RE: [tcpm] feedcback on tcp-secure-05

"Anantha Ramaiah \(ananth\)" <ananth@cisco.com> Sat, 15 July 2006 22:59 UTC

Subject: RE: [tcpm] feedcback on tcp-secure-05
Date: Sat, 15 Jul 2006 15:59:36 -0700
Message-ID: <0C53DCFB700D144284A584F54711EC5801D95F1A@xmb-sjc-21c.amer.cisco.com>
From: "Anantha Ramaiah (ananth)" <ananth@cisco.com>
To: Fernando Gont <fernando@gont.com.ar>, Joe Touch <touch@ISI.EDU>, tcpm@ietf.org
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>

Fernando, 

> -----Original Message-----
> From: Fernando Gont [mailto:fernando@gont.com.ar] 
> Sent: Saturday, July 15, 2006 11:43 AM
> To: Anantha Ramaiah (ananth); Joe Touch; tcpm@ietf.org
> Subject: RE: [tcpm] feedcback on tcp-secure-05
> 
> At 15:04 13/07/2006, Anantha Ramaiah \(ananth\) wrote:
> 
> > > The doc should also indicate that preventing these attacks does NOT
> > > prevent ICMP attacks (and cite Gont's draft in this regard); it
> > > would be useful for the security considerations to address whether
> > > ICMPs should be blocked altogether and what the impact of that would
> > > be. Without such blocking, it's not clear what the utility of this
> > > solution would be.
> >
> >Ok.
> 
> I don't think tcpsecure should make any advice on what to do 
> with ICMP.
> 
> Just make it clear that the introduced mechanisms do not 
> prevent ICMP-based attacks against TCP, and provide a pointer 
> to draft-ietf-tcpm-icmp-attacks-00.txt .

I agree.

Maybe we should just say something like: "The mitigations discussed in
this document do not prevent ICMP attacks" and provide a citation to
your document.

One of the reasons why it was felt that the above isn't necessary is
that tcpsecure refers to Joe's antispoof, which in turn refers to your
document.

> 
> If you are going to make any other statement on this issue, 
> state that the ICMP-based attacks are easier to perform, and 
> thus should be mitigated (if not, it's ICMP that is the 
> "weakest link in the chain").
> 
> You could also add that, fortunately, virtually every 
> implementation has mitigated the ICMP attacks described in 
> draft-ietf-tcpm-icmp-attacks-00.txt, by implementing most (if not
> all) the counter-measures described in that draft.

We really don't want to bloat the security considerations section.
Also, the scope of the document is limited and it is better to stick
to that.
 
-Anantha
> 
> Kindest regards,
> 
> 
> --
> Fernando Gont
> e-mail: fernando@gont.com.ar || fgont@acm.org PGP 
> Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1

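As an added example (not code from the tcpsecure draft, the ICMP attacks draft, or either correspondent), this shows the kind of counter-measure the thread says tcpsecure does not cover: a receiver of an ICMP error inspects the IP and TCP header quoted in the ICMP payload and accepts the error only if it matches an existing connection and the quoted sequence number lies inside that connection's send window. The connection state and packets are constructed for the demonstration; IPv6 and IPv4 options beyond honouring IHL are left out.

```python
import struct
from dataclasses import dataclass


# Constructed connection state: the fields of a TCB that the check needs.
# TCP sequence numbers are 32-bit and wrap, so compare them modulo 2**32.
@dataclass
class TcpConn:
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    snd_una: int   # oldest unacknowledged sequence number
    snd_nxt: int   # next sequence number this host will send


def seq_in_send_window(seq, snd_una, snd_nxt):
    """True when SND.UNA <= seq < SND.NXT in modulo-2**32 arithmetic."""
    return ((seq - snd_una) & 0xFFFFFFFF) < ((snd_nxt - snd_una) & 0xFFFFFFFF)


def icmp_error_is_acceptable(conn, icmp_payload):
    """Validate the IP header + first 8 TCP bytes quoted by an ICMP error.
    Returns (accepted, reason). An off-path sender who guesses the 4-tuple
    still has to guess a sequence number inside the send window."""
    if len(icmp_payload) < 20:
        return False, "truncated IP header"
    ihl = (icmp_payload[0] & 0x0F) * 4
    proto = icmp_payload[9]
    src = ".".join(str(b) for b in icmp_payload[12:16])
    dst = ".".join(str(b) for b in icmp_payload[16:20])
    if proto != 6:
        return False, "quoted packet is not TCP"
    tcp = icmp_payload[ihl:ihl + 8]
    if len(tcp) < 8:
        return False, "quoted TCP header shorter than 8 bytes"
    sport, dport, seq = struct.unpack("!HHI", tcp)
    # The quoted packet was sent BY this host, so it is matched outbound.
    if (src, sport, dst, dport) != (conn.local_ip, conn.local_port,
                                    conn.remote_ip, conn.remote_port):
        return False, "4-tuple does not match any connection"
    if not seq_in_send_window(seq, conn.snd_una, conn.snd_nxt):
        return False, "sequence number outside send window"
    return True, "ok"


def build_quoted_packet(src, dst, sport, dport, seq):
    """Constructed minimal IPv4 header followed by 8 bytes of TCP header."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))),
                     bytes(map(int, dst.split("."))))
    return ip + struct.pack("!HHI", sport, dport, seq)


# Constructed ESTABLISHED connection used by the checks below.
CONN = TcpConn("10.0.0.1", 40000, "10.0.0.2", 80, snd_una=1000, snd_nxt=1500)
```

Running `icmp_error_is_acceptable(CONN, build_quoted_packet("10.0.0.1", "10.0.0.2", 40000, 80, 1200))` accepts the error, while the same 4-tuple with a sequence number of 999999 is rejected as outside the send window.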
_______________________________________________
tcpm mailing list
tcpm@ietf.org
https://www1.ietf.org/mailman/listinfo/tcpm