IETF Logo Mail Archive

Re: [tcpm] feedcback on tcp-secure-05

Pekka Savola <pekkas@netcore.fi> Thu, 13 July 2006 17:44 UTC

Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1G15Ec-000071-Pw; Thu, 13 Jul 2006 13:44:22 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1G15Eb-00006w-Dl for tcpm@ietf.org; Thu, 13 Jul 2006 13:44:21 -0400
Received: from eunet-gw.ipv6.netcore.fi ([2001:670:86:3001::1] helo=netcore.fi) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1G15Ea-00014J-T4 for tcpm@ietf.org; Thu, 13 Jul 2006 13:44:21 -0400
Received: from localhost (pekkas@localhost) by netcore.fi (8.12.11.20060614/8.12.11) with ESMTP id k6DHiHpK008965 for <tcpm@ietf.org>; Thu, 13 Jul 2006 20:44:17 +0300
Date: Thu, 13 Jul 2006 20:44:17 +0300
From: Pekka Savola <pekkas@netcore.fi>
To: tcpm@ietf.org
Subject: Re: [tcpm] feedcback on tcp-secure-05
In-Reply-To: <44B682AB.9010702@isi.edu>
Message-ID: <Pine.LNX.4.64.0607132034230.8689@netcore.fi>
References: <44B682AB.9010702@isi.edu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
X-Virus-Scanned: ClamAV 0.88.2/1594/Wed Jul 12 18:04:34 2006 on otso.netcore.fi
X-Virus-Status: Clean
X-Spam-Status: No, score=-0.0 required=5.0 tests=NO_RELAYS autolearn=failed version=3.1.2
X-Spam-Checker-Version: SpamAssassin 3.1.2 (2006-05-25) on otso.netcore.fi
X-Spam-Score: -2.8 (--)
X-Scan-Signature: 082a9cbf4d599f360ac7f815372a6a15
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
Errors-To: tcpm-bounces@ietf.org

Note: I have not read the spec.  I'd intend to do it once it gets into 
WGLC.  But some follow-up to some of Joe's points below,

On Thu, 13 Jul 2006, Joe Touch wrote:
> The doc continues to have a detailed but somewhat incomplete discussion
> of the attack scenario; the point of tcp-antispoof was to provide a much
> more detailed version of that discussion that should not be
> recapitulated but rather cited.

You couldn't just simply cite it without any summary though, as 
antispoof is heading Informational, and doing so would likely require 
a down-ref.

> No reasoning is given for numeric limits to ACK throttling (why 10 in 5
> seconds? why not a ratio of the number of conventional ACKs provided)

Simpler to implement, maybe?

> The doc should also indicate that preventing these attacks does NOT
> prevent ICMP attacks (and cite Gont's draft in this regard); it would be
> useful for the security considerations to address whether ICMPs should
> be blocked altogether and what the impact of that would be. Without such
> blocking, it's not clear what the utility of this solution would be.

First of all, your last comment is correct only in isolation, i.e., 
when ICMP attack protections have not been implemented but this is. 
In reality, all vendors have implemented ICMP attack protections for 
at least about 1.5 years.

I do no think this document should be saying anything about blocking 
ICMPs.  On the other hand, reference to ICMP attacks would probably 
make sense.  Whether there should be more extensive discussion of ICMP 
attacks might or might not make sense, depending on the how heavily 
this doc would depend on the security discussion of tcp-antispoof.

> The specific modifications suggested are given as loosely discussed
> recipes rather than a specific list of the modifications to TCP; IMO,
> the latter should be required.

I'd agree that specific modifications would likely be preferable.

In section 3.2 the text says:

    Instead, this document requires that implementations MUST perform the
    following steps in place of those specified in [RFC0793](listed
    above).

Just to be clear, I'd rather say:

    Instead, this document requires that implementations that
    implement this specification MUST perform the
    following steps in place of those specified in [RFC0793](listed
    above).

or something like that.  This doc is not making the behaviour of 793 
incompliant, surely.  But rather introducing a specification that, if 
implemented, must be done in a certain way.

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

_______________________________________________
tcpm mailing list
tcpm@ietf.org
https://www1.ietf.org/mailman/listinfo/tcpm

v2.23.0 | Report a Bug | By Email