IETF Logo Mail Archive

RE: [tcpm] feedcback on tcp-secure-05

"Anantha Ramaiah \(ananth\)" <ananth@cisco.com> Tue, 18 July 2006 02:34 UTC

Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1G2fPq-00035b-9W; Mon, 17 Jul 2006 22:34:30 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1G2fPo-00033K-5B for tcpm@ietf.org; Mon, 17 Jul 2006 22:34:28 -0400
Received: from sj-iport-2-in.cisco.com ([171.71.176.71] helo=sj-iport-2.cisco.com) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1G2fOJ-0007ww-73 for tcpm@ietf.org; Mon, 17 Jul 2006 22:32:56 -0400
Received: from sj-dkim-1.cisco.com ([171.71.179.21]) by sj-iport-2.cisco.com with ESMTP; 17 Jul 2006 19:32:55 -0700
X-IronPort-AV: i="4.06,253,1149490800"; d="scan'208"; a="329604396:sNHT28665994"
Received: from sj-core-1.cisco.com (sj-core-1.cisco.com [171.71.177.237]) by sj-dkim-1.cisco.com (8.12.11.20060308/8.12.11) with ESMTP id k6I2WsH4001386; Mon, 17 Jul 2006 19:32:54 -0700
Received: from xbh-sjc-211.amer.cisco.com (xbh-sjc-211.cisco.com [171.70.151.144]) by sj-core-1.cisco.com (8.12.10/8.12.6) with ESMTP id k6I2WrJi006992; Mon, 17 Jul 2006 19:32:53 -0700 (PDT)
Received: from xmb-sjc-21c.amer.cisco.com ([171.70.151.176]) by xbh-sjc-211.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Mon, 17 Jul 2006 19:32:53 -0700
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Subject: RE: [tcpm] feedcback on tcp-secure-05
Date: Mon, 17 Jul 2006 19:32:52 -0700
Message-ID: <0C53DCFB700D144284A584F54711EC5801DF8827@xmb-sjc-21c.amer.cisco.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [tcpm] feedcback on tcp-secure-05
Thread-Index: AcaprbZOVXuVb08gR4qFs6D1JlymzQAYC+VQ
From: "Anantha Ramaiah (ananth)" <ananth@cisco.com>
To: Joe Touch <touch@ISI.EDU>
X-OriginalArrivalTime: 18 Jul 2006 02:32:53.0725 (UTC) FILETIME=[78AB18D0:01C6AA12]
DKIM-Signature: a=rsa-sha1; q=dns; l=4338; t=1153189974; x=1154053974; c=relaxed/simple; s=sjdkim1002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=ananth@cisco.com; z=From:=22Anantha=20Ramaiah=20\(ananth\)=22=20<ananth@cisco.com> |Subject:RE=3A=20[tcpm]=20feedcback=20on=20tcp-secure-05; X=v=3Dcisco.com=3B=20h=3DCeksYhPTKiajql2H6p2yZiTQwso=3D; b=ekJ0O1t7kZMGYIKffrvL07f/X4/G7veE4HDe7F3s251uGeCBAEBD5huOazDxiRrFRMJHgeBV 91iHHf4e+z3q+FfiN3/J3EWQUN+m03G8LEzBzRimA8Q4dhCn/2PUBRe5;
Authentication-Results: sj-dkim-1.cisco.com; header.From=ananth@cisco.com; dkim=pass ( sig from cisco.com verified; );
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 36c793b20164cfe75332aa66ddb21196
Cc: tcpm@ietf.org, Fernando Gont <fernando@gont.com.ar>
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
Errors-To: tcpm-bounces@ietf.org

 

> -----Original Message-----
> From: Joe Touch [mailto:touch@ISI.EDU] 
> Sent: Monday, July 17, 2006 7:31 AM
> To: Anantha Ramaiah (ananth)
> Cc: Fernando Gont; tcpm@ietf.org
> Subject: Re: [tcpm] feedcback on tcp-secure-05
> 
> 
> 
> Anantha Ramaiah (ananth) wrote:
> ..
> > Another point to note is that TCP SHOULD act (not a MUST) on ICMP 
> > reported hard errors. Also in some cases like "port 
> unreachable" can 
> > be ignored since TCP uses the RST for the purpose of port 
> unreachability.
> > This is as per RFC 1122. 
> 
> 1122 actually states exactly the opposite:
> 
>             A transport protocol
>             that has its own mechanism for notifying the sender that a
>             port is unreachable (e.g., TCP, which sends RST segments)
>             MUST nevertheless accept an ICMP Port Unreachable for the
>             same purpose.

Yep, I stand corrected but one of main points above was to point out the
SHOULD language (which makes sense) instead of MUST.

> 
> > - Some applications would chose to ignore the so called hard errors 
> > for a TCP connection. In other words the behaviour can be 
> controlled 
> > by a CLI and the default would be to ignore this hard 
> errors. So the 
> > connection reset wouldn't happen.
> 
> The default SHOULD be to act on hard errors unless overridden 
> by the application; to do otherwise would be to redefine 1122 
> in this regard.

Going neutral here, since the systems which I have worked do ignore them
by default and it isn't an RFC voilation.

As per RFC 2119 :

"3. SHOULD   This word, or the adjective "RECOMMENDED", mean that there
   may exist valid reasons in particular circumstances to ignore a
   particular item, but the full implications must be understood and
   carefully weighed before choosing a different course."

Most of the applications would like to have a say in the treatment of
ICMP errors by requesting the errors to be passed to it and then
determine the course of action to take. For the ICMP hard errors
described, the action generally doesn't result in connection closure and
also some applications don't even register for some of the hard errors
and also expect TCP not to close the connection instead silently ignore
them
Actually application or TCP level keepalives or retransmission timeouts
act as a catalyst for the connection closure generally and not ICMP
errors. But YMMV and I do not intend to argue on this point. Just
stating my experience.

> 
> ...
> > I guess my point is ICMP attacks may be a weakest link, but 
> wouldn't 
> > cause connection resets with proper installed workarounds in place. 
> > Yes, I mean without voilating the current RFC's.
> 
> Those workarounds MUST be in place, or they ARE the weakest 
> link. That's the point that this document must discuss at least.

I don't think that tcpsecure document should discuss these workarounds
or advise anything of that sort. It is always good to keep the scope of
the document right and tight.

> 
> > Also with or without ICMP mitigations in place, one could 
> still cause 
> > a TCP connection to RESET, if the mitigations described in 
> tcp-secure 
> > isn't present.
> 
> Without ICMP protection, why bother with a RST when the ICMP 
> is _easier_ to generate?

Easier to generate but workarounds can be planted if necessary like I
have described in earlier emails. On the other hand there aren't any
known "generic workarounds" available for the issues described in
tcp-secure. I say generic workarounds since MD5 is used only by a
handful of applications like BGP, LDP and is a costly workaround and 

Anyways just to summarize :

The tcp-secure document, can, at the most state something informative
like "ICMP attacks aren't covered in this document blah blah..." and
provide a pointer to the icmp draft if needed.

To suggest about blocking ICMP etc., calls for stretching too far the
scope of the doc and also it introduces obvious incompleteness. What if
somebody wants to provide some pointer and suggest some
blocking/mitigation mechanisms for something else..? I see no end to
this that way..

Agree/dis-agree ?

:)
-Anantha
> 
> Joe
> 
> 

_______________________________________________
tcpm mailing list
tcpm@ietf.org
https://www1.ietf.org/mailman/listinfo/tcpm

v2.23.0 | Report a Bug | By Email