Re: [tcpm] TCP-AO and ICMP attacks (was Re: comments on draft-ietf-tcpm-icmp-attacks-05)
Joe Touch <touch@ISI.EDU> Tue, 16 June 2009 18:29 UTC
Return-Path: <touch@ISI.EDU>
X-Original-To: tcpm@core3.amsl.com
Delivered-To: tcpm@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8AD0C3A6D7A for <tcpm@core3.amsl.com>; Tue, 16 Jun 2009 11:29:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id L9NIzwuyufX2 for <tcpm@core3.amsl.com>; Tue, 16 Jun 2009 11:29:55 -0700 (PDT)
Received: from vapor.isi.edu (vapor.isi.edu [128.9.64.64]) by core3.amsl.com (Postfix) with ESMTP id 75FFA3A6B73 for <tcpm@ietf.org>; Tue, 16 Jun 2009 11:29:55 -0700 (PDT)
Received: from [128.9.184.173] ([128.9.184.173]) by vapor.isi.edu (8.13.8/8.13.8) with ESMTP id n5GITepJ011825; Tue, 16 Jun 2009 11:29:41 -0700 (PDT)
Message-ID: <4A37E494.60904@isi.edu>
Date: Tue, 16 Jun 2009 11:29:40 -0700
From: Joe Touch <touch@ISI.EDU>
User-Agent: Thunderbird 2.0.0.21 (Windows/20090302)
MIME-Version: 1.0
To: Fernando Gont <fernando@gont.com.ar>
References: <C304DB494AC0C04C87C6A6E2FF5603DB221796D53C@NDJSSCC01.ndc.nasa.gov> <4A30BED6.3050308@gont.com.ar> <4A32BD5F.5030503@isi.edu> <4A379700.3070808@gont.com.ar> <4A37A551.60800@isi.edu> <4A37D6FC.4040005@gont.com.ar>
In-Reply-To: <4A37D6FC.4040005@gont.com.ar>
X-Enigmail-Version: 0.95.7
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
Cc: "tcpm@ietf.org" <tcpm@ietf.org>, Fernando Gont <fernando.gont@gmail.com>
Subject: Re: [tcpm] TCP-AO and ICMP attacks (was Re: comments on draft-ietf-tcpm-icmp-attacks-05)
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tcpm>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Jun 2009 18:29:56 -0000
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Fernando Gont wrote: > Joe Touch wrote: > >>> I think that for the sake of the "principle of least surprise", ICMP >>> hard errors SHOULD NOT abort connections for which TCP AO has been enabled. >> Please explain why you think that TCP-AO needs more strict advice in >> this regard than IPsec. > > Because TCP-AO is TCP-specific. IPsec is not. The term "TCP" is almost > not even mentioned in RFC 4301. So it wouldn't make sense for RFC 4301 > to get into the details of how a specific transport protocol (TCP) would > react to specific ICMP error messages. It does, though, in detail. > In the case of TCP-AO, it's TCP specific, and thus I believe it should > provide stricter advice wrt how TCP should react to ICMP error messages > when they are received for connections that employ TCP-AO. It's probably useful to split out the discussion of ICMP to a separate section. However, the advice therein seems like it should still not exceed what is in 4301 for the same reason for the same transport protocol - there are pros and cons of either leaving open or closing ICMP handling. This document is not a place where the difference between hard and soft ICMPs and TCP opening vs. established should be resolved, since it has not been resolved for TCP without authentication, and authentication does not apply to the ICMP messages. >>> What to do with "frag needed" might vary. Although one could argue that >>> you SHOULD implement PLPMTUD. >> --- >> >> We could add that TCP-AO, like IPsec (text copied from 4301): >> >> ...A compliant TCP-AO >> implementation MUST permit a local administrator to configure an >> IPsec implementation to accept or reject unauthenticated ICMP >> traffic. This control MUST be at the granularity of ICMP type and >> MAY be at the granularity of ICMP type and code. Additionally, an >> implementation SHOULD incorporate mechanisms and parameters for >> dealing with such traffic. For example, there could be the ability >> to establish a minimum PMTU for traffic (on a per destination basis), >> to prevent receipt of an unauthenticated ICMP from setting the PMTU >> to a trivial size. > > Makes sense to me. Although, again, I believe there should be (safe) > defaults for this. Defaults have generally been removed from the document for various reasons. >> We can add a discussion of PLPMTUD, but rfc4821 doesn't have any >> particular recommendations of implementation. We would need to be >> careful to not tie TCP-AO to PLPMTUD in a way that impedes TCP-AO >> deployment. > > I believe it could/should be suggested that PLPMTUD be implemented > without support for ICMP frag needed (i.e., ignore them). (FWIW, RFC4821 > leaves it open as to whether PMTUD should only be implemented for > dealing with ICMP blackholes, or as an ICMP-free version of PMTUD). There are a few possibilities: - use DF=0 - use DF=1 with PMTUD this requires ICMP frag-needed be passed which opens a vulnerability on that ICMP type however, the attack of additional frag-neededs could reduce efficiency but won't shut down TCP - use DF=1 with PLPMTUD this allows ICMP frag-needed to be dropped The security benefits of PLPMTUD are more significant when ICMPs are dropped more than when they are spoofed, but it can be noted. Joe -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAko341sACgkQE5f5cImnZruR3gCgvJVChK96Gf8moejptPAu4RP7 1CgAnipyWxdfj+pzb4MN7RSv7ON3HmIx =ynAC -----END PGP SIGNATURE-----
- [tcpm] comments on draft-ietf-tcpm-icmp-attacks-05 Eddy, Wesley M. (GRC-MS00)[Verizon]
- Re: [tcpm] comments on draft-ietf-tcpm-icmp-attac… Eddy, Wesley M. (GRC-MS00)[Verizon]
- Re: [tcpm] comments on draft-ietf-tcpm-icmp-attac… Eddy, Wesley M. (GRC-MS00)[Verizon]
- Re: [tcpm] comments on draft-ietf-tcpm-icmp-attac… Fernando Gont
- Re: [tcpm] comments on draft-ietf-tcpm-icmp-attac… Fernando Gont
- Re: [tcpm] comments on draft-ietf-tcpm-icmp-attac… Joe Touch
- Re: [tcpm] comments on draft-ietf-tcpm-icmp-attac… Joe Touch
- Re: [tcpm] comments on draft-ietf-tcpm-icmp-attac… Eddy, Wesley M. (GRC-MS00)[Verizon]
- Re: [tcpm] comments on draft-ietf-tcpm-icmp-attac… Fernando Gont
- Re: [tcpm] comments on draft-ietf-tcpm-icmp-attac… Florian Weimer
- Re: [tcpm] comments on draft-ietf-tcpm-icmp-attac… Florian Weimer
- Re: [tcpm] comments on draft-ietf-tcpm-icmp-attac… Joe Touch
- Re: [tcpm] comments on draft-ietf-tcpm-icmp-attac… Joe Touch
- Re: [tcpm] comments on draft-ietf-tcpm-icmp-attac… Fernando Gont
- Re: [tcpm] comments on draft-ietf-tcpm-icmp-attac… Fernando Gont
- Re: [tcpm] comments on draft-ietf-tcpm-icmp-attac… Fernando Gont
- Re: [tcpm] comments on draft-ietf-tcpm-icmp-attac… Joe Touch
- Re: [tcpm] comments on draft-ietf-tcpm-icmp-attac… Joe Touch
- Re: [tcpm] comments on draft-ietf-tcpm-icmp-attac… Fernando Gont
- [tcpm] TCP-AO and ICMP attacks (was Re: comments … Fernando Gont
- Re: [tcpm] TCP-AO and ICMP attacks (was Re: comme… Joe Touch
- Re: [tcpm] TCP-AO and ICMP attacks (was Re: comme… Fernando Gont
- Re: [tcpm] TCP-AO and ICMP attacks (was Re: comme… Joe Touch
- Re: [tcpm] TCP-AO and ICMP attacks (was Re: comme… Fernando Gont
- Re: [tcpm] TCP-AO and ICMP attacks (was Re: comme… Joe Touch
- Re: [tcpm] TCP-AO and ICMP attacks (was Re: comme… Fernando Gont
- Re: [tcpm] TCP-AO and ICMP attacks (was Re: comme… Joe Touch
- Re: [tcpm] TCP-AO and ICMP attacks (was Re: comme… Fernando Gont
- Re: [tcpm] TCP-AO and ICMP attacks (was Re: comme… Joe Touch
- Re: [tcpm] TCP-AO and ICMP attacks (was Re: comme… Fernando Gont
- Re: [tcpm] TCP-AO and ICMP attacks (was Re: comme… Joe Touch