RE: [tcpm] feedcback on tcp-secure-05
"Anantha Ramaiah \(ananth\)" <ananth@cisco.com> Tue, 18 July 2006 02:34 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1G2fPq-00035b-9W; Mon, 17 Jul 2006 22:34:30 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1G2fPo-00033K-5B for tcpm@ietf.org; Mon, 17 Jul 2006 22:34:28 -0400
Received: from sj-iport-2-in.cisco.com ([171.71.176.71] helo=sj-iport-2.cisco.com) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1G2fOJ-0007ww-73 for tcpm@ietf.org; Mon, 17 Jul 2006 22:32:56 -0400
Received: from sj-dkim-1.cisco.com ([171.71.179.21]) by sj-iport-2.cisco.com with ESMTP; 17 Jul 2006 19:32:55 -0700
X-IronPort-AV: i="4.06,253,1149490800"; d="scan'208"; a="329604396:sNHT28665994"
Received: from sj-core-1.cisco.com (sj-core-1.cisco.com [171.71.177.237]) by sj-dkim-1.cisco.com (8.12.11.20060308/8.12.11) with ESMTP id k6I2WsH4001386; Mon, 17 Jul 2006 19:32:54 -0700
Received: from xbh-sjc-211.amer.cisco.com (xbh-sjc-211.cisco.com [171.70.151.144]) by sj-core-1.cisco.com (8.12.10/8.12.6) with ESMTP id k6I2WrJi006992; Mon, 17 Jul 2006 19:32:53 -0700 (PDT)
Received: from xmb-sjc-21c.amer.cisco.com ([171.70.151.176]) by xbh-sjc-211.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Mon, 17 Jul 2006 19:32:53 -0700
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Subject: RE: [tcpm] feedcback on tcp-secure-05
Date: Mon, 17 Jul 2006 19:32:52 -0700
Message-ID: <0C53DCFB700D144284A584F54711EC5801DF8827@xmb-sjc-21c.amer.cisco.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [tcpm] feedcback on tcp-secure-05
Thread-Index: AcaprbZOVXuVb08gR4qFs6D1JlymzQAYC+VQ
From: "Anantha Ramaiah (ananth)" <ananth@cisco.com>
To: Joe Touch <touch@ISI.EDU>
X-OriginalArrivalTime: 18 Jul 2006 02:32:53.0725 (UTC) FILETIME=[78AB18D0:01C6AA12]
DKIM-Signature: a=rsa-sha1; q=dns; l=4338; t=1153189974; x=1154053974; c=relaxed/simple; s=sjdkim1002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=ananth@cisco.com; z=From:=22Anantha=20Ramaiah=20\(ananth\)=22=20<ananth@cisco.com> |Subject:RE=3A=20[tcpm]=20feedcback=20on=20tcp-secure-05; X=v=3Dcisco.com=3B=20h=3DCeksYhPTKiajql2H6p2yZiTQwso=3D; b=ekJ0O1t7kZMGYIKffrvL07f/X4/G7veE4HDe7F3s251uGeCBAEBD5huOazDxiRrFRMJHgeBV 91iHHf4e+z3q+FfiN3/J3EWQUN+m03G8LEzBzRimA8Q4dhCn/2PUBRe5;
Authentication-Results: sj-dkim-1.cisco.com; header.From=ananth@cisco.com; dkim=pass ( sig from cisco.com verified; );
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 36c793b20164cfe75332aa66ddb21196
Cc: tcpm@ietf.org, Fernando Gont <fernando@gont.com.ar>
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
Errors-To: tcpm-bounces@ietf.org
> -----Original Message----- > From: Joe Touch [mailto:touch@ISI.EDU] > Sent: Monday, July 17, 2006 7:31 AM > To: Anantha Ramaiah (ananth) > Cc: Fernando Gont; tcpm@ietf.org > Subject: Re: [tcpm] feedcback on tcp-secure-05 > > > > Anantha Ramaiah (ananth) wrote: > .. > > Another point to note is that TCP SHOULD act (not a MUST) on ICMP > > reported hard errors. Also in some cases like "port > unreachable" can > > be ignored since TCP uses the RST for the purpose of port > unreachability. > > This is as per RFC 1122. > > 1122 actually states exactly the opposite: > > A transport protocol > that has its own mechanism for notifying the sender that a > port is unreachable (e.g., TCP, which sends RST segments) > MUST nevertheless accept an ICMP Port Unreachable for the > same purpose. Yep, I stand corrected but one of main points above was to point out the SHOULD language (which makes sense) instead of MUST. > > > - Some applications would chose to ignore the so called hard errors > > for a TCP connection. In other words the behaviour can be > controlled > > by a CLI and the default would be to ignore this hard > errors. So the > > connection reset wouldn't happen. > > The default SHOULD be to act on hard errors unless overridden > by the application; to do otherwise would be to redefine 1122 > in this regard. Going neutral here, since the systems which I have worked do ignore them by default and it isn't an RFC voilation. As per RFC 2119 : "3. SHOULD This word, or the adjective "RECOMMENDED", mean that there may exist valid reasons in particular circumstances to ignore a particular item, but the full implications must be understood and carefully weighed before choosing a different course." Most of the applications would like to have a say in the treatment of ICMP errors by requesting the errors to be passed to it and then determine the course of action to take. For the ICMP hard errors described, the action generally doesn't result in connection closure and also some applications don't even register for some of the hard errors and also expect TCP not to close the connection instead silently ignore them Actually application or TCP level keepalives or retransmission timeouts act as a catalyst for the connection closure generally and not ICMP errors. But YMMV and I do not intend to argue on this point. Just stating my experience. > > ... > > I guess my point is ICMP attacks may be a weakest link, but > wouldn't > > cause connection resets with proper installed workarounds in place. > > Yes, I mean without voilating the current RFC's. > > Those workarounds MUST be in place, or they ARE the weakest > link. That's the point that this document must discuss at least. I don't think that tcpsecure document should discuss these workarounds or advise anything of that sort. It is always good to keep the scope of the document right and tight. > > > Also with or without ICMP mitigations in place, one could > still cause > > a TCP connection to RESET, if the mitigations described in > tcp-secure > > isn't present. > > Without ICMP protection, why bother with a RST when the ICMP > is _easier_ to generate? Easier to generate but workarounds can be planted if necessary like I have described in earlier emails. On the other hand there aren't any known "generic workarounds" available for the issues described in tcp-secure. I say generic workarounds since MD5 is used only by a handful of applications like BGP, LDP and is a costly workaround and Anyways just to summarize : The tcp-secure document, can, at the most state something informative like "ICMP attacks aren't covered in this document blah blah..." and provide a pointer to the icmp draft if needed. To suggest about blocking ICMP etc., calls for stretching too far the scope of the doc and also it introduces obvious incompleteness. What if somebody wants to provide some pointer and suggest some blocking/mitigation mechanisms for something else..? I see no end to this that way.. Agree/dis-agree ? :) -Anantha > > Joe > > _______________________________________________ tcpm mailing list tcpm@ietf.org https://www1.ietf.org/mailman/listinfo/tcpm
- [tcpm] feedcback on tcp-secure-05 Joe Touch
- Re: [tcpm] feedcback on tcp-secure-05 Pekka Savola
- Re: [tcpm] feedcback on tcp-secure-05 Joe Touch
- Re: [tcpm] feedcback on tcp-secure-05 Pekka Savola
- Re: [tcpm] feedcback on tcp-secure-05 Randall Stewart
- Re: [tcpm] feedcback on tcp-secure-05 Joe Touch
- Re: [tcpm] feedcback on tcp-secure-05 Joe Touch
- Re: [tcpm] feedcback on tcp-secure-05 Joe Touch
- Re: [tcpm] feedcback on tcp-secure-05 Randall Stewart
- Re: [tcpm] feedcback on tcp-secure-05 Joe Touch
- Re: [tcpm] feedcback on tcp-secure-05 Fernando Gont
- RE: [tcpm] feedcback on tcp-secure-05 Fernando Gont
- RE: [tcpm] feedcback on tcp-secure-05 Anantha Ramaiah (ananth)
- Re: [tcpm] feedcback on tcp-secure-05 Joe Touch
- Re: [tcpm] feedcback on tcp-secure-05 Joe Touch
- RE: [tcpm] feedcback on tcp-secure-05 Anantha Ramaiah (ananth)
- Re: [tcpm] feedcback on tcp-secure-05 Joe Touch
- Re: [tcpm] feedcback on tcp-secure-05 Ted Faber
- RE: [tcpm] feedcback on tcp-secure-05 Anantha Ramaiah (ananth)
- Re: [tcpm] feedcback on tcp-secure-05 Fernando Gont
- RE: [tcpm] feedcback on tcp-secure-05 Mitesh Dalal (mdalal)
- Re: [tcpm] feedcback on tcp-secure-05 Joe Touch
- Re: [tcpm] feedcback on tcp-secure-05 Joe Touch
- RE: [tcpm] feedcback on tcp-secure-05 Anantha Ramaiah (ananth)
- Re: [tcpm] feedcback on tcp-secure-05: suggested … Ted Faber
- Re: [tcpm] feedcback on tcp-secure-05: suggested … Pekka Savola
- Re: [tcpm] feedcback on tcp-secure-05: suggested … Joe Touch
- Re: [tcpm] feedcback on tcp-secure-05: suggested … Fernando Gont
- Re: [tcpm] feedcback on tcp-secure-05: suggested … Randall Stewart
- Re: [tcpm] feedcback on tcp-secure-05: suggested … Joe Touch
- Re: [tcpm] feedcback on tcp-secure-05 Fernando Gont
- Re: [tcpm] feedcback on tcp-secure-05: suggested … Fernando Gont
- Re: [tcpm] feedcback on tcp-secure-05: suggested … Ted Faber
- Re: [tcpm] feedcback on tcp-secure-05 Joe Touch
- Re: [tcpm] feedcback on tcp-secure-05: suggested … Joe Touch
- Re: [tcpm] feedcback on tcp-secure-05: suggested … Ted Faber
- [tcpm] ICMP attacks draft Fernando Gont
- Re: [tcpm] feedcback on tcp-secure-05: suggested … Fernando Gont
- Re: [tcpm] ICMP attacks draft Joe Touch
- Re: [tcpm] feedcback on tcp-secure-05: suggested … Ted Faber
- Re: [tcpm] feedcback on tcp-secure-05: suggested … Fernando Gont
- Re: [tcpm] feedcback on tcp-secure-05: suggested … Ted Faber
- Re: [tcpm] ICMP attacks draft Fernando Gont
- Re: [tcpm] ICMP attacks draft Joe Touch
- Re: [tcpm] ICMP attacks draft Fernando Gont
- Re: [tcpm] ICMP attacks draft Joe Touch