IETF Logo Mail Archive

Re: [tcpm] Some comments on tcpsecure

Joe Touch <touch@ISI.EDU> Fri, 04 April 2008 20:21 UTC

Return-Path: <tcpm-bounces@ietf.org>
X-Original-To: tcpm-archive@megatron.ietf.org
Delivered-To: ietfarch-tcpm-archive@core3.amsl.com
Received: from core3.amsl.com (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D49813A6969; Fri, 4 Apr 2008 13:21:37 -0700 (PDT)
X-Original-To: tcpm@core3.amsl.com
Delivered-To: tcpm@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 62E103A68BA for <tcpm@core3.amsl.com>; Fri, 4 Apr 2008 13:21:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4wNELlzrCnF0 for <tcpm@core3.amsl.com>; Fri, 4 Apr 2008 13:21:35 -0700 (PDT)
Received: from vapor.isi.edu (vapor.isi.edu [128.9.64.64]) by core3.amsl.com (Postfix) with ESMTP id 8CF633A6969 for <tcpm@ietf.org>; Fri, 4 Apr 2008 13:21:35 -0700 (PDT)
Received: from [127.0.0.1] (193.sub-70-212-209.myvzw.com [70.212.209.193]) by vapor.isi.edu (8.13.8/8.13.8) with ESMTP id m34KLS9i029045 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Fri, 4 Apr 2008 13:21:29 -0700 (PDT)
Message-ID: <47F68DC7.2050303@isi.edu>
Date: Fri, 04 Apr 2008 13:21:27 -0700
From: Joe Touch <touch@ISI.EDU>
User-Agent: Thunderbird 2.0.0.12 (Windows/20080213)
MIME-Version: 1.0
To: Fernando Gont <fernando@gont.com.ar>
References: <200804041832.m34IWTC5025090@venus.xmundo.net> <47F68794.6050100@isi.edu> <200804042012.m34KCk8U022643@venus.xmundo.net>
In-Reply-To: <200804042012.m34KCk8U022643@venus.xmundo.net>
X-Enigmail-Version: 0.95.6
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
Cc: tcpm@ietf.org
Subject: Re: [tcpm] Some comments on tcpsecure
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============0048871778=="
Sender: tcpm-bounces@ietf.org
Errors-To: tcpm-bounces@ietf.org


Fernando Gont wrote:
> At 04:55 p.m. 04/04/2008, Joe Touch wrote:
> 
>>> The first one is the ICMP attacks draft 
>>> (draft-ietf-tcpm-icmp-attacks). While tcpsecure mentions the security 
>>> implications of ICMP on TCP conenctions, it does not reference the 
>>> I-D. IIRC, this had already been pointed out by Joe (?). As far as 
>>> the specifications are concerned, you shouldn't bother to fix 
>>> TCP-based reset attacks if you don't fix the the ICMP-based ones.
>>
>> Agreed; should this doc recommend filtering out ICMPs as a result? 
>> (there's no in-window checks that are meaningful, since ICMPs are not 
>> guaranteed to be timely) I.e., something stronger than "there's 
>> nothing we can do", which is what is implied in the current security 
>> considerations.
> 
> Ha... So we have been arguing about the ICMP stuff for almost four years 
> on the idea that it is too aggressive to require ICMP error messages to 
> be in-window, and now we're going to propose to filter them out? 

ICMPs are already filtered out for security reasons at firewalls. The 
key here is whether to recommend that action or not.

As to filtering them when they're in- vs out- of window, the issue there 
is whether that even means anything. The point is that with arbitrary 
delays, the location of an ICMP's TCP header with respect to the current 
outstanding window has no useful meaning, so it cannot (and thus should 
not) serve as a useful descriminator.

 > Seems
> ironic to me. (And you cannot do it with "frag needed and DF bit set". 
> Well, you *could* implement the new PMTUD that does not rely on ICMP 
> error messages. But ignoring ICMP error messages will increse the PMTUD 
> convergence time).
> 
> And, for what is worth, strictly speaking there's no such a thing as a 
> TCP MSL, either. TCP's MSL is based on the assumption that the IP TTL is 
> decremented at least once every second. And this is not warranted, 
> either. There's not such enforcement as there is in, e.g., Delta-t.

If there's no MSL, then that's even more reason not to use window 
information to determine the validity of an ICMP. At that point, not 
only might you be receiving a very old ICMP, you might be receiving a 
very recent ICMP for a very old TCP segment.

>>> The other doc is the port randomization draft 
>>> (draft-tsvwg-port-randomization).
>>
>> Also ISN randomization (RFC-1948), for similar reasons. Even though 
>> some of the RST attacks span the entire window, knowing the ISN can 
>> help during the initial handshake and shortly thereafter.
> 
> Agreed. (Although the math in "Slipping in the window" does not assume 
> the attacker can predict the ISN).

Right - it's not nearly as important as the port randomization for this 
case.

Joe


_______________________________________________
tcpm mailing list
tcpm@ietf.org
https://www.ietf.org/mailman/listinfo/tcpm

v2.31.3 | Report a Bug | By Email | System Status