Re: tcpm-antispoof and TCP's weakness [Re: [tcpm] ICMP attacks draft (issue 1): hard errors -> soft errors (in synchronized states)]
Joe Touch <touch@ISI.EDU> Sun, 02 October 2005 03:53 UTC
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1ELuuQ-0002vj-PB; Sat, 01 Oct 2005 23:53:06 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1ELuuH-0002tl-1G for tcpm@megatron.ietf.org; Sat, 01 Oct 2005 23:53:02 -0400
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id XAA11932 for <tcpm@ietf.org>; Sat, 1 Oct 2005 23:52:53 -0400 (EDT)
Received: from boreas.isi.edu ([128.9.160.161]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1ELv2S-00080H-AO for tcpm@ietf.org; Sun, 02 Oct 2005 00:01:25 -0400
Received: from [128.9.176.133] (ras33.isi.edu [128.9.176.133]) by boreas.isi.edu (8.11.6p2+0917/8.11.2) with ESMTP id j923psL21815; Sat, 1 Oct 2005 20:51:54 -0700 (PDT)
Message-ID: <433F5958.5070408@isi.edu>
Date: Sat, 01 Oct 2005 20:51:52 -0700
From: Joe Touch <touch@ISI.EDU>
User-Agent: Mozilla Thunderbird 1.0.2 (Windows/20050317)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Pekka Savola <pekkas@netcore.fi>
Subject: Re: tcpm-antispoof and TCP's weakness [Re: [tcpm] ICMP attacks draft (issue 1): hard errors -> soft errors (in synchronized states)]
References: <6.2.0.14.0.20050923075214.0428faa8@pop.frh.utn.edu.ar> <433411E2.3020005@isi.edu> <6.2.0.14.0.20050923125332.04320008@pop.frh.utn.edu.ar> <20050923165017.GD10959@pun.isi.edu> <6.2.0.14.0.20050927015438.07c2a418@pop.frh.utn.edu.ar> <20050930174011.GK999@pun.isi.edu> <6.2.0.14.0.20050930150854.0592eee0@pop.frh.utn.edu.ar> <433D85BD.4020204@isi.edu> <Pine.LNX.4.61.0510010830320.31739@netcore.fi>
In-Reply-To: <Pine.LNX.4.61.0510010830320.31739@netcore.fi>
X-Enigmail-Version: 0.92.0.0
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 0a7aa2e6e558383d84476dc338324fab
Cc: tcpm@ietf.org, Fernando Gont <fernando@gont.com.ar>
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============1094329119=="
Sender: tcpm-bounces@ietf.org
Errors-To: tcpm-bounces@ietf.org
Pekka Savola wrote: > On Fri, 30 Sep 2005, Joe Touch wrote: > >>> "The strength of a chain is that of the weakest link", I mean. >> >> >> But TCP-antispoof explains that the chain is already sufficiently weak >> in many cases even if you try to fix ICMP. > > > While you as an editor of a WG document may have such an individual > opinion, I didn't get that impression from the draft, and I'd like to > see the draft changed if that was the intended tone. My sentence above should have implied "whether you fix ICMP or not". I do feel that's the case, but I agree that the doc didn't address that - mostly because this issue wasn't the focus of that doc. If it is agreed, I'd be glad to add that or something to that effect. > While the TCP's security (not considering ICMPs) is not very strong, I > do not think it can be classified as "weak" either, especially in > scenarios where certain insecurities of IP (e.g., source address > spoofing) can be eliminated. Cases where source address spoofing can be eliminated amount to real security, either by signatures or by trusted edge filtering. I would conclude that TCP doesn't have security (because it doesn't), and that this weakness can be made strong by using real security (TCP/MD5, IPsec). These help ICMP only where the entire payload is included in the ICMP reply - which goes back to the point I made earlier about validation needing to do the same thing, BTW. Joe
_______________________________________________ tcpm mailing list tcpm@ietf.org https://www1.ietf.org/mailman/listinfo/tcpm
- [tcpm] ICMP attacks draft (issue 1): hard errors … Fernando Gont
- Re: [tcpm] ICMP attacks draft (issue 1): hard err… Joe Touch
- Re: [tcpm] ICMP attacks draft (issue 1): hard err… Fernando Gont
- Re: [tcpm] ICMP attacks draft (issue 1): hard err… Ted Faber
- Re: [tcpm] ICMP attacks draft (issue 1): hard err… Joe Touch
- Re: [tcpm] ICMP attacks draft (issue 1): hard err… Fernando Gont
- Re: [tcpm] ICMP attacks draft (issue 1): hard err… Fernando Gont
- Re: [tcpm] ICMP attacks draft (issue 1): hard err… Fernando Gont
- Re: [tcpm] ICMP attacks draft (issue 1): hard err… Joe Touch
- Re: [tcpm] ICMP attacks draft (issue 1): hard err… Joe Touch
- Re: [tcpm] ICMP attacks draft (issue 1): hard err… Fernando Gont
- Re: [tcpm] ICMP attacks draft (issue 1): hard err… Joe Touch
- Re: [tcpm] ICMP attacks draft (issue 1): hard err… Fernando Gont
- Re: [tcpm] ICMP attacks draft (issue 1): hard err… Joe Touch
- Re: [tcpm] ICMP attacks draft (issue 1): hard err… Fernando Gont
- Re: [tcpm] ICMP attacks draft (issue 1): hard err… Joe Touch
- Re: [tcpm] ICMP attacks draft (issue 1): hard err… Lloyd Wood
- Re: [tcpm] ICMP attacks draft (issue 1): hard err… Jakob Heitz
- Re: [tcpm] ICMP attacks draft (issue 1): hard err… Fernando Gont
- Re: [tcpm] ICMP attacks draft (issue 1): hard err… Ted Faber
- Re: [tcpm] ICMP attacks draft (issue 1): hard err… Fernando Gont
- Re: [tcpm] ICMP attacks draft (issue 1): hard err… Joe Touch
- Re: [tcpm] ICMP attacks draft (issue 1): hard err… Fernando Gont
- Re: [tcpm] ICMP attacks draft (issue 1): hard err… Joe Touch
- Re: [tcpm] ICMP attacks draft (issue 1): hard err… Lloyd Wood
- Re: [tcpm] ICMP attacks draft (issue 1): hard err… Ted Faber
- Re: [tcpm] ICMP attacks draft (issue 1): hard err… Ted Faber
- Re: [tcpm] ICMP attacks draft (issue 1): hard err… Ted Faber
- Re: [tcpm] ICMP attacks draft (issue 1): hard err… Joe Touch
- tcpm-antispoof and TCP's weakness [Re: [tcpm] ICM… Pekka Savola
- Re: tcpm-antispoof and TCP's weakness [Re: [tcpm]… Joe Touch
- Re: tcpm-antispoof and TCP's weakness [Re: [tcpm]… Pekka Savola