Re: [tcpm] comments on draft-ietf-tcpm-icmp-attacks-05

Joe Touch <touch@ISI.EDU> Mon, 15 June 2009 02:48 UTC

Return-Path: <touch@ISI.EDU>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 008663A6C95 for <>; Sun, 14 Jun 2009 19:48:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.447
X-Spam-Status: No, score=-2.447 tagged_above=-999 required=5 tests=[AWL=0.152, BAYES_00=-2.599]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 1eEDnCmnVoRy for <>; Sun, 14 Jun 2009 19:48:13 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 2EE773A6C7D for <>; Sun, 14 Jun 2009 19:48:13 -0700 (PDT)
Received: from [] ( []) by (8.13.8/8.13.8) with ESMTP id n5F2lsYX008377; Sun, 14 Jun 2009 19:47:56 -0700 (PDT)
Message-ID: <>
Date: Sun, 14 Jun 2009 19:47:54 -0700
From: Joe Touch <touch@ISI.EDU>
User-Agent: Thunderbird (Windows/20090302)
MIME-Version: 1.0
To: Fernando Gont <>
References: <> <> <> <>
In-Reply-To: <>
X-Enigmail-Version: 0.95.7
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-ISI-4-43-8-MailScanner: Found to be clean
Cc: "" <>, Fernando Gont <>
Subject: Re: [tcpm] comments on draft-ietf-tcpm-icmp-attacks-05
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 15 Jun 2009 02:48:14 -0000

Hash: SHA1

Fernando Gont wrote:
> Joe Touch wrote:
>>>> 5) (general) Section 5.1, last paragraph, it
>>>> seems like we should be mentioning TCP-AO as
>>>> well here, though I don't think it changes any
>>>> part of the claim.
>>> Agreed. Maybe this is also an indication that TCP-AO *should* change
>>> something in this respect!
>> TCP-AO already addresses ICMP attacks in the security considerations
>> section, and requires there to be a way to disable reaction to ICMPs.
>> Like IPsec, though, we don't make a-priori assessments as to whether
>> ICMPs should be blocked or not on connections on which TCP-AO (or IPsec)
>> is used.
> IIRC, the motivation for the TCP MD5 option was to mitigate RST-based
> reset attacks. Does it make any sense to have the option and still even
> consider reacting to ICMP error messages?

See Sec 6.1.1 of RFC4301. There are legitimate uses for these messages,
and turning them off should be up to the user.

> Reaction to ICMP "frag needed" is probably a little more difficult to
> assess (for obvious reasons), but reaction to ICMP hard errors is, IMO,
> a no-brainer, and I believe should default to "SHOULD NOT abort
> connections".

IPsec does not make that leap, nor is there a good reason to do so here.
 Like IPsec, we require that this be configurable, but don't specify a

This is already noted in the Security Considerations section.

Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla -