Re: [tcpm] comments on draft-ietf-tcpm-icmp-attacks-05

[Joe Touch <touch@ISI.EDU>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



Fernando Gont wrote:
> Joe Touch wrote:
> 
>>>> 5) (general) Section 5.1, last paragraph, it
>>>> seems like we should be mentioning TCP-AO as
>>>> well here, though I don't think it changes any
>>>> part of the claim.
>>> Agreed. Maybe this is also an indication that TCP-AO *should* change
>>> something in this respect!
>> TCP-AO already addresses ICMP attacks in the security considerations
>> section, and requires there to be a way to disable reaction to ICMPs.
>> Like IPsec, though, we don't make a-priori assessments as to whether
>> ICMPs should be blocked or not on connections on which TCP-AO (or IPsec)
>> is used.
> 
> IIRC, the motivation for the TCP MD5 option was to mitigate RST-based
> reset attacks. Does it make any sense to have the option and still even
> consider reacting to ICMP error messages?

See Sec 6.1.1 of RFC4301. There are legitimate uses for these messages,
and turning them off should be up to the user.

> Reaction to ICMP "frag needed" is probably a little more difficult to
> assess (for obvious reasons), but reaction to ICMP hard errors is, IMO,
> a no-brainer, and I believe should default to "SHOULD NOT abort
> connections".

IPsec does not make that leap, nor is there a good reason to do so here.
 Like IPsec, we require that this be configurable, but don't specify a
default.

This is already noted in the Security Considerations section.

Joe
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAko1tloACgkQE5f5cImnZrtnMgCgxsiBCpZL+FIHL03poEL4kDmf
e1MAnRmEKtXCQj8b4CqIN32Vr/RrMeYH
=JePm
-----END PGP SIGNATURE-----