Re: [tcpm] TCP-AO and ICMP attacks (was Re: comments on draft-ietf-tcpm-icmp-attacks-05)

Joe Touch <touch@ISI.EDU> Wed, 17 June 2009 01:28 UTC

Return-Path: <touch@ISI.EDU>
Received: from localhost (localhost []) by (Postfix) with ESMTP id C4A353A6DC1 for <>; Tue, 16 Jun 2009 18:28:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 6hKh5DXLgwcu for <>; Tue, 16 Jun 2009 18:28:07 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 17D033A6B55 for <>; Tue, 16 Jun 2009 18:28:00 -0700 (PDT)
Received: from [] ([]) by (8.13.8/8.13.8) with ESMTP id n5H1RsVB022677; Tue, 16 Jun 2009 18:27:56 -0700 (PDT)
Message-ID: <>
Date: Tue, 16 Jun 2009 18:27:54 -0700
From: Joe Touch <touch@ISI.EDU>
User-Agent: Thunderbird (Windows/20090302)
MIME-Version: 1.0
To: Fernando Gont <>
References: <> <> <> <> <> <> <> <> <> <> <> <> <> <>
In-Reply-To: <>
X-Enigmail-Version: 0.95.7
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-ISI-4-43-8-MailScanner: Found to be clean
Cc: "" <>, Fernando Gont <>
Subject: Re: [tcpm] TCP-AO and ICMP attacks (was Re: comments on draft-ietf-tcpm-icmp-attacks-05)
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 17 Jun 2009 01:28:13 -0000

Hash: SHA1

Fernando Gont wrote:
> Joe,
>> I think we both agree that the text on ICMP handling should be moved out
>> of the security considerations section and put it its own section.
> Agreed.
>> You prefer defaults, and are recommending ICMP handling similar to that
>> in documents the WG has decided not to recommend for TCP not running AO.
> Yes. Note that virtually all real implementations already do this for
> connections that do not use TCP-AO. Nobody is going to change this for
> non-TCP-AO, or even less abort TCP-AO connections in response to ICMP
> error messages.

This document is standards track, and is not intended to validate the
behavior of those implementations. It also doesn't invalidate them.

Note that I am NOT saying that the default is "ICMPs pass" - I said
NOTHING about a default, just like IPsec says nothing.

>> I want to leave TCP-AO's handling of ICMPs the same as IPsec's - up to
>> the user.
> Just making my point clear: I think leaving unspecified what to do with
> ICMP errore messages would be a bad decision. It might end up with
> implementations honoring these error messages, which would mean that
> TCP-AO would be (by default) useless for protecting TCP against
> ICMP-based reset attacks.

TCP-AO does not have a default for connections without keys either.
IPsec does - they're blocked. If we're not having a default for new
connections, we shouldn't have a default for ICMP.

Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla -