Joe have converged to. > 4.1 Many TCP implementations have incorporated a validation check so > makes TCP react only to those ICMP error messages elicited by > segments that were "in-flight" to the destination system. > > Grammer and minor correction for elicited: Many TCP implementations > have incorporated a validation check to make TCP react only to those > ICMP error messages that appear to have been caused by segments that > were "in-flight" to the destination system. Does "elicited" sound bad? (english as a second language here, sorry) > 5.2 Assuming that once a connection is established it is not usual > for the transport protocol to change (or be reloaded), it should be > unusual to get these error messages. Should be: Assuming that once a > connection is established it is usual for the transport protocol to > change (or be reloaded), it should be unusual to get these error > messages. > > > ...(still 5.2) > > ICMPv6 type 1 (Destination Unreachable), code 1 (communication with > destination administratively prohibited) > > This error message indicates that the destination is unreachable > because of an administrative policy. For connection-oriented > protocols such as TCP, one could expect to receive such an error as > the result of a connection-establishment attempt. Receiving such an > error for a connection in any of the synchronized states would mean > that the administrative policy changed during the life of the > connection. However, in the same way this error condition (which was > not present when the conenction was established) appeared, it could > get solved solved in the near term. > > This actually does occur in some cases where bruteforce password > attempts causes a tool such as fail2ban to block access. and > connection not conenction. Ok. Will add a note on this. If you have any proposed text, please let me know. > 7.1 The PMTUD mechanism for IPv4 uses the Don't Fragment (DF) bit in > the IP header to dynamically discover the Path MTU. The basic idea > behind the PMTUD mechanism is that a source system assumes that the > MTU of the path is that of the first hop, and sends all its datagrams > with the DF bit set. If any of the datagrams is too large to be > forwarded without fragmentation by some intermediate router, the > router will discard the corresponding datagram, and will return an > ICMP "Destination Unreachable" (type 3) "fragmentation neeed and DF > set" (code 4) error message to the sending system. This message will > report the MTU of the constricting hop, so that the sending system > can reduce the assumed Path-MTU accordingly. > > Spelling and grammer: If any of the datagrams is too large -> If any > of the datagrams are too large. mmmm... aren't we meaning that "as long as *one* of them is too large"? > As discussed in both [RFC1191] and [RFC1981], the Path-MTU Discovery > mechanism can be used to attack TCP. An attacker could send a forged > ICMP "Destination Unreachable, fragmentation needed and DF set" > packet (or their ICMPv6 counterpart) to the sending system, > advertising a small Next-Hop MTU. As a result, the attacked system > would reduce the size of the packets it sends for the corresponding > connection accordingly. > > Again I would suggest crafted instead of forged. Well, even with the discussion you provided about "forged" vs. "crafted", the attacker does forge the IP/TCP packet contained in the ICMP payload... Thanks so much! Kind regards, -- Fernando Gont e-mail: fernando@gont.com.ar || fgont@acm.org PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
- [tcpm] WG Last Call for ICMP Attacks David Borman
- Re: [tcpm] WG Last Call for ICMP Attacks Smith, Donald
- Re: [tcpm] WG Last Call for ICMP Attacks Joe Touch
- Re: [tcpm] WG Last Call for ICMP Attacks Smith, Donald
- Re: [tcpm] WG Last Call for ICMP Attacks Joe Touch
- Re: [tcpm] WG Last Call for ICMP Attacks Fernando Gont
- Re: [tcpm] WG Last Call for ICMP Attacks toby.moncaster
- Re: [tcpm] WG Last Call for ICMP Attacks Fernando Gont
- Re: [tcpm] WG Last Call for ICMP Attacks Smith, Donald
- Re: [tcpm] WG Last Call for ICMP Attacks Fernando Gont
- Re: [tcpm] WG Last Call for ICMP Attacks Smith, Donald
- Re: [tcpm] WG Last Call for ICMP Attacks Joe Touch
- Re: [tcpm] WG Last Call for ICMP Attacks Fernando Gont
- Re: [tcpm] WG Last Call for ICMP Attacks Lars Eggert
- Re: [tcpm] WG Last Call for ICMP Attacks Joe Touch
- Re: [tcpm] WG Last Call for ICMP Attacks Carlos Pignataro
- Re: [tcpm] WG Last Call for ICMP Attacks Joe Touch
- Re: [tcpm] WG Last Call for ICMP Attacks Carlos Pignataro
- Re: [tcpm] WG Last Call for ICMP Attacks Joe Touch
- Re: [tcpm] WG Last Call for ICMP Attacks Carlos Pignataro
- Re: [tcpm] WG Last Call for ICMP Attacks Joe Touch
- Re: [tcpm] WG Last Call for ICMP Attacks Anantha Ramaiah (ananth)
- Re: [tcpm] WG Last Call for ICMP Attacks Joe Touch
- Re: [tcpm] WG Last Call for ICMP Attacks Fernando Gont