IETF Logo Mail Archive

Re: [tcpm] ICMP attacks draft (issue 1): hard errors -> soft errors (in synchronized states)

Fernando Gont <fernando@gont.com.ar> Thu, 29 September 2005 15:34 UTC

Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EL0QH-0003A3-Un; Thu, 29 Sep 2005 11:34:13 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EL0QG-00039y-Do for tcpm@megatron.ietf.org; Thu, 29 Sep 2005 11:34:12 -0400
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA18929 for <tcpm@ietf.org>; Thu, 29 Sep 2005 11:34:09 -0400 (EDT)
Received: from server.frh.utn.edu.ar ([170.210.17.146] ident=qmailr) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1EL0Xu-0005Og-60 for tcpm@ietf.org; Thu, 29 Sep 2005 11:42:09 -0400
Received: (qmail 13931 invoked from network); 29 Sep 2005 15:33:16 -0000
Received: from 200-70-144-11.mrse.com.ar (HELO fgont.gont.com.ar) (gont-fernando@200.70.144.11) by server.frh.utn.edu.ar with SMTP; 29 Sep 2005 15:33:16 -0000
Message-Id: <6.2.0.14.0.20050929120406.03d79008@pop.frh.utn.edu.ar>
X-Mailer: QUALCOMM Windows Eudora Version 6.2.0.14
Date: Thu, 29 Sep 2005 12:15:26 -0300
To: Joe Touch <touch@ISI.EDU>
From: Fernando Gont <fernando@gont.com.ar>
Subject: Re: [tcpm] ICMP attacks draft (issue 1): hard errors -> soft errors (in synchronized states)
In-Reply-To: <433BDFB8.4090407@isi.edu>
References: <6.2.0.14.0.20050923075214.0428faa8@pop.frh.utn.edu.ar> <433411E2.3020005@isi.edu> <6.2.0.14.0.20050923125332.04320008@pop.frh.utn.edu.ar> <4334345F.2060301@isi.edu> <6.2.0.14.0.20050927013116.03fedc70@pop.frh.utn.edu.ar> <4339AB09.70501@isi.edu> <6.2.0.14.0.20050928034642.08012bf0@pop.frh.utn.edu.ar> <433BDFB8.4090407@isi.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 825e642946eda55cd9bc654a36dab8c2
Cc: tcpm@ietf.org
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
Sender: tcpm-bounces@ietf.org
Errors-To: tcpm-bounces@ietf.org

At 09:36 a.m. 29/09/2005, Joe Touch wrote:

> >> You're application of the existing principle is based on your inference
> >> that everything you don't expect MUST be an attack, or at least MUST be
> >> treated as such.
> >
> > No. I'm just saying that one needs to be more cautious when processing
> > ICMP messages.
> > The ICMP messages could be part of an attack, or could be stale. In any
> > of these two cases, honoring them would be ill advice.
>
>That's true. The question is when/whether you can determine either. If
>you can't, then NOT honoring them is ill advice. The principle of 'be
>generous in what you receive' means it's more useful in general to
>assume the best, not the worst, of things you don't have other
>indications about.

It's not useful to open the door to attack. For instance, we are also 
working on spoofing attacks. If you want to be generous, then take all 
spoofed packets as legitimate.



> > The same policies that protect you from attack also protect you from
> > stale error messages.
> >
> >> IMO, 'be liberal in what you receive' (Postel's rationale) warrants that
> >> IF there is a legitimate or benign reason that the same packet could
> >> have arrived, then it MUST NOT be treated as an attack.
> >
> > I disagree. That's just an interpretation. I take it as "even something
> > you don't expect should not break your system" i.e. "you should be albe
> > to deal with unexpected packets nicely".
>
>Yeah - and these could be unexpected, but legitimate. So you interpret
>them as attacks and ignore them?

I don't necessarily take them as attack. And I disagree with your 
interpretation of the robustness principle, in 2005 (and up) it's fair to 
assume the environmnent is hostile. That's why there's a mandatory 
"Security Considerations" section in today's documents.



> >> I don't understand why the message indicates it's a soft error; it's
> >> clear that some of these messages are hard errors and intended as such
> >> (e.g., the case where TCPv4 disappears).
> >
> > Yes, *some*, and in *certain* circumstances/scenarios. The more
> > conservative way to go is to not break connections.
>
>Or break connections that are in the process of being established
>either. So which ID do you want to withdraw, this or the TCP soft-errors
>one? ;-)

The soft errors one is not for the Standards track, anymore.

And, as I said before, assuming that the same mechanism always implies the 
same policy is short-sighted.



>And conservative in this forum also includes "don't change the spec
>unless absolutely necessary". Near as I can tell, this is motivated
>solely by security, which it does not provide.

That's "rehashing the past", rather than "being conservative".



> >> > Anyway, again: the draft describes possible attacks, and possible ways
> >> > to address them. No need to "infer": Implement this if it's one of the
> >> > described attacks that is taking place, it will protect you. If it's
> >> > not, it won't hurt you.
> >>
> >> It will protect you from the firemen too (e.g., ICMPs for TCPv4 that
> >> disappears, as one example). Which DOES hurt you.
> >
> > I does not hurt. Remember: ICMP is unreliable. The ICMP error message
> > may be corrupted, may be subject to rate limitation, etc.
> > And again, processing of protocol unreachables is a SHOULD, not a MUST.
>
>And this changes it to a MUST NOT. Which I disagree with.

The app can still shoot itself, as my draft does not say the hard errors 
should not be signaled to the user application.



> > If you really think my proposal hurts, you should submit a proposal
> > entitled "Tunnelling ICMP over TCP", or the like.
>
>You've repeatedly suggested that if I don't like your drafts, I should
>write alternative drafts. Here's my perspective on this:

No, what I'm meaning is that if you think that treating hard errors as soft 
errors is ill-adviced, you should also arge that running ICMP over IP is 
ill-adviced.



>         not all IDs *SHOULD* go to RFC
>
>Sometimes the solution is to not write anything, and leave things as-is.

Me, a number of people here, the industry, and the IAB seem to have a 
different view on this draft. I respect yours, anyway.


--
Fernando Gont
e-mail: fernando@gont.com.ar || fgont@acm.org






_______________________________________________
tcpm mailing list
tcpm@ietf.org
https://www1.ietf.org/mailman/listinfo/tcpm

v2.23.0 | Report a Bug | By Email