Re: [tcpm] TCPM and draft-ietf-tcpm-icmp-attacks
Joe Touch <touch@ISI.EDU> Fri, 19 February 2010 17:37 UTC
From: Joe Touch <touch@ISI.EDU>
To: Fernando Gont <fernando@gont.com.ar>
Cc: tcpm@ietf.org, iesg@ietf.org
Date: Fri, 19 Feb 2010 09:38:43 -0800
Message-ID: <4B7ECCA3.5000505@isi.edu>
In-Reply-To: <4B7DE6B7.4080209@gont.com.ar>
Subject: Re: [tcpm] TCPM and draft-ietf-tcpm-icmp-attacks
Fernando Gont wrote:
> Joe Touch wrote:
>>> This would seem to imply that the TCPM WG has decided to deviate from
>>> the old IETF operating principle of "rough consensus and running code".
>> The short answer is that there wasn't rough consensus for these changes
>> in the WG, as explained in the note in the text.
>
> I believe that the short answer is that *you* have done everything that
> was available to stop this document (and others) from moving forward.

The doc contains many items, some of which continue to be completely inappropriate and incorrect (checking TCP sequence numbers), where others are somewhat reasonable (port randomization). One problem is that we never agreed on exactly what to focus on recommending, as well as that TCP isn't the only protocol affected by ICMP issues.

Another problem is that some of the responses may be appropriate when under attack, but the overall tone of the document is that if a message is "unexpected" it is malicious. That's the antithesis of "be liberal in what you accept".

> It is interesting to note that one of the issues with which you have
> trashed this I-D is that it used vocabulary that could be taken as the
> draft "recommending" the described counter-measures. Yet, as the editor
> of the last version of the (close to infamous) TCP A-O effort, you have
> crafted this text:
>
> " There are other mechanisms proposed to reduce the impact
> of ICMP attacks by further validating ICMP contents and changing the
> effect of some messages based on TCP state"
>
> Note the use of the term "proposed". (that's specifically what I'm
> referring to).

Yes, please do note it. "proposed" doesn't mean recommended. The full text is:

   There are other mechanisms proposed to reduce the impact of ICMP attacks
   by further validating ICMP contents and changing the effect of some
   messages based on TCP state, but these do not provide the level of
   authentication for ICMP that TCP-AO provides for TCP [Go09].

It goes on to include SOME of the recommendations in this doc (but notably not others, even though widely deployed). Note that these latter changes were included because of *your* input *after* last call.

Joe
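The "checking TCP sequence numbers" validation the message argues about, written out as an added example (not code from the draft, the thread, or any TCP stack): an ICMP error carries the offending IP header plus the first 8 bytes of the TCP header, and the receiver accepts it only if the embedded 4-tuple belongs to a known connection and the embedded sequence number lies in the connection's unacknowledged send range [SND.UNA, SND.NXT). The `TcpConn` fields, sample addresses and constructed payloads are assumptions. This is a plausibility filter, not authentication: a legitimate ICMP error can still fail it (for example if it arrives after the data it refers to has been acknowledged), which is the "unexpected is not the same as malicious" caveat raised above.

```python
import struct
from dataclasses import dataclass


@dataclass
class TcpConn:
    # Hypothetical connection record: 4-tuple plus the send-side variables
    local_addr: str
    local_port: int
    remote_addr: str
    remote_port: int
    snd_una: int  # oldest unacknowledged sequence number
    snd_nxt: int  # next sequence number to be sent


def _seq_in_window(seq: int, una: int, nxt: int) -> bool:
    # True if una <= seq < nxt using modulo-2^32 sequence arithmetic.
    return (seq - una) % (1 << 32) < (nxt - una) % (1 << 32)


def icmp_error_matches(icmp_payload: bytes, conn: TcpConn) -> bool:
    """icmp_payload is the data field of an ICMPv4 error: the offending IPv4
    header followed by at least 8 bytes of its transport header.  Return True
    only if that embedded segment is one this connection could have sent."""
    if len(icmp_payload) < 20:
        return False
    ihl = (icmp_payload[0] & 0x0F) * 4
    if ihl < 20 or len(icmp_payload) < ihl + 8:
        return False
    if icmp_payload[9] != 6:  # embedded protocol must be TCP
        return False
    src = ".".join(str(b) for b in icmp_payload[12:16])
    dst = ".".join(str(b) for b in icmp_payload[16:20])
    sport, dport, seq = struct.unpack("!HHI", icmp_payload[ihl:ihl + 8])
    # The embedded segment was sent by us, so src/sport are our local side.
    if (src, sport, dst, dport) != (conn.local_addr, conn.local_port,
                                    conn.remote_addr, conn.remote_port):
        return False
    return _seq_in_window(seq, conn.snd_una, conn.snd_nxt)


def build_payload(src: str, dst: str, sport: int, dport: int, seq: int) -> bytes:
    # Constructed sample: minimal 20-byte IPv4 header + first 8 TCP bytes.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(int(x) for x in src.split(".")),
                     bytes(int(x) for x in dst.split(".")))
    return ip + struct.pack("!HHI", sport, dport, seq)


# Constructed connection: 500 bytes in flight, sequence 1000..1499.
CONN = TcpConn("192.0.2.10", 40001, "198.51.100.5", 80, snd_una=1000, snd_nxt=1500)
```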