RE: [tcpm] feedcback on tcp-secure-05
"Anantha Ramaiah (ananth)" <ananth@cisco.com> Sat, 15 July 2006 22:59 UTC
From: "Anantha Ramaiah (ananth)" <ananth@cisco.com>
To: Fernando Gont <fernando@gont.com.ar>, Joe Touch <touch@ISI.EDU>, tcpm@ietf.org
Fernando,

> -----Original Message-----
> From: Fernando Gont [mailto:fernando@gont.com.ar]
> Sent: Saturday, July 15, 2006 11:43 AM
> To: Anantha Ramaiah (ananth); Joe Touch; tcpm@ietf.org
> Subject: RE: [tcpm] feedcback on tcp-secure-05
>
> At 15:04 13/07/2006, Anantha Ramaiah (ananth) wrote:
>
> > > The doc should also indicate that preventing these attacks does NOT
> > > prevent ICMP attacks (and cite Gont's draft in this regard); it
> > > would be useful for the security considerations to address whether
> > > ICMPs should be blocked altogether and what the impact of that would
> > > be. Without such blocking, it's not clear what the utility of this
> > > solution would be.
> >
> > Ok.
>
> I don't think tcpsecure should make any advice on what to do with ICMP.
>
> Just make it clear that the introduced mechanisms do not prevent
> ICMP-based attacks against TCP, and provide a pointer to
> draft-ietf-tcpm-icmp-attacks-00.txt .

I agree. Maybe we should just say something like: "The mitigations discussed in this document do not prevent ICMP attacks" and provide a citation to your document. One of the reasons why it was felt that the above isn't necessary is that tcpsecure refers to Joe's antispoof, which in turn refers to your document.

> If you are going to make any other statement on this issue, state that
> the ICMP-based attacks are easier to perform, and thus should be
> mitigated (if not, it's ICMP that is the "weakest link in the chain").
>
> You could also add that, fortunately, virtually every implementation
> has mitigated the ICMP attacks described in
> draft-ietf-tcpm-icmp-attacks-00.txt, by implementing most (if not all)
> the counter-measures described in that draft.

We really don't want to cause a bloat to the security considerations section. Also, the scope of the document is limited and it is better to stick to that.

-Anantha

> Kindest regards,
>
> --
> Fernando Gont
> e-mail: fernando@gont.com.ar || fgont@acm.org
> PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1