Re: [tcpm] TCP-AO and ICMP attacks (was Re: comments on draft-ietf-tcpm-icmp-attacks-05)

Joe Touch <touch@ISI.EDU> Wed, 17 June 2009 01:28 UTC

Return-Path: <touch@ISI.EDU>
X-Original-To: tcpm@core3.amsl.com
Delivered-To: tcpm@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C4A353A6DC1 for <tcpm@core3.amsl.com>; Tue, 16 Jun 2009 18:28:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6hKh5DXLgwcu for <tcpm@core3.amsl.com>; Tue, 16 Jun 2009 18:28:07 -0700 (PDT)
Received: from vapor.isi.edu (vapor.isi.edu [128.9.64.64]) by core3.amsl.com (Postfix) with ESMTP id 17D033A6B55 for <tcpm@ietf.org>; Tue, 16 Jun 2009 18:28:00 -0700 (PDT)
Received: from [128.9.184.173] ([128.9.184.173]) by vapor.isi.edu (8.13.8/8.13.8) with ESMTP id n5H1RsVB022677; Tue, 16 Jun 2009 18:27:56 -0700 (PDT)
Message-ID: <4A38469A.2070102@isi.edu>
Date: Tue, 16 Jun 2009 18:27:54 -0700
From: Joe Touch <touch@ISI.EDU>
User-Agent: Thunderbird 2.0.0.21 (Windows/20090302)
MIME-Version: 1.0
To: Fernando Gont <fernando@gont.com.ar>
References: <C304DB494AC0C04C87C6A6E2FF5603DB221796D53C@NDJSSCC01.ndc.nasa.gov> <4A30BED6.3050308@gont.com.ar> <4A32BD5F.5030503@isi.edu> <4A379700.3070808@gont.com.ar> <4A37A551.60800@isi.edu> <4A37D6FC.4040005@gont.com.ar> <4A37E494.60904@isi.edu> <4A37EDEC.1030908@gont.com.ar> <4A38078F.2040703@isi.edu> <4A38191D.4010604@gont.com.ar> <4A382448.7080705@isi.edu> <4A382A08.1020302@gont.com.ar> <4A383539.3080403@isi.edu> <4A383D44.4050103@gont.com.ar>
In-Reply-To: <4A383D44.4050103@gont.com.ar>
X-Enigmail-Version: 0.95.7
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
Cc: "tcpm@ietf.org" <tcpm@ietf.org>, Fernando Gont <fernando.gont@gmail.com>
Subject: Re: [tcpm] TCP-AO and ICMP attacks (was Re: comments on draft-ietf-tcpm-icmp-attacks-05)
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tcpm>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Jun 2009 01:28:13 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



Fernando Gont wrote:
> Joe,
> 
>> I think we both agree that the text on ICMP handling should be moved out
>> of the security considerations section and put it its own section.
> 
> Agreed.
> 
> 
>> You prefer defaults, and are recommending ICMP handling similar to that
>> in documents the WG has decided not to recommend for TCP not running AO.
> 
> Yes. Note that virtually all real implementations already do this for
> connections that do not use TCP-AO. Nobody is going to change this for
> non-TCP-AO, or even less abort TCP-AO connections in response to ICMP
> error messages.

This document is standards track, and is not intended to validate the
behavior of those implementations. It also doesn't invalidate them.

Note that I am NOT saying that the default is "ICMPs pass" - I said
NOTHING about a default, just like IPsec says nothing.

>> I want to leave TCP-AO's handling of ICMPs the same as IPsec's - up to
>> the user.
> 
> Just making my point clear: I think leaving unspecified what to do with
> ICMP errore messages would be a bad decision. It might end up with
> implementations honoring these error messages, which would mean that
> TCP-AO would be (by default) useless for protecting TCP against
> ICMP-based reset attacks.

TCP-AO does not have a default for connections without keys either.
IPsec does - they're blocked. If we're not having a default for new
connections, we shouldn't have a default for ICMP.

Joe
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAko4RpoACgkQE5f5cImnZrvAUgCfVtwiAvkuJ300eu7bc3XY6MJg
+8MAniF7ffrDTRa8TyLVb/k3lzX0caET
=B8Em
-----END PGP SIGNATURE-----