RE: [tcpm] feedcback on tcp-secure-05

Fernando Gont <fernando@gont.com.ar> Sat, 15 July 2006 21:05 UTC

Date: Sat, 15 Jul 2006 15:42:45 -0300
To: "Anantha Ramaiah (ananth)" <ananth@cisco.com>, Joe Touch <touch@ISI.EDU>, tcpm@ietf.org
From: Fernando Gont <fernando@gont.com.ar>
Subject: RE: [tcpm] feedcback on tcp-secure-05

At 15:04 13/07/2006, Anantha Ramaiah (ananth) wrote:

> > The doc should also indicate that preventing these attacks
> > does NOT prevent ICMP attacks (and cite Gont's draft in this
> > regard); it would be useful for the security considerations
> > to address whether ICMPs should be blocked altogether and
> > what the impact of that would be. Without such blocking, it's
> > not clear what the utility of this solution would be.
>
>Ok.

I don't think tcpsecure should give any advice on what to do with ICMP.

Just make it clear that the introduced mechanisms do not prevent 
ICMP-based attacks against TCP, and provide a pointer to 
draft-ietf-tcpm-icmp-attacks-00.txt.

If you are going to make any other statement on this issue, state 
that the ICMP-based attacks are easier to perform, and thus should be 
mitigated (if not, it's ICMP that is the "weakest link in the chain").

You could also add that, fortunately, virtually every implementation 
has mitigated the ICMP attacks described in 
draft-ietf-tcpm-icmp-attacks-00.txt, by implementing most (if not 
all) of the counter-measures described in that draft.

Kindest regards,


--
Fernando Gont
e-mail: fernando@gont.com.ar || fgont@acm.org
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
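For readers of the archive: the message above refers to the counter-measures in draft-ietf-tcpm-icmp-attacks-00.txt without spelling them out. The following is an added illustration (not code from the author or from any TCP implementation) of two of them as this editor understands the draft: checking that the TCP sequence number embedded in an ICMP error falls inside the connection's send window (SND.UNA <= seq < SND.NXT) before acting on it, and treating "hard" errors as soft errors once a connection is ESTABLISHED. The connection table layout, the `TcpConn` class and the packet builder are constructed for the example.

```python
import struct
from dataclasses import dataclass

@dataclass
class TcpConn:
    """Minimal per-connection state (constructed for this example)."""
    state: str      # "SYN-SENT" or "ESTABLISHED"
    snd_una: int    # oldest unacknowledged sequence number
    snd_nxt: int    # next sequence number to be sent

def seq_in_window(seq, una, nxt):
    """True if SND.UNA <= seq < SND.NXT, honouring 32-bit wraparound."""
    return ((seq - una) & 0xFFFFFFFF) < ((nxt - una) & 0xFFFFFFFF)

def make_icmp_error(icmp_type, icmp_code, src, dst, sport, dport, seq):
    """Constructed ICMP error: 8-byte ICMP header, then the 'offending'
    IPv4 header (no options) and the first 8 bytes of its TCP header."""
    icmp = struct.pack("!BBHI", icmp_type, icmp_code, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))),
                     bytes(map(int, dst.split("."))))
    return icmp + ip + struct.pack("!HHI", sport, dport, seq)

def handle_icmp_error(conns, payload):
    """Validate an incoming ICMP error against the connection table
    (keyed by local ip, local port, remote ip, remote port).
    Returns 'drop', 'soft' (record only) or 'abort'."""
    icmp_type, icmp_code = payload[0], payload[1]
    ip = payload[8:]                           # embedded offending datagram
    ihl = (ip[0] & 0x0F) * 4
    if len(ip) < ihl + 8 or ip[9] != 6:        # need TCP sport, dport and seq
        return "drop"
    src = ".".join(str(b) for b in ip[12:16])  # our own address
    dst = ".".join(str(b) for b in ip[16:20])  # the peer
    sport, dport, seq = struct.unpack("!HHI", ip[ihl:ihl + 8])
    conn = conns.get((src, sport, dst, dport))
    if conn is None:
        return "drop"                          # no matching connection
    if not seq_in_window(seq, conn.snd_una, conn.snd_nxt):
        return "drop"                          # seq outside the send window
    hard = icmp_type == 3 and icmp_code in (2, 3)   # protocol / port unreachable
    if hard and conn.state == "SYN-SENT":
        return "abort"                         # hard error during handshake
    return "soft"                              # ESTABLISHED: hard treated as soft
```

An off-path sender that does not know the connection's current send window sees its forged error discarded at the sequence-number check, which is why the draft describes the check as raising the bar to roughly that of a forged TCP segment.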