Re: [tcpm] feedcback on tcp-secure-05
Joe Touch <touch@ISI.EDU> Tue, 18 July 2006 13:42 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1G2ppy-0002gm-7U; Tue, 18 Jul 2006 09:42:10 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1G2ppw-0002dE-8r for tcpm@ietf.org; Tue, 18 Jul 2006 09:42:08 -0400
Received: from vapor.isi.edu ([128.9.64.64]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1G2ppu-0001We-Sm for tcpm@ietf.org; Tue, 18 Jul 2006 09:42:08 -0400
Received: from [192.168.1.42] (pool-71-106-102-77.lsanca.dsl-w.verizon.net [71.106.102.77]) by vapor.isi.edu (8.11.6p2+0917/8.11.2) with ESMTP id k6IDfMH09780; Tue, 18 Jul 2006 06:41:22 -0700 (PDT)
Message-ID: <44BCE4FA.1050602@isi.edu>
Date: Tue, 18 Jul 2006 06:41:14 -0700
From: Joe Touch <touch@ISI.EDU>
User-Agent: Thunderbird 1.5.0.4 (Windows/20060516)
MIME-Version: 1.0
To: Fernando Gont <fernando@gont.com.ar>
Subject: Re: [tcpm] feedcback on tcp-secure-05
References: <0C53DCFB700D144284A584F54711EC5801D9592B@xmb-sjc-21c.amer.cisco.com> <7.0.1.0.0.20060715153423.08601b58@gont.com.ar> <44BB1882.6030904@isi.edu> <7.0.1.0.0.20060717052818.064b28b8@gont.com.ar>
In-Reply-To: <7.0.1.0.0.20060717052818.064b28b8@gont.com.ar>
X-Enigmail-Version: 0.94.0.0
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
X-Spam-Score: 0.0 (/)
X-Scan-Signature: bdc523f9a54890b8a30dd6fd53d5d024
Cc: tcpm@ietf.org, "Anantha Ramaiah (ananth)" <ananth@cisco.com>
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============0861619968=="
Errors-To: tcpm-bounces@ietf.org
Fernando Gont wrote: > At 01:56 17/07/2006, Joe Touch wrote: > >> > You could also add that, fortunately, virtually every implementation >> has >> > mitigated the ICMP attacks described in >> > draft-ietf-tcpm-icmp-attacks-00.txt, by implementing most (if not all) >> > the counter-measures described in that draft. >> >> That last point doesn't obviate the issue that ICMP packets - even >> validated by the mitigations in the draft above - are still easier to >> spoof and can be spoofed by third parties than any of the attacks in >> tcp-secure. > > The counter-measures in the ICMP attacks draft eliminate the ICMP-based > connection reset, eliminate the Source Quench attack, and require the > attacker to be a Man In the Middle (*) for him to successfully perform > an attack against the PMTUD mechanism. The countermeasures there also violate the specific text in RFC1122, *without* noting (as per my other email) the "particular circumstances". Instead, it makes the general recommendation to change hard to soft errors. I've repeatedly said that the text below directly negates the requirement in RFC1122. That NEEDS to be directly highlighted in your doc (the text that says that 1122 allows this is incorrect): "For security reasons, it would be fair to treat ICMP port unreachable messages as soft errors (or completely ignore them) when they are meant for protocols that have their own mechanism for reporting this error condition." Again, I'm not going to debate this further either. I'll be glad to remind the ADs during review; if they agree, fine. > It is clear that with the ICMP counter-measures in place, TCP-based > attacks are "the weakest link in the change". You don't need to "drop > them all". Even as soft errors, such ICMP errors could be interpreted by the application as indicating a legitimate error that causes the connection to be dropped, even though the only reason is attack. However, perhaps I'm speaking more of what the ICMP draft should be corrected to be, rather than what it is ;-) Short of changing RFC1122, you're stuck regarding hard errors and resets, due (notably) to the DIRECT LANGUAGE in 1122 that equates the two. Joe
_______________________________________________ tcpm mailing list tcpm@ietf.org https://www1.ietf.org/mailman/listinfo/tcpm
- [tcpm] feedcback on tcp-secure-05 Joe Touch
- Re: [tcpm] feedcback on tcp-secure-05 Pekka Savola
- Re: [tcpm] feedcback on tcp-secure-05 Joe Touch
- Re: [tcpm] feedcback on tcp-secure-05 Pekka Savola
- Re: [tcpm] feedcback on tcp-secure-05 Randall Stewart
- Re: [tcpm] feedcback on tcp-secure-05 Joe Touch
- Re: [tcpm] feedcback on tcp-secure-05 Joe Touch
- Re: [tcpm] feedcback on tcp-secure-05 Joe Touch
- Re: [tcpm] feedcback on tcp-secure-05 Randall Stewart
- Re: [tcpm] feedcback on tcp-secure-05 Joe Touch
- Re: [tcpm] feedcback on tcp-secure-05 Fernando Gont
- RE: [tcpm] feedcback on tcp-secure-05 Fernando Gont
- RE: [tcpm] feedcback on tcp-secure-05 Anantha Ramaiah (ananth)
- Re: [tcpm] feedcback on tcp-secure-05 Joe Touch
- Re: [tcpm] feedcback on tcp-secure-05 Joe Touch
- RE: [tcpm] feedcback on tcp-secure-05 Anantha Ramaiah (ananth)
- Re: [tcpm] feedcback on tcp-secure-05 Joe Touch
- Re: [tcpm] feedcback on tcp-secure-05 Ted Faber
- RE: [tcpm] feedcback on tcp-secure-05 Anantha Ramaiah (ananth)
- Re: [tcpm] feedcback on tcp-secure-05 Fernando Gont
- RE: [tcpm] feedcback on tcp-secure-05 Mitesh Dalal (mdalal)
- Re: [tcpm] feedcback on tcp-secure-05 Joe Touch
- Re: [tcpm] feedcback on tcp-secure-05 Joe Touch
- RE: [tcpm] feedcback on tcp-secure-05 Anantha Ramaiah (ananth)
- Re: [tcpm] feedcback on tcp-secure-05: suggested … Ted Faber
- Re: [tcpm] feedcback on tcp-secure-05: suggested … Pekka Savola
- Re: [tcpm] feedcback on tcp-secure-05: suggested … Joe Touch
- Re: [tcpm] feedcback on tcp-secure-05: suggested … Fernando Gont
- Re: [tcpm] feedcback on tcp-secure-05: suggested … Randall Stewart
- Re: [tcpm] feedcback on tcp-secure-05: suggested … Joe Touch
- Re: [tcpm] feedcback on tcp-secure-05 Fernando Gont
- Re: [tcpm] feedcback on tcp-secure-05: suggested … Fernando Gont
- Re: [tcpm] feedcback on tcp-secure-05: suggested … Ted Faber
- Re: [tcpm] feedcback on tcp-secure-05 Joe Touch
- Re: [tcpm] feedcback on tcp-secure-05: suggested … Joe Touch
- Re: [tcpm] feedcback on tcp-secure-05: suggested … Ted Faber
- [tcpm] ICMP attacks draft Fernando Gont
- Re: [tcpm] feedcback on tcp-secure-05: suggested … Fernando Gont
- Re: [tcpm] ICMP attacks draft Joe Touch
- Re: [tcpm] feedcback on tcp-secure-05: suggested … Ted Faber
- Re: [tcpm] feedcback on tcp-secure-05: suggested … Fernando Gont
- Re: [tcpm] feedcback on tcp-secure-05: suggested … Ted Faber
- Re: [tcpm] ICMP attacks draft Fernando Gont
- Re: [tcpm] ICMP attacks draft Joe Touch
- Re: [tcpm] ICMP attacks draft Fernando Gont
- Re: [tcpm] ICMP attacks draft Joe Touch