Re: [Tsvwg] SCTP and ICMP Protocol Unreachable
Stephane Chazelas <Stephane@artesyncp.com> Fri, 22 September 2006 09:52 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1GQhhZ-0008D6-Nb; Fri, 22 Sep 2006 05:52:09 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1GQhhY-0008Cw-DA for tsvwg@ietf.org; Fri, 22 Sep 2006 05:52:08 -0400
Received: from caly80.spider.com ([194.217.109.12]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1GQhhW-0002o4-Td for tsvwg@ietf.org; Fri, 22 Sep 2006 05:52:08 -0400
Received: from no.name.available by caly80.spider.com via smtpd (for ietf-mx.ietf.org [156.154.16.150]) with ESMTP; Fri, 22 Sep 2006 10:52:02 +0100
Received: from mailhub.spider.com (mailhub.spider.com [212.240.99.13]) by caly80.spider.com (Postfix) with ESMTP id 9C5A96F56; Fri, 22 Sep 2006 10:51:57 +0100 (BST)
Received: from mailhub.spider.com by mailhub.spider.com via smtpd (for [172.16.254.22] [172.16.254.22]) with ESMTP; Fri, 22 Sep 2006 10:51:57 +0100
Received: from ant.artesyncp.com ([10.95.129.182]) by batistuta.spider.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id T24275N8; Fri, 22 Sep 2006 10:46:15 +0100
Received: from stephane by ant.artesyncp.com with local (Exim 4.63) (envelope-from <stephane@artesyncp.com>) id 1GQhhN-0002b8-GW; Fri, 22 Sep 2006 10:51:57 +0100
Date: Fri, 22 Sep 2006 10:51:57 +0100
From: Stephane Chazelas <Stephane@artesyncp.com>
To: Randall Stewart <rrs@cisco.com>
Subject: Re: [Tsvwg] SCTP and ICMP Protocol Unreachable
Message-ID: <20060922095157.GC28642@artesyncp.com>
Mail-Followup-To: Randall Stewart <rrs@cisco.com>, sctp-impl@cisco.com, bidulock@openss7.org, Michael Tuexen <Michael.Tuexen@micmac.franken.de>, sctp-impl@external.cisco.com, IETF Transport Area Mailing List <tsvwg@ietf.org>
References: <161FAFDF-8B94-48B5-8477-0F2F85B75627@micmac.franken.de> <20060920094032.GA28221@artesyncp.com> <20060920055135.A30614@openss7.org> <9C48BA4E-7C94-4EF6-B2FD-3AD374552CF3@micmac.franken.de> <20060920120115.A5094@openss7.org> <2FB2577B-5E0D-4565-BD75-C8CFCD924D95@micmac.franken.de> <20060920123634.A6026@openss7.org> <451266D7.9090202@lakerest.net> <20060921132657.GF28221@artesyncp.com> <4512E2ED.8010702@cisco.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <4512E2ED.8010702@cisco.com>
User-Agent: mutt-ng/devel-r562 (Linux)
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 5a9a1bd6c2d06a21d748b7d0070ddcb8
Cc: Michael Tuexen <Michael.Tuexen@micmac.franken.de>, sctp-impl@cisco.com, sctp-impl@external.cisco.com, bidulock@openss7.org, IETF Transport Area Mailing List <tsvwg@ietf.org>
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
Errors-To: tsvwg-bounces@ietf.org
On Thu, Sep 21, 2006 at 03:07:25PM -0400, Randall Stewart wrote: [...] > >>If you instead remove the ICMP message treated as an ABORT > >>you loose the ability to penalize attackers.. > >But what harm could the attacker do? > Go take a look at the bombing attacks listed > in the threats draft... Hi Randall, Maybe I'm not reading it correctly, but for some of those bombing attacks, there's more of a justification to drop the Protocol Unreachable. http://www.ietf.org/internet-drafts/draft-ietf-tsvwg-sctpthreat-01.txt 5) is taken care of by the change to the RFC that every address must be confirmed first. So that only heartbeats are sent to the victims 6) the attacker will be able to resend its cookie quickly because the server considers the ICMP DUPrU as an ABORT. If it didn't it would have to close the association first. 8,9) unrelated. So it looks like an attacker can always have a server send a burst of heartbeats to victims whether or not the ICMP DUPrU is considered as an ABORT or not. [...] > >I can see firewalls send "port unreachables" when filtering on > >TCP services, that's a host level ICMP message as well. > > Port unreachable is even a stretch IMO.. but announcing > that a host does not support a protocol is way over > the top.. and is just plain broken. [...] Given that firewalls work at transport level, it may be considered legitimate that they inpersonate the destination. A firewall is a bit of a hack anyway. The problem is that IP doesn't provide them with tools to do their job, so they have to use hacks/work around. There's no ICMP to say "sorry, no TCP telnet on that path", so they have to fake a DUPoU from the destination instead. Similarly, there's no way to tell "sorry, no SCTP on that path", so they use the ICMP DUPrU. I'm not trying to push in either direction, I'm just pointing out that potential issue. The behavior of SCTP (considering the ICMP DUPrU as an abort) conflicts with that behavior of some firewalls. Now, we may question ourselves whether that bahavior is necessary. Maybe the right approach is to come up with new ICMP codes for usage by the firewalls. Best regards, Stephane
- [Tsvwg] SCTP and ICMP Protocol Unreachable Stephane Chazelas
- Re: [Tsvwg] SCTP and ICMP Protocol Unreachable Michael Tuexen
- [Tsvwg] draft-ietf-tsvwg-addip-sctp-15.txt: Addin… Ivan.Arias-Rodriguez
- Re: [Tsvwg] draft-ietf-tsvwg-addip-sctp-15.txt: A… Mark Butler
- RE: [Tsvwg] draft-ietf-tsvwg-addip-sctp-15.txt: A… Ivan.Arias-Rodriguez
- Re: [Tsvwg] SCTP and ICMP Protocol Unreachable Stephane Chazelas
- Re: [Tsvwg] draft-ietf-tsvwg-addip-sctp-15.txt: A… Mark Butler
- RE: [Tsvwg] draft-ietf-tsvwg-addip-sctp-15.txt: A… Ivan.Arias-Rodriguez
- Re: [Tsvwg] draft-ietf-tsvwg-addip-sctp-15.txt: A… Mark Butler
- Re: [Tsvwg] SCTP and ICMP Protocol Unreachable Michael Tuexen
- Re: [Tsvwg] SCTP and ICMP Protocol Unreachable Stephane Chazelas
- Re: [Tsvwg] SCTP and ICMP Protocol Unreachable Brian F. G. Bidulock
- Re: [Tsvwg] SCTP and ICMP Protocol Unreachable Brian F. G. Bidulock
- Re: [Tsvwg] SCTP and ICMP Protocol Unreachable Michael Tuexen
- Re: [Tsvwg] SCTP and ICMP Protocol Unreachable Michael Tuexen
- Re: [Tsvwg] SCTP and ICMP Protocol Unreachable Brian F. G. Bidulock
- Re: [Tsvwg] SCTP and ICMP Protocol Unreachable Michael Tuexen
- Re: [Tsvwg] SCTP and ICMP Protocol Unreachable Brian F. G. Bidulock
- Re: [Tsvwg] SCTP and ICMP Protocol Unreachable Michael Tuexen
- Re: [Tsvwg] SCTP and ICMP Protocol Unreachable Brian F. G. Bidulock
- Re: [Tsvwg] SCTP and ICMP Protocol Unreachable Randall Stewart
- Re: [Tsvwg] SCTP and ICMP Protocol Unreachable Stephane Chazelas
- Re: [Tsvwg] SCTP and ICMP Protocol Unreachable Randall Stewart
- Re: [Tsvwg] SCTP and ICMP Protocol Unreachable Brian F. G. Bidulock
- Re: [Tsvwg] SCTP and ICMP Protocol Unreachable Randall Stewart
- Re: [Tsvwg] SCTP and ICMP Protocol Unreachable Stephane Chazelas
- Re: [Tsvwg] SCTP and ICMP Protocol Unreachable Brian F. G. Bidulock
- Re: [Tsvwg] SCTP and ICMP Protocol Unreachable Stephane Chazelas
- Re: [Tsvwg] SCTP and ICMP Protocol Unreachable Brian F. G. Bidulock
- Re: [Tsvwg] SCTP and ICMP Protocol Unreachable Stephane Chazelas
- Re: [Tsvwg] SCTP and ICMP Protocol Unreachable Brian F. G. Bidulock
- Re: [Tsvwg] SCTP and ICMP Protocol Unreachable Randall Stewart
- Re: [Tsvwg] SCTP and ICMP Protocol Unreachable Stephane Chazelas
- Re: [Tsvwg] SCTP and ICMP Protocol Unreachable Stephane Chazelas
- Re: [Tsvwg] SCTP and ICMP Protocol Unreachable Randall Stewart
- Re: [Tsvwg] SCTP and ICMP Protocol Unreachable Randall Stewart
- Re: [Tsvwg] SCTP and ICMP Protocol Unreachable Stephane Chazelas
- Re: [Tsvwg] SCTP and ICMP Protocol Unreachable Randall Stewart
- Re: [Tsvwg] SCTP and ICMP Protocol Unreachable Stephane Chazelas
- Re: [Tsvwg] SCTP and ICMP Protocol Unreachable Randall Stewart
- Re: [Tsvwg] SCTP and ICMP Protocol Unreachable Michael Tuexen
- Re: [Tsvwg] SCTP and ICMP Protocol Unreachable Michael Tuexen
- Re: [Tsvwg] SCTP and ICMP Protocol Unreachable Stephane Chazelas
- Re: [Tsvwg] SCTP and ICMP Protocol Unreachable Michael Tuexen
- Re: [Tsvwg] SCTP and ICMP Protocol Unreachable Brian F. G. Bidulock