[tcpm] TCP-AO and ICMP attacks (was Re: comments on draft-ietf-tcpm-icmp-attacks-05)

Fernando Gont <fernando@gont.com.ar> Tue, 16 June 2009 12:59 UTC

Message-ID: <4A379700.3070808@gont.com.ar>
Date: Tue, 16 Jun 2009 09:58:40 -0300
From: Fernando Gont <fernando@gont.com.ar>
To: Joe Touch <touch@ISI.EDU>
References: <C304DB494AC0C04C87C6A6E2FF5603DB221796D53C@NDJSSCC01.ndc.nasa.gov> <4A30BED6.3050308@gont.com.ar> <4A32BD5F.5030503@isi.edu>
In-Reply-To: <4A32BD5F.5030503@isi.edu>
Cc: "tcpm@ietf.org" <tcpm@ietf.org>, Fernando Gont <fernando.gont@gmail.com>

Joe Touch wrote:

>>> 5) (general) Section 5.1, last paragraph, it
>>> seems like we should be mentioning TCP-AO as
>>> well here, though I don't think it changes any
>>> part of the claim.
>> Agreed. Maybe this is also an indication that TCP-AO *should* change
>> something in this respect!
> TCP-AO already addresses ICMP attacks in the security considerations
> section, and requires there to be a way to disable reaction to ICMPs.
> Like IPsec, though, we don't make a-priori assessments as to whether
> ICMPs should be blocked or not on connections on which TCP-AO (or IPsec)
> is used.

What's the point of enabling TCP-AO, if you are not going to disable (or
hard errors -> soft errors)?

I think that for the sake of the "principle of least surprise", ICMP
hard errors SHOULD NOT abort connections for which TCP-AO has been enabled.

What to do with "frag needed" might vary. Although one could argue that
you SHOULD implement PLPMTUD.

Fernando Gont
e-mail: fernando@gont.com.ar || fgont@acm.org
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
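An added example, not code from the thread or from any TCP-AO implementation: a small model of how an endpoint demultiplexes an ICMPv4 error to a connection and applies the policy argued above (hard errors degraded to soft errors on TCP-AO connections, "frag needed" deferred to PLPMTUD when it is in use). The `Conn` record, the `build_icmp_error` helper and the assumption that a PLPMTUD endpoint simply ignores "frag needed" are mine; the type and code numbers follow RFC 792/1122.

```python
import struct
from dataclasses import dataclass

ICMP_DEST_UNREACH = 3
HARD_CODES = {2, 3}          # protocol / port unreachable: "hard" errors per RFC 1122
FRAG_NEEDED = 4              # code used by classic PMTUD (RFC 1191)

@dataclass
class Conn:                  # hypothetical per-connection state
    tcp_ao: bool
    plpmtud: bool = False
    aborted: bool = False
    soft_errors: int = 0
    path_mtu: int = 1500

def parse_icmp_error(pkt: bytes):
    """Return (type, code, next-hop MTU, 4-tuple) from a raw ICMPv4 error whose
    payload is the offending IPv4 header plus the first 8 bytes of TCP header."""
    itype, code, _csum, _unused, mtu = struct.unpack("!BBHHH", pkt[:8])
    inner = pkt[8:]
    ihl = (inner[0] & 0x0F) * 4
    src, dst = inner[12:16], inner[16:20]
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return itype, code, mtu, (src, dst, sport, dport)

def react(conns: dict, pkt: bytes) -> str:
    """Apply the ICMP error to the matching connection and report the reaction."""
    itype, code, mtu, key = parse_icmp_error(pkt)
    conn = conns.get(key)
    if conn is None:
        return "no matching connection"     # embedded header must hit a live socket
    if itype == ICMP_DEST_UNREACH and code == FRAG_NEEDED:
        if conn.plpmtud:
            return "ignored: PLPMTUD probes the path"   # assumption, see lead-in
        conn.path_mtu = min(conn.path_mtu, mtu)
        return "path MTU updated"
    if itype == ICMP_DEST_UNREACH and code in HARD_CODES:
        if conn.tcp_ao:
            conn.soft_errors += 1            # hard error -> soft error on TCP-AO
            return "soft error (TCP-AO)"
        conn.aborted = True                  # legacy RFC 1122 reaction
        return "aborted"
    conn.soft_errors += 1                    # everything else is a soft error
    return "soft error"

def build_icmp_error(code: int, src: bytes, dst: bytes, sport: int, dport: int, mtu: int = 0) -> bytes:
    """Constructed test input: ICMPv4 Destination Unreachable (checksum left 0)
    carrying a minimal IPv4 header and the first 8 bytes of a TCP header."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, src, dst)
    tcp = struct.pack("!HHI", sport, dport, 1000)
    return struct.pack("!BBHHH", ICMP_DEST_UNREACH, code, 0, 0, mtu) + ip + tcp
```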